With the Universal Community Testing Programme for COVID-19 detection by the Hong Kong Government and temperature screening in the workplace, the collection and use of biometric data (such as DNA samples, fingerprints and facial images) have raised concerns among the public. In August 2020, the Privacy Commissioner (PC) updated its guidance note on how data users should collect and use biometric data in compliance with the Personal Data (Privacy) Ordinance (Guidance Note).
The fundamentals
The PC makes clear that as biometric data often contains one’s intimate information, the collection, use and protection of such data should be handled with caution and in accordance with the level of sensitivity of the data concerned.
As with all personal data, the collection of biometric data must be for a lawful purpose related directly to the data users’ function and activity, and the collection must be necessary for that purpose. Even where collection is necessary, only the minimum biometric data needed to achieve that purpose should be collected.
Data users are encouraged to conduct a privacy impact assessment (PIA) to consider the need and extent of collection, as well as whether less intrusive options are available. Data subjects should be given a free and informed choice upon collection of their biometric data, together with a full explanation of the personal data privacy impact of the collection of such data, especially when there is disparity in negotiating power between the data user and the data subject.
Given the sensitivity of biometric data and its potential adverse use against the data subject, data users should ensure that the data held is accurate and secure, and that it is deleted once it is no longer required for the purpose for which it was collected. The biometric data must not be used for an unrelated purpose without the express and voluntary consent of data subjects, or a lawful exemption.
What's new?
Some of the important additional guidelines set out in the updated Guidance Note are as follows:
- Clarifying how to determine whether the use of biometric data is a proportionate measure to achieve the intended purpose. The PC suggests that data users refer to the four-stage proportionality test laid down in Hysan Development Co Ltd v Town Planning Board [2016] HKCFA 66, which provides that data users should consider whether the measure:
  - pursues a legitimate aim;
  - is rationally connected with achieving that aim;
  - is no more than necessary for advancing that aim; and
  - strikes a reasonable balance between the societal benefits of the encroachment of rights and the protected rights of the affected individuals.
- It is recognised that covert collection of biometric data is highly intrusive and may have a negative impact on an individual’s privacy, dignity and other rights. In conformity with the principles of transparency and fair collection, biometric data should not be covertly collected (such as via facial recognition enabled cameras) unless there is a lawful basis that authorises such collection in specified circumstances.
- Given that biometric technologies have different degrees of precision and accuracy in identifying data subjects, it is not advisable to adopt automated decision-making with the aid of biometric systems without conducting a PIA. As a matter of good practice, if automated decision-making tools are to be used in conjunction with such systems, then clear prior notice should be given to affected individuals as to the existence and likely impact of such tools. Individuals should also have the option of seeking human intervention where the automated decision-making is likely to produce a significant effect on them.
- As a matter of good practice, data users should conduct periodic, independent audits and evaluation of biometric systems to assess the need for modification, improvement or termination. The paramount consideration of “necessity and proportionality” should be revisited upon such audits.
The way ahead
The collection of biometric data is increasingly ubiquitous, and concerns over security and privacy are likely to escalate as more organisations look to biometric technologies as an authentication and security tool. With the GDPR classifying biometric data as “Sensitive Personal Data”, and China’s recent introduction of more stringent requirements to regulate the handling of “Biometric Identification Information”, it should be noted that recent proposals to reform Hong Kong’s Personal Data (Privacy) Ordinance include the introduction of a specific definition of “sensitive personal data”, which could cover biometric data. Organisations planning to make use of biometric data need to be alert to compliance issues in this controversial area. In the meantime, the updated Guidance Note serves as an important reminder of Hong Kong’s current position.