Privacy Commissioner Marie Shroff says ICT developers intending to use biometrics should adopt a principle of "privacy by design".
Like security, privacy should be built in from the beginning of the design, not bolted on as an afterthought, she told a conference of the Biometrics Institute last month.
When she last addressed the biometrics industry, in 2004, she suggested biometrics, then a young field, was a potential target for specific regulation, such as a privacy code under New Zealand's Privacy Act, if there was cause for concern.
"I told them 'we will be watching you'." Six years later, she is still in the same watching and waiting position. Though she "prefers the carrot to the stick", Shroff told the conference "I can still impose regulation; it is never off the table."
She approved of the Biometrics Institute, an international organisation, having developed a code of its own.
This has been approved by the Australian Privacy Commissioner. The New Zealand government last year produced a set of "guiding principles" for the use of biometrics technologies.
The Law Commission is meanwhile still developing its series of papers on privacy, which may well result in changes to the Privacy Act. While biometrics were only given a six-paragraph mention in the 500 pages of the Law Commission's latest report, there could be further proposals for control.
However, if vendors and implementers of biometrics take heed of the Privacy Act's principles, in the way they devise their systems and manage the data, then new regulation may not be needed, Shroff says.
With public concern over terrorism biometrics has gained more acceptance with the New Zealand and Australian public, according to Unisys, one of the main sponsors of the conference. It conducts periodic surveys on the subject.
Aaron Baker, group manager identity and biometrics from the Department of Labour, told the conference the use of biometrics was provided for in the Immigration Act, 2009 and approval of specific applications needs only an Order in Council. The Australian SmartGate system, which uses face recognition, is already in place at Auckland International Airport.
The New Zealand immigration unit is participating in a five-country collaborative development of biometrics-aided immigration procedures, along with Australia, the UK, the US and Canada.
The unit is taking the Privacy Commissioner's advice and will build privacy into any such system, Baker says. In 2008 a preliminary Request for Information document sought to ensure that "our early thinking was consistent with privacy principles", he says. A full Privacy Impact Assessment is now under way.
The Department of Labour issued a request to tender for evaluation of biometrics for use in immigration in March.
Ever more advanced technology of image morphing is improving opportunities for evading a system based on simple visual inspection of a photograph. Baker says; professionals will morph a photograph so it looks like the false applicant, while not being too far away from the face of the document's legitimate owner.
This technique has been used particularly to qualify non-English speakers for English-language immigration tests by substituting a fluent stand-in.