
My Business Collects Biometric Information. What Are My Privacy Obligations?

As a business owner collecting biometric data, you must understand your privacy obligations. We live in a world where data has become a commodity. For many individuals, understanding how and when their personal information is collected and used is of increasing concern. 

In Australia, certain businesses must comply with the Australian Privacy Principles (APPs) as set out in the Privacy Act, which regulates how a business can collect, store, use and disclose different types of personal information. These businesses are referred to as APP entities. Businesses that are APP entities need to be mindful of how and why they collect any personal information, including biometric information.

This article will discuss biometric information, your obligations when collecting it, the consequences of improper collection and additional matters that businesses must consider.

What is Biometric Information?  

Under the laws outlining federal privacy obligations in Australia, personal information is any information or opinion about an individual that can identify a person. Personal information encompasses all sensitive information. 

Sensitive information includes information about an individual’s:

  • racial or ethnic origin;
  • political opinions or associations;
  • religious or philosophical beliefs;
  • trade union membership or associations;
  • sexual orientation or practices;
  • criminal record;
  • health or genetic information; and
  • biometric information.

Due to its sensitive nature, sensitive information attracts additional protection. Consequently, you must handle it differently. This is because the individual concerned could face discrimination or harm if their sensitive information is mishandled.

In short, biometric information is an electronic record of your: 

  • face;
  • fingerprints;
  • iris;
  • palm;
  • signature; or 
  • voice. 

While it may sound niche, the collection and use of biometric information is expanding significantly in both the public and private sectors. 

Take, for example, the fingerprint scan or facial recognition technology used in most smartphones. This is one example of biometric information we share almost daily.


Obligations When Collecting Biometric Information

You may only collect biometric information to identify an individual or via an automated biometric verification system if: 

  • the information is collected, used and stored lawfully; or 
  • it is necessary to prevent a serious threat to the life, health or safety of the individual.

Let us explore the lawful ways you may collect biometric information.

Consent

If you are collecting any type of sensitive information, with some exceptions, you must first obtain consent from the individual. The OAIC guidelines state that the individual must expressly consent to provide their sensitive information. Express consent must be open and obvious, either verbally or in writing. Where possible, it should not be bundled and should give the individual the opportunity to opt out. 

Furthermore, for consent to be valid, it must have the following characteristics.

1. Informed 

Providing informed consent means that the individual is aware of the consequences of giving or not giving their consent. Ensuring the consent you receive is informed involves explaining how you handle personal information (such as through a privacy policy) and communicating in simple, plain English.

2. Voluntary

Voluntary consent can only be given where the individual is not forced, pressured or coerced to give the consent. This means there should be an option not to consent, and the consequences of not consenting should not be serious.

3. Current and Specific

Consent is temporary and must only be requested for specific circumstances and at a particular time. You cannot ask for the consent of an individual to collect their sensitive information indefinitely. 

4. Given With Capacity

The capacity to consent means the individual understands that they have the option of giving or not giving their consent, the consequences if they do not, that the consent is based on reason, and the individual can communicate their decision. Consent can be taken from someone with the proper authority to act on the individual’s behalf.

Purpose

Regardless of having valid consent from the individual or not, you must only collect sensitive and biometric information where it is reasonably necessary for the functions and activities of your business. When obtaining consent from the individual, you must clearly outline the primary purpose for collecting the sensitive information. Unless an exception applies, you can only disclose sensitive information for an additional purpose if the individual consents. Otherwise, the individual must reasonably expect the secondary disclosure, and that disclosure must be directly related to the primary purpose.

Storage

Businesses must take reasonable steps to protect any personal information they hold from misuse, interference and loss, as well as unauthorised access, modification or disclosure. Given biometric information is highly sensitive, the business will need to ensure the information is protected at a high standard. Therefore, businesses must take active and clear measures to protect any biometric information they hold.

Destruction

Once the purpose for which the business collected the sensitive information has expired, or the business no longer needs the information, it must take reasonable steps to destroy or de-identify it. Again, given the highly sensitive nature of biometric information, any process undertaken by a business to destroy the information must be thorough. How a business undertakes this process will vary on a case-by-case basis. Destruction is not necessary if the business is required by law or a court or tribunal order to retain the information. 


Key Takeaways

As a business collecting biometric information, you must ensure you comply with the Australian Privacy Principles (APP). These obligations include obtaining consent, using the information for the stated collection purpose, storing it securely, and, when no longer required, destroying the information thoroughly.

If you need help understanding your privacy obligations, our experienced contract lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Tim Jones

Senior Lawyer

Tim is a Senior Lawyer in LegalVision’s Employment, Corporate and Commercial teams.

Qualifications: Bachelor of Laws, Bachelor of International Studies, Macquarie University.
