
Out-Law News

Biometric data should be protected in the same way as payment card data, expert says
Organisations should protect the biometric data they collect about people the same way they would their payment card information, an expert has said.

Hong Kong's privacy watchdog, the Office of the Privacy Commissioner for Personal Data, has published new guidance on the collection and use of biometric data (10-page / 384KB PDF).

Data protection law expert Paul Haswell of Pinsent Masons, the law firm behind Out-Law.com, said the guidance offers a "timely reminder" to organisations that biometric data is classed as personal data. This means that its collection and use are subject to the Personal Data (Privacy) Ordinance that applies in Hong Kong, as well as to most other data privacy legislation around the world, he said.

"Individuals are surrendering, and organisations are gathering, more biometric data than ever before, be it through smart wearables, health apps or purely as part of applications for identity documents," Haswell said. "This information is valuable, but in the wrong hands can be used in ways which cause great detriment to the data subject, such as through ID theft, and corporate or financial institutions, via fraud. Data users should be as protective of people's biometric data as they are their credit card number or bank account details."

According to the privacy commissioner's new guidance, the extent of the data security measures organisations must apply to biometric data will depend on how sensitive the data is.

"The appropriateness of the collection of biometric data and the precautions to be taken to protect such data collected vary with the level of sensitivity of the biometric data concerned," the guidance said. "Data user must consider the sensitive nature of the data concerned, which depends on a number of factors."

Factors determining the sensitivity of biometric data include whether or not the information is unique to an individual, whether the data is likely to change over time, and whether the data can reveal more information about a person than is needed for the purpose for which it was originally collected, the guidance said.

Other factors, such as whether the data can be collected covertly and what the impact on individuals would be if the information were leaked, also help determine the sensitivity of biometric data, the privacy commissioner said.

The watchdog said that organisations must only collect biometric data where it is justified. To make this determination, organisations must consider both what they intend to collect biometric data for and the method of collecting the data, it said.

"There is no hard and fast rule in determining whether collection of biometric data is 'necessary and not excessive'," the privacy commissioner's guidance said. "Given the wide range of sensitivity of biometric data, data users who intend to collect biometric data must first consider whether such collection is necessary at all. To this end, they are encouraged to conduct a [privacy impact assessment (PIA)], which is a systemic process that evaluates a proposal in terms of its impact upon personal data privacy. Engaging a PIA could help to avoid or minimise the adverse impact to the individuals concerned."

Where the collection of biometric data is for a justifiable purpose, organisations must still ensure that the subjects of that data are given a "free and informed choice" over whether to allow their biometric data to be collected, it said.
