As a business owner collecting biometric data, you must understand your privacy obligations. We live in a world where data has become a commodity. For many individuals, understanding how and when their personal information is collected and used is of increasing concern.
In Australia, certain businesses must comply with the Australian Privacy Principles (APPs) set out in the Privacy Act 1988 (Cth), which regulate how a business may collect, store, use and disclose different types of personal information. These businesses are referred to as APP entities. APP entities need to be mindful of how and why they collect any personal information, including biometric information.
This article discusses what biometric information is, your obligations when collecting it, and the further matters a business must consider when handling it.
What is Biometric Information?
Under the federal privacy law in Australia, personal information is any information or opinion about an identified individual, or an individual who is reasonably identifiable, whether or not it is true and whether or not it is recorded in a material form. Sensitive information is a subset of personal information that attracts a higher level of protection.
Sensitive information includes information about an individual’s:
- racial or ethnic origin;
- political opinions or associations;
- religious or philosophical beliefs;
- trade union membership or associations;
- sexual orientation or practices;
- criminal record;
- health or genetic information;
- biometric information that is to be used for automated biometric verification or identification; and
- biometric templates.
The Privacy Act does not define biometric information itself. In short, it is an electronic record of a physical or behavioural characteristic that can be used to identify you, such as your:
- face;
- fingerprints;
- iris;
- palm;
- signature; or
- voice.
While it may sound niche, the collection and use of biometric information is expanding significantly in both the public and private sectors.
Take, for example, the fingerprint scan or facial recognition used to unlock many smartphones. This is one example of biometric information we share almost daily.
Obligations When Collecting Biometric Information
Under APP 3, you may only collect biometric information to identify an individual, or for use in an automated biometric verification system, if:
- the individual consents and the information is reasonably necessary for one or more of your functions or activities; or
- an exception applies, for example where collection is required or authorised by law, or is necessary to lessen or prevent a serious threat to the life, health or safety of any individual.
Let us explore the lawful ways you may collect biometric information.
Consent
If you are collecting any type of sensitive information, with some exceptions, you must first obtain consent from the individual. The OAIC's APP guidelines state that an APP entity should generally seek express consent before collecting sensitive information, given the greater privacy impact this collection could have. Express consent is given explicitly, either verbally or in writing. Where possible, it should not be bundled with consent to other matters, and it should give the individual a genuine opportunity to decline.
Furthermore, for consent to be valid, it must have the following four characteristics.
1. Informed
Providing informed consent means that the individual is aware of the consequences of giving or not giving their consent. Ensuring the consent you receive is informed involves explaining how you handle personal information (such as through a privacy policy) and communicating in simple, plain English.
2. Voluntary
Voluntary consent can only be given where the individual is not forced, pressured or coerced to give the consent. This means there should be an option not to consent, and the consequences of not consenting should not be serious.
3. Current and Specific
Consent is given at a particular time and for a particular purpose. You cannot assume that consent given for one collection lasts indefinitely, or that it extends to any future collection of the individual's sensitive information.
4. Given With Capacity
An individual has the capacity to consent if they can understand the nature of what they are consenting to, form a view based on reasoned judgement, and communicate their decision. This includes understanding that they may give or withhold consent and what the consequences of each choice are. Where an individual lacks capacity, consent may be given by someone with the proper authority to act on the individual's behalf.
Purpose
Whether or not you have valid consent from the individual, you must only collect sensitive information, including biometric information, where it is reasonably necessary for the functions and activities of your business. When obtaining consent, you must clearly outline the primary purpose for which you are collecting the information. Unless an exception applies, you can only use or disclose sensitive information for a secondary purpose if the individual consents, or if the individual would reasonably expect that use or disclosure and it is directly related to the primary purpose of collection.
Storage
Under APP 11, businesses must take reasonable steps to protect any personal information they hold from misuse, interference and loss, as well as from unauthorised access, modification or disclosure. What is reasonable depends on the sensitivity of the information and the harm that would follow from its compromise. Unlike a password, a fingerprint or face cannot be reissued once exposed, so biometric information must be protected to a high standard. Businesses should therefore take active, documented measures to secure any biometric information they hold.
Destruction
Once the purpose for which the business collected the sensitive information has been fulfilled, or the business no longer needs the information for any purpose for which it may lawfully be used or disclosed, it must take reasonable steps to destroy or de-identify it. Again, given the highly sensitive nature of biometric information, the destruction process must be thorough, and it should cover every copy held, including backups. How a business undertakes this process will vary on a case-by-case basis. Destruction is not required if the business must retain the information under an Australian law or a court or tribunal order.
Key Takeaways
As a business collecting biometric information, you must ensure you comply with the Australian Privacy Principles (APPs). These obligations include obtaining valid consent, collecting and using the information only for the stated purpose, storing it securely, and, when it is no longer required, destroying or de-identifying it thoroughly.
If you need help understanding your privacy obligations, our experienced contract lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.