Hong Kong privacy commission makes biometric warnings
03 August 2015 14:49 GMT

Hong Kong's privacy commissioner has warned that the proliferation of cheaper biometric technology should not dilute companies' attitudes to the collection and storage of biometric data.

In a guidance note on the collection and use of biometric data, the Office of the Privacy Commissioner for Personal Data (PCPD) said it aims to provide comprehensive advice to organisations considering biometric technologies.

The note writes that PCPD views biometric data to be highly “sensitive” personal data expects it to be treated in accordance with strict controls

“The key message is that organisations should not blindly implement, for example, fingerprint recognition devices without assessing the privacy risks and justifications, considering less privacy-intrusive measures, or offering individuals a free and informed choice and appropriate controls,” wrote the commissioner.

It also notes that this guidance note also follows recent “enforcement action” against a company who used a fingerprint recognition device for security and staff monitoring purposes in breach of the PDPO.

In its report, the commissioner notes that the the PCPD expects organisations to exercise “extreme caution” when collecting, using and retaining biometric data.

“Organisations are strongly advised to assess and document their reasoning when implementing biometric data technologies as to why it is necessary and proportionate.”

"This Guidance replaces a previous guidance note which only dealt with fingerprint data," Anna Gamvros, Partner at Baker & McKenzie, told DataGuidance.

"In this new, quite detailed publication, the PCPD addresses a broader scope of biometric data. What is interesting, is that this Guidance seeks to stretch the concepts of personal data in the privacy law by distinguishing between different levels of sensitivity in personal data."

A day after the publication of the Guidance, on 21 July 2015, the PCPD released an investigation report following complaints about the excessive collection of employees' fingerprints by a fashion trading company called Queenix. The PCPD found that the company was in breach of the Ordinance and issued an enforcement notice requesting the company to cease the collection of fingerprint data and to destroy the ones collected from past and present employees, quoting the Guidance for reference.