With the Universal Community Testing Programme for COVID-19 detection by the Hong Kong Government and temperature screening in the workplace, the collection and use of biometric data (such as DNA samples, fingerprints and facial images) have raised concerns among the public. In August 2020, the Privacy Commissioner (PC) updated its guidance note on how data users should collect and use biometric data in compliance with the Personal Data (Privacy) Ordinance (Guidance Note).
The PC makes clear that as biometric data often contains one’s intimate information, the collection, use and protection of such data should be handled with caution and in accordance with the level of sensitivity of the data concerned.
As with all personal data, the collection of biometric data must be for a lawful purpose directly related to the data users’ function and activity, and the collection must be necessary for that purpose. Even where collection is necessary, only the minimum biometric data needed to achieve that purpose should be collected.
Data users are encouraged to conduct a privacy impact assessment (PIA) to consider the need and extent of collection, as well as whether less intrusive options are available. Data subjects should be given a free and informed choice upon collection of their biometric data, together with a full explanation of the personal data privacy impact of the collection of such data, especially when there is disparity in negotiating power between the data user and the data subject.
Given the sensitivity of biometric data and its potential adverse use against the data subject, data users should ensure that the data held is accurate and secure, and that it is deleted once it is no longer required for the purpose for which it was collected. The biometric data must not be used for an unrelated purpose without the express and voluntary consent of data subjects or a lawful exemption.
Some of the important additional guidelines set out in the updated Guidance Note are as follows:-
It is recognised that covert collection of biometric data is highly intrusive and may have a negative impact on an individual’s privacy, dignity and other rights. In conformity with the principles of transparency and fair collection, biometric data should not be covertly collected (such as via facial recognition-enabled cameras) unless there is a lawful basis that authorises such collection in specified circumstances.
The way ahead
The collection of biometric data is increasingly ubiquitous, and concerns over security and privacy are likely to escalate as more organisations look to biometric technologies as an authentication and security tool. With the GDPR classifying biometric data as “Sensitive Personal Data”, and China’s recent introduction of more stringent requirements to regulate the handling of “Biometric Identification Information”, it should be noted that recent proposals to reform Hong Kong’s Personal Data Privacy Ordinance include the introduction of a specific definition of “sensitive personal data”, which could cover biometric data. Organisations planning to make use of biometric data need to be alert to compliance issues in this controversial area. In the meantime, the updated Guidance Note serves as an important reminder of Hong Kong’s current position.