1 00:00:05,880 --> 00:00:06,280 Speaker 1: Kyoda. 2 00:00:06,320 --> 00:00:09,400 Speaker 2: I'm Chelsea Daniels and this is the Front Page, a 3 00:00:09,520 --> 00:00:16,560 Speaker 2: daily podcast presented by the New Zealand Herald. New Zealand's 4 00:00:16,600 --> 00:00:21,239 Speaker 2: Privacy Commissioner has issued new rules around the automated use 5 00:00:21,360 --> 00:00:26,360 Speaker 2: of biometrics. Biometric processing is the use of tech like 6 00:00:26,400 --> 00:00:31,640 Speaker 2: a facial recognition to collect and process people's biometric information. 7 00:00:32,200 --> 00:00:34,760 Speaker 2: The code comes into force on the third of November 8 00:00:34,840 --> 00:00:39,479 Speaker 2: twenty twenty five today, but agencies already using it have 9 00:00:39,640 --> 00:00:43,080 Speaker 2: until the third of August next year to align themselves 10 00:00:43,120 --> 00:00:46,239 Speaker 2: with the new rules. Today on the Front Page, Privacy 11 00:00:46,240 --> 00:00:49,240 Speaker 2: Commissioner Michael Webster is with us to take us through 12 00:00:49,360 --> 00:00:52,840 Speaker 2: what all of this actually means and how we can 13 00:00:53,000 --> 00:01:01,240 Speaker 2: protect ourselves. First off, my well, You're probably asked this 14 00:01:01,360 --> 00:01:06,680 Speaker 2: a lot, but what exactly is biometric information? 15 00:01:07,240 --> 00:01:09,360 Speaker 3: Well, I guess that the simplest way to describe it 16 00:01:09,480 --> 00:01:16,600 Speaker 3: is each individual's physical and behavioral characteristics, personal. 17 00:01:16,280 --> 00:01:19,560 Speaker 4: Information about them and the ones I think most people 18 00:01:19,560 --> 00:01:25,160 Speaker 4: will be familiar with things like fingerprint scans, iris scanning, 19 00:01:25,640 --> 00:01:29,000 Speaker 4: and of course increasingly we've seen here in New Zealand 20 00:01:29,040 --> 00:01:32,560 Speaker 4: facial recognition technology or FRT. Those are the sorts of 21 00:01:33,080 --> 00:01:37,800 Speaker 4: biometric information processings that we have seen here in this. 22 00:01:37,720 --> 00:01:41,240 Speaker 2: Country, right, So instead of something that only happens in 23 00:01:41,280 --> 00:01:45,479 Speaker 2: a Tom Cruise movie, it's increasingly happening in real life. 24 00:01:45,480 --> 00:01:47,960 Speaker 2: Can you give us some examples, sure. 25 00:01:48,280 --> 00:01:50,200 Speaker 4: I guess two of the most common are there's a 26 00:01:50,280 --> 00:01:54,440 Speaker 4: number of workplaces, for example, where there are sensitive areas, 27 00:01:54,600 --> 00:01:58,559 Speaker 4: and some workplaces are now using fingerprint scanning for people 28 00:01:58,600 --> 00:02:01,400 Speaker 4: to be able to eat into those places. I think 29 00:02:01,440 --> 00:02:04,000 Speaker 4: many people will be already familiar with the use of 30 00:02:04,280 --> 00:02:08,120 Speaker 4: IRIS scanning to unlock IT programs or devices that sort 31 00:02:08,160 --> 00:02:11,080 Speaker 4: of thing. And of course in New Zealand will be 32 00:02:11,080 --> 00:02:14,919 Speaker 4: familiar with the recent trial that Foodstuffs Northilent did of 33 00:02:14,960 --> 00:02:19,720 Speaker 4: the use of FRT to address some serious harm retail 34 00:02:19,760 --> 00:02:21,200 Speaker 4: crime issues that they were having. 35 00:02:21,600 --> 00:02:25,839 Speaker 2: So what prompted the introduction of this new biometric code. 36 00:02:26,400 --> 00:02:29,720 Speaker 4: Well, we've been scanning both what's happening internationally and here 37 00:02:30,480 --> 00:02:36,200 Speaker 4: in New Zealand, and increasingly businesses other agencies are using 38 00:02:37,000 --> 00:02:42,280 Speaker 4: technological developments to either improve their customer service or to 39 00:02:42,639 --> 00:02:45,600 Speaker 4: deliver on their objectives. And so inevitably there's going to 40 00:02:45,639 --> 00:02:49,120 Speaker 4: be we think a greater use of BIOMESHP technologies by 41 00:02:49,240 --> 00:02:50,440 Speaker 4: organizations out there. 42 00:02:50,720 --> 00:02:53,640 Speaker 3: And we wanted to make sure that both in the 43 00:02:53,639 --> 00:02:54,280 Speaker 3: public and the. 44 00:02:54,200 --> 00:02:58,640 Speaker 4: Private sector, that this country was ready for that coming 45 00:02:58,760 --> 00:03:01,840 Speaker 4: wave of a bit of uses of this sort of technology. 46 00:03:02,120 --> 00:03:05,359 Speaker 2: Right, So I'm walking around the supermarket and obviously all 47 00:03:05,360 --> 00:03:08,040 Speaker 2: the cameras are catching me what I'm picking up, and 48 00:03:08,080 --> 00:03:10,480 Speaker 2: how I'm walking, and what I look like and everything. 49 00:03:10,639 --> 00:03:13,960 Speaker 2: What can the supermarket then now do with that information 50 00:03:14,480 --> 00:03:15,880 Speaker 2: now that there's a code in place. 51 00:03:16,760 --> 00:03:18,880 Speaker 4: Well, in the past, of course, you would have been 52 00:03:18,880 --> 00:03:21,480 Speaker 4: watched by a CCTV which would have just been recording you, 53 00:03:21,840 --> 00:03:23,800 Speaker 4: and then a person would have been looking at that 54 00:03:23,880 --> 00:03:26,799 Speaker 4: to see what you're up to. Now, for example, if 55 00:03:26,840 --> 00:03:30,959 Speaker 4: someone has threatened a staff member or engaged in assault 56 00:03:31,720 --> 00:03:36,680 Speaker 4: at for example, a supermarket or a hardware store, they 57 00:03:37,240 --> 00:03:40,640 Speaker 4: might go onto what's called a watch list, a group 58 00:03:40,680 --> 00:03:43,000 Speaker 4: of people who, for example, have been trespassed and are 59 00:03:43,000 --> 00:03:45,240 Speaker 4: not allowed to back in. And so when you come 60 00:03:45,280 --> 00:03:49,080 Speaker 4: in again, what the biometric technology can do through the 61 00:03:49,160 --> 00:03:53,400 Speaker 4: camera system is match your face with the face that's 62 00:03:53,440 --> 00:03:56,200 Speaker 4: on the watch list. So that kind of I guess 63 00:03:56,360 --> 00:04:02,480 Speaker 4: verification process there, identification process, and then the store because 64 00:04:02,480 --> 00:04:04,440 Speaker 4: there always needs to be human oversight the stalk and 65 00:04:04,480 --> 00:04:05,800 Speaker 4: then decide what to do about that. 66 00:04:05,840 --> 00:04:09,520 Speaker 3: Whether to call the police to approach you directly. Those 67 00:04:09,520 --> 00:04:10,839 Speaker 3: are the choices open to them. 68 00:04:11,200 --> 00:04:13,320 Speaker 2: Right, So if I go back in wearing a fake 69 00:04:13,440 --> 00:04:18,040 Speaker 2: mustache and a wig, and will it pick me up? 70 00:04:18,120 --> 00:04:18,800 Speaker 3: Is it that good? 71 00:04:19,880 --> 00:04:25,480 Speaker 4: Some models of facial recognition technology, some biometric technology is 72 00:04:25,560 --> 00:04:29,760 Speaker 4: that good? It comes back to a question about what 73 00:04:29,839 --> 00:04:33,800 Speaker 4: level do you set the accuracy reading? And one of 74 00:04:33,839 --> 00:04:37,000 Speaker 4: the discussions we've had with New zeal organizations is ensuring 75 00:04:37,800 --> 00:04:41,080 Speaker 4: that you don't leave yourself at the risk of misidentification 76 00:04:41,760 --> 00:04:44,240 Speaker 4: or incorrectly accusing somebody of being on a watch list 77 00:04:44,279 --> 00:04:47,920 Speaker 4: when they're not, because that is incredibly harmful and damaging 78 00:04:47,920 --> 00:04:50,720 Speaker 4: and upsetting for individuals. And so you want to be 79 00:04:50,760 --> 00:04:54,840 Speaker 4: able to set the match I guess criteria quite high, 80 00:04:55,040 --> 00:04:56,520 Speaker 4: and you want to be able to use a very 81 00:04:56,560 --> 00:05:09,120 Speaker 4: reliable and good biometric technology product software that sort of thing. Unfortunately, 82 00:05:09,520 --> 00:05:12,080 Speaker 4: even if you could make it through every other security measure, 83 00:05:12,600 --> 00:05:15,240 Speaker 4: you won't be the last one. That's because it's protected 84 00:05:15,240 --> 00:05:18,000 Speaker 4: by gait analysis, the step beyond facial recognition. 85 00:05:18,640 --> 00:05:22,080 Speaker 1: These cameras actually know how the agent walks, how he talks, 86 00:05:22,080 --> 00:05:24,719 Speaker 1: how he moves, write down to facial tics. 87 00:05:25,400 --> 00:05:27,240 Speaker 3: So what you're saying is no mask can be to. 88 00:05:29,760 --> 00:05:30,040 Speaker 1: A right. 89 00:05:30,200 --> 00:05:34,440 Speaker 2: How does this code differ from privacy laws we already 90 00:05:34,480 --> 00:05:35,120 Speaker 2: have in place. 91 00:05:35,600 --> 00:05:38,120 Speaker 4: Sure, so we already have here in New Zealand our 92 00:05:38,160 --> 00:05:42,480 Speaker 4: own New Zealand Privacy Act in biometric technology, biometric information, 93 00:05:42,600 --> 00:05:46,599 Speaker 4: like all personal information, was already gaverned under the Privacy Act. 94 00:05:46,839 --> 00:05:50,640 Speaker 4: What this does though, is I guess clarify and strength 95 00:05:50,680 --> 00:05:54,720 Speaker 4: and some of the requirements on organizations thinking about using 96 00:05:54,760 --> 00:05:55,599 Speaker 4: this technology. 97 00:05:56,240 --> 00:05:59,320 Speaker 3: So now, for example, they need to go through a 98 00:05:59,360 --> 00:06:00,560 Speaker 3: deliberate process of. 99 00:06:00,560 --> 00:06:06,040 Speaker 4: Considering whether they have privacy safeguards in place. For example, 100 00:06:06,160 --> 00:06:11,520 Speaker 4: with facial recognition technology, the Footsteps Northland trial had a 101 00:06:11,560 --> 00:06:14,400 Speaker 4: system of immediate deletion of non matches, so they didn't 102 00:06:14,400 --> 00:06:17,599 Speaker 4: build up this giant database of Kiley spaces if you 103 00:06:17,600 --> 00:06:19,800 Speaker 4: see what I mean, they would immediately deleted. That would 104 00:06:19,800 --> 00:06:24,200 Speaker 4: be a privacy safeguard. We expect under the code greater transparency. 105 00:06:24,800 --> 00:06:28,720 Speaker 4: So if you go into a business that's using biometric technology, 106 00:06:28,720 --> 00:06:32,360 Speaker 4: we would expect there to be very visible signage, whether 107 00:06:32,360 --> 00:06:35,840 Speaker 4: it's from employees or customers, saying that it's in use. 108 00:06:36,560 --> 00:06:38,240 Speaker 4: And we also want people to go through a very 109 00:06:38,279 --> 00:06:43,039 Speaker 4: careful process of working out whether the proposed used is 110 00:06:43,080 --> 00:06:47,080 Speaker 4: actually proportionate to the problem or the gain that you're 111 00:06:47,080 --> 00:06:52,640 Speaker 4: looking to achieve. So will the privacy risks be outweighed 112 00:06:52,680 --> 00:06:56,920 Speaker 4: by the benefits from using that technology? Is it basically necessary? 113 00:06:57,520 --> 00:07:00,560 Speaker 4: Is it justified? Is it effective for your to use? 114 00:07:00,760 --> 00:07:01,760 Speaker 4: Is it proportionate? 115 00:07:02,279 --> 00:07:04,880 Speaker 2: I'm going to play Devil's advocate here because the first 116 00:07:04,880 --> 00:07:07,120 Speaker 2: thing that comes into my mind with this kind of 117 00:07:07,120 --> 00:07:11,880 Speaker 2: technology is brands looking at customers and seeing who picks 118 00:07:11,960 --> 00:07:16,119 Speaker 2: up their product. Who, you know, what their customer base 119 00:07:16,200 --> 00:07:20,560 Speaker 2: would be. So would this code protect your biometric information 120 00:07:20,680 --> 00:07:23,640 Speaker 2: from being used, say via marketing. 121 00:07:24,240 --> 00:07:27,520 Speaker 4: So there's a couple of things. That one is again 122 00:07:27,560 --> 00:07:30,560 Speaker 4: we should always remember that people have always been watched 123 00:07:30,600 --> 00:07:33,640 Speaker 4: while they're in stores with CCTV. That has always been 124 00:07:33,760 --> 00:07:36,080 Speaker 4: a feature as well as the people in the store 125 00:07:36,120 --> 00:07:38,680 Speaker 4: as well. One of the things we've done with this 126 00:07:38,760 --> 00:07:42,040 Speaker 4: code is that we've said there needs to be some 127 00:07:42,080 --> 00:07:46,160 Speaker 4: particular limits on its use, and one of those limits 128 00:07:46,240 --> 00:07:51,000 Speaker 4: is around what we would call inferential biometrics, such as 129 00:07:51,480 --> 00:07:56,480 Speaker 4: I guess, trying to read people's emotions or their mental state. So, 130 00:07:56,600 --> 00:08:00,760 Speaker 4: for example, have they appeared to be more excited when 131 00:08:00,800 --> 00:08:02,920 Speaker 4: they walk past the particular item of clothing then when 132 00:08:02,920 --> 00:08:05,720 Speaker 4: they walk past something else, those sorts of things, and 133 00:08:05,760 --> 00:08:09,280 Speaker 4: we've said, actually, unless there are particular exceptions in place, 134 00:08:09,840 --> 00:08:13,160 Speaker 4: we don't think biometric technology should be used for those purposes. 135 00:08:13,440 --> 00:08:17,679 Speaker 2: How does the code address particularly sensitive uses I suppose, 136 00:08:17,720 --> 00:08:21,760 Speaker 2: like profiling based on ethnicity or health even I. 137 00:08:21,760 --> 00:08:23,600 Speaker 4: Guess there's a couple of issues there that I mean. 138 00:08:23,600 --> 00:08:26,800 Speaker 4: The first is that there is always a risk with 139 00:08:26,920 --> 00:08:31,600 Speaker 4: the use of biometric technology around bias and profiling, and 140 00:08:31,640 --> 00:08:32,920 Speaker 4: that is why, for. 141 00:08:32,840 --> 00:08:33,760 Speaker 3: Example, to come. 142 00:08:33,640 --> 00:08:36,800 Speaker 4: Back to that earlier the ashue I talked about, you 143 00:08:36,840 --> 00:08:39,600 Speaker 4: need to be able to set the match criteria quite 144 00:08:39,600 --> 00:08:42,480 Speaker 4: a higher level. A lot of the biometric tools that 145 00:08:42,520 --> 00:08:46,679 Speaker 4: have been developed overseas aren't representative or reflectives of New 146 00:08:46,720 --> 00:08:50,520 Speaker 4: Zealand's population. They're not very good at recognizing people with 147 00:08:50,679 --> 00:08:53,360 Speaker 4: darker skin types as well, for example, And so you 148 00:08:53,440 --> 00:08:57,360 Speaker 4: need to be able to assure your customers because at 149 00:08:57,360 --> 00:08:59,080 Speaker 4: the end of the day, you want the trust and 150 00:08:59,080 --> 00:09:01,599 Speaker 4: confidence of your customtomers. You need to be able to 151 00:09:01,640 --> 00:09:06,199 Speaker 4: assure them that those that are matched are matched accurately. 152 00:09:06,760 --> 00:09:10,200 Speaker 3: And you also need to have pretty strict criteria if. 153 00:09:10,080 --> 00:09:13,640 Speaker 4: You're using it for say retail crime reasons around who 154 00:09:13,760 --> 00:09:15,400 Speaker 4: ends up on a watch list and why they end 155 00:09:15,480 --> 00:09:17,480 Speaker 4: up on a watch list. You've got to watch out 156 00:09:17,840 --> 00:09:20,680 Speaker 4: for any human bias coming into how the systems are. 157 00:09:20,640 --> 00:09:25,720 Speaker 2: Used, how will compliance be monitored or even enforced, and 158 00:09:25,760 --> 00:09:28,880 Speaker 2: what penalties might there be in place once the code 159 00:09:29,280 --> 00:09:29,840 Speaker 2: is enacted. 160 00:09:30,360 --> 00:09:34,400 Speaker 4: So the Code includes the same requirements and obligations on 161 00:09:34,840 --> 00:09:38,800 Speaker 4: businesses and organizations that exist in the current Privacy Act 162 00:09:39,520 --> 00:09:42,160 Speaker 4: at the moment. For example, if you feel that your 163 00:09:42,400 --> 00:09:46,360 Speaker 4: privacy rights have been intruded on or you've been treated 164 00:09:46,400 --> 00:09:50,040 Speaker 4: unfairly in terms of the management and protection of your 165 00:09:50,080 --> 00:09:53,000 Speaker 4: personal information, what we say is that you should first 166 00:09:53,000 --> 00:09:56,520 Speaker 4: approach the organization concerned and if you can't resolve your 167 00:09:56,559 --> 00:09:59,440 Speaker 4: concerns with them, you can and this is the same 168 00:09:59,520 --> 00:10:02,400 Speaker 4: under the code as well. You can complain to our 169 00:10:02,440 --> 00:10:06,360 Speaker 4: office and if we feel that your complaint has merit 170 00:10:06,360 --> 00:10:10,120 Speaker 4: in it, we will investigate further. We also have a 171 00:10:10,200 --> 00:10:13,360 Speaker 4: compliance and enforcement team and one of the roles that 172 00:10:13,400 --> 00:10:17,400 Speaker 4: they carry out is just generally doing proactive schemes across 173 00:10:17,880 --> 00:10:18,600 Speaker 4: what's going on. 174 00:10:18,600 --> 00:10:19,319 Speaker 3: In New Zealand. 175 00:10:20,080 --> 00:10:23,320 Speaker 4: One of the things about New Zealand is that they're 176 00:10:23,360 --> 00:10:25,720 Speaker 4: not shy these days about complaining and so if we 177 00:10:25,760 --> 00:10:28,440 Speaker 4: see for example, that there's an uptick and media stories 178 00:10:28,960 --> 00:10:32,800 Speaker 4: about a particular organization and how it's used. In biometric technology, 179 00:10:33,320 --> 00:10:35,040 Speaker 4: we have the right and the ability to go and 180 00:10:35,240 --> 00:10:36,120 Speaker 4: see what's going on. 181 00:10:36,920 --> 00:10:41,120 Speaker 2: What rights do individuals have regarding their biometric information? 182 00:10:42,080 --> 00:10:44,920 Speaker 4: Again, individuals have the same rights as they have under 183 00:10:44,960 --> 00:10:47,880 Speaker 4: the privacy X. So, for example, you have the right 184 00:10:47,920 --> 00:10:51,440 Speaker 4: for your information to be held securely. We don't want 185 00:10:52,000 --> 00:10:55,960 Speaker 4: people building up databases of personal information and then that 186 00:10:56,040 --> 00:10:58,959 Speaker 4: information being at risk from a cyber attack. 187 00:10:59,360 --> 00:11:03,840 Speaker 3: And I guess the key point here is that, for. 188 00:11:03,760 --> 00:11:09,480 Speaker 4: Example, I had my driver's license stolen through a cyber attack, 189 00:11:10,200 --> 00:11:12,120 Speaker 4: I can go and get a new driver's license, right, 190 00:11:12,160 --> 00:11:13,839 Speaker 4: I can get a new driver's license number. 191 00:11:13,960 --> 00:11:17,280 Speaker 3: That's okay. If I have my fingerprints stolen, or my 192 00:11:17,400 --> 00:11:20,560 Speaker 3: iris akain stolen, or my face stolen through a cyber attack, 193 00:11:21,200 --> 00:11:23,679 Speaker 3: that's not just information about me, that is me. If 194 00:11:23,679 --> 00:11:26,800 Speaker 3: you know what I mean, and you can't replace that, 195 00:11:26,960 --> 00:11:27,440 Speaker 3: it's gone. 196 00:11:27,640 --> 00:11:30,959 Speaker 4: It's out there, probably being sold on the dark web. 197 00:11:31,360 --> 00:11:34,240 Speaker 4: So individuals need to know and have the right to 198 00:11:34,280 --> 00:11:38,640 Speaker 4: head information looked at as securely. Information that has held 199 00:11:38,679 --> 00:11:40,680 Speaker 4: you also have a right to access as well. You 200 00:11:40,720 --> 00:11:44,120 Speaker 4: can ask organizations for the information they hold about you. 201 00:11:44,520 --> 00:11:47,200 Speaker 2: And you said that you looked internationally at what other 202 00:11:47,240 --> 00:11:49,960 Speaker 2: countries have been doing around these kind of codes and 203 00:11:50,000 --> 00:11:53,720 Speaker 2: this information. What kind of lessons did you guys learn, 204 00:11:53,960 --> 00:11:56,760 Speaker 2: either good or bad from what others are doing elsewhere. 205 00:11:57,559 --> 00:11:59,360 Speaker 4: Well, we're actually in a little bit of a catch 206 00:11:59,400 --> 00:12:02,600 Speaker 4: up mode here with this code. Other countries have for 207 00:12:02,679 --> 00:12:08,480 Speaker 4: quite a while now treated biometric information as sensitive personal 208 00:12:08,559 --> 00:12:11,520 Speaker 4: information because of its inherent nature that it is you, 209 00:12:12,360 --> 00:12:16,880 Speaker 4: not just about you, and so they've already had their own. 210 00:12:16,760 --> 00:12:18,240 Speaker 3: Rules and regulations in place. 211 00:12:18,800 --> 00:12:21,360 Speaker 4: A number of the countries that we are particularly close 212 00:12:21,400 --> 00:12:24,920 Speaker 4: with and compare ourselves with, if you think of Australia, 213 00:12:25,040 --> 00:12:28,920 Speaker 4: the UK, Canada, those sorts of countries they are have 214 00:12:29,040 --> 00:12:31,760 Speaker 4: been and are currently looking at how. 215 00:12:31,640 --> 00:12:35,200 Speaker 3: They regulate this information as well. So it's not just us. 216 00:12:35,240 --> 00:12:39,080 Speaker 4: All around the world privacy regulators are looking at the 217 00:12:39,080 --> 00:12:42,559 Speaker 4: issue of the increasing use of this technology and ensuring 218 00:12:43,280 --> 00:12:46,040 Speaker 4: that when it is used that trust and confidence and 219 00:12:46,080 --> 00:12:48,200 Speaker 4: people's privacy rights are not impacted by that. 220 00:12:48,720 --> 00:12:51,079 Speaker 2: It's funny you say that they were in catch up mode, 221 00:12:51,120 --> 00:12:54,359 Speaker 2: because when I read about this code, I thought, finally 222 00:12:54,760 --> 00:12:57,400 Speaker 2: New Zealand is getting ahead of the curve because we're 223 00:12:57,559 --> 00:13:01,240 Speaker 2: always talking about, especially on this podcast as well, when 224 00:13:01,280 --> 00:13:04,800 Speaker 2: it comes to AI or anything tech, really how far 225 00:13:04,920 --> 00:13:08,400 Speaker 2: behind we are, how far behind the laws are. For example, 226 00:13:08,440 --> 00:13:11,240 Speaker 2: you know, there are some laws that don't even really 227 00:13:11,520 --> 00:13:14,640 Speaker 2: understand that a phone is in our pocket these days, 228 00:13:14,880 --> 00:13:17,280 Speaker 2: you know what I mean. So it really does feel 229 00:13:17,360 --> 00:13:21,280 Speaker 2: like even for a lay person that we are getting 230 00:13:21,559 --> 00:13:23,439 Speaker 2: ahead of this. Are we that behind? 231 00:13:23,880 --> 00:13:27,400 Speaker 4: First that the Privacy Act itself is actually technology neutral, 232 00:13:27,520 --> 00:13:30,600 Speaker 4: it's not kind of like, you know, anti technology, and 233 00:13:30,679 --> 00:13:32,960 Speaker 4: you know, at the end of the day, we want 234 00:13:33,000 --> 00:13:36,440 Speaker 4: New Zealand to benefit from the use of innoventive technologies, 235 00:13:37,000 --> 00:13:40,840 Speaker 4: but what it's about is creating I guess guardrails for 236 00:13:40,880 --> 00:13:43,480 Speaker 4: how that technology is used, because that at the end 237 00:13:43,480 --> 00:13:46,920 Speaker 4: of the day, and doing privacy well is going to 238 00:13:46,920 --> 00:13:49,199 Speaker 4: be good for the individual, but it's also good for business. 239 00:13:49,679 --> 00:13:53,120 Speaker 4: One of the things we're increasingly seeing in overseas surveys, 240 00:13:53,800 --> 00:13:58,440 Speaker 4: and this reflects perhaps a younger, more digitally savvy group 241 00:13:58,480 --> 00:14:02,439 Speaker 4: of people growing up, is that if people are unhappy 242 00:14:02,440 --> 00:14:06,240 Speaker 4: about how that personal information is being managed by a company, 243 00:14:06,240 --> 00:14:09,760 Speaker 4: by an organization, they can quite easily pick up and 244 00:14:09,880 --> 00:14:14,839 Speaker 4: leave and go somewhere else and we see that happen 245 00:14:14,880 --> 00:14:18,360 Speaker 4: increasingly in New Zealand as well, and so businesses are 246 00:14:18,400 --> 00:14:20,160 Speaker 4: now becoming more and more aware of that. 247 00:14:20,320 --> 00:14:21,040 Speaker 3: And so. 248 00:14:22,640 --> 00:14:25,880 Speaker 4: As long as any new regulatory frameworks like this code 249 00:14:26,720 --> 00:14:30,280 Speaker 4: are practical for them to use that we provide as 250 00:14:30,320 --> 00:14:32,600 Speaker 4: we have lots of guidance about how to do it well, 251 00:14:33,600 --> 00:14:37,320 Speaker 4: they're accepting of that as a way to help ensure 252 00:14:37,400 --> 00:14:41,280 Speaker 4: that when they do use this new innovative technology that 253 00:14:41,360 --> 00:14:43,000 Speaker 4: it is, as I say, good for them as well 254 00:14:43,000 --> 00:14:44,040 Speaker 4: as good for the individual. 255 00:14:49,400 --> 00:14:51,840 Speaker 1: Another thing we can do to protect though, is never 256 00:14:51,920 --> 00:14:55,120 Speaker 1: rely on a biometric as a single factor of authentication. 257 00:14:55,760 --> 00:14:58,880 Speaker 1: It should be part of multi factor authentication. So that way, 258 00:14:59,280 --> 00:15:02,240 Speaker 1: even if my fingerprint does get compromised, well, I have 259 00:15:02,320 --> 00:15:06,240 Speaker 1: more fingers, But even if that were the case, I'm 260 00:15:06,280 --> 00:15:09,320 Speaker 1: still relying on more than just that alone. I'm relying 261 00:15:09,400 --> 00:15:12,360 Speaker 1: on a password, something I know, or something I have, 262 00:15:12,560 --> 00:15:17,640 Speaker 1: like a particular device. So with multi factoring authentication, we're 263 00:15:17,640 --> 00:15:22,040 Speaker 1: reducing that risk surface by spreading out the different security 264 00:15:22,080 --> 00:15:23,120 Speaker 1: mechanisms we're using. 265 00:15:25,640 --> 00:15:30,000 Speaker 2: And I note that businesses already using this biometric information 266 00:15:30,160 --> 00:15:34,320 Speaker 2: one way or another have until August next year. Is 267 00:15:34,320 --> 00:15:37,320 Speaker 2: that just logistics wise? Does it just take a while 268 00:15:37,440 --> 00:15:40,560 Speaker 2: to I guess, recalibrate the technology that they're using at 269 00:15:40,560 --> 00:15:40,960 Speaker 2: the moment. 270 00:15:41,280 --> 00:15:42,000 Speaker 3: That's right. 271 00:15:42,040 --> 00:15:45,200 Speaker 4: We wanted to ensure again from a practical point of view, 272 00:15:45,680 --> 00:15:49,200 Speaker 4: that any business that is already using biometric technology had 273 00:15:49,240 --> 00:15:52,600 Speaker 4: a period of time just to reassess these systems against 274 00:15:52,880 --> 00:15:55,960 Speaker 4: the requirements and the code, to seek any further advice 275 00:15:56,040 --> 00:15:59,440 Speaker 4: they needed to carry out, for example, and updated what 276 00:15:59,480 --> 00:16:03,440 Speaker 4: we call obviously impact assessment, to relook at the privacy 277 00:16:03,480 --> 00:16:06,440 Speaker 4: safeguards they've got in place, to think about whether they 278 00:16:06,520 --> 00:16:09,680 Speaker 4: might want to add in some more for example, to 279 00:16:09,800 --> 00:16:13,280 Speaker 4: ensure that they are consistent with the expectations that are 280 00:16:13,320 --> 00:16:14,520 Speaker 4: set out in the code. 281 00:16:14,880 --> 00:16:18,760 Speaker 2: And it's really incredible what biometric information we do carry. 282 00:16:18,840 --> 00:16:21,479 Speaker 2: I mean, you mentioned the iris scan and the fingerprint. 283 00:16:21,520 --> 00:16:24,200 Speaker 2: That's what people are kind of used to seeing, but 284 00:16:24,240 --> 00:16:28,520 Speaker 2: you've also got things like the way someone walks, the 285 00:16:28,560 --> 00:16:32,560 Speaker 2: way someone moves. That's you know, things that we may 286 00:16:32,680 --> 00:16:36,800 Speaker 2: not think of. Did you ever think when you first 287 00:16:36,880 --> 00:16:40,960 Speaker 2: became Privacy Commissioner or related into this space that you 288 00:16:41,000 --> 00:16:45,920 Speaker 2: would be speaking about people's iris scans, fingerprints and the 289 00:16:45,960 --> 00:16:48,400 Speaker 2: way they walk, talk and get excited when they see 290 00:16:48,400 --> 00:16:49,840 Speaker 2: a product or something. 291 00:16:51,040 --> 00:16:51,760 Speaker 3: Yes, I did. 292 00:16:52,160 --> 00:16:56,800 Speaker 4: And interestingly enough, we've been through quite consultative process in 293 00:16:56,840 --> 00:16:59,600 Speaker 4: developing this code. So it start actually a little while 294 00:16:59,600 --> 00:17:05,320 Speaker 4: ago now, a few years ago now, but increasingly both overseas. 295 00:17:05,359 --> 00:17:09,359 Speaker 4: But you see the sort of information used, and you 296 00:17:09,440 --> 00:17:13,120 Speaker 4: even of course can see it heralded in popular literature, 297 00:17:13,200 --> 00:17:16,480 Speaker 4: particularly say, for example, the sort of sci fi literature 298 00:17:16,560 --> 00:17:17,280 Speaker 4: you've talked about. 299 00:17:17,400 --> 00:17:18,639 Speaker 3: It is a reality. 300 00:17:19,480 --> 00:17:24,320 Speaker 4: New Zealand wants to benefit from and use digital innovation, 301 00:17:24,480 --> 00:17:26,040 Speaker 4: new technology. 302 00:17:25,760 --> 00:17:28,720 Speaker 3: And part of my role is with our. 303 00:17:29,080 --> 00:17:33,560 Speaker 4: Technology Neutral Privacy Act and our regulatory framework is ensuring 304 00:17:33,800 --> 00:17:36,399 Speaker 4: that new technology can be used in a way that 305 00:17:36,480 --> 00:17:41,359 Speaker 4: is safely used and is protective of people's privacy rights as. 306 00:17:41,200 --> 00:17:41,639 Speaker 3: It can be. 307 00:17:42,080 --> 00:17:47,679 Speaker 2: Thanks for joining us, Michael, you to thank you that 308 00:17:47,840 --> 00:17:51,040 Speaker 2: said for this episode of The Front Page. You can 309 00:17:51,080 --> 00:17:55,000 Speaker 2: read more about today's stories and extensive news coverage at 310 00:17:55,080 --> 00:17:59,480 Speaker 2: enzadherld dot co dot nz. The Front Page is produced 311 00:17:59,520 --> 00:18:03,200 Speaker 2: by Jay and Richard Martin, who is also our editor. 312 00:18:03,720 --> 00:18:08,080 Speaker 2: I'm Chelsea Daniels. Subscribe to the Front Page on iHeartRadio 313 00:18:08,240 --> 00:18:11,679 Speaker 2: or wherever you get your podcasts, and tune in tomorrow 314 00:18:11,800 --> 00:18:13,760 Speaker 2: for another look behind the headlines.