WEBVTT - How new biometric privacy rules will change what businesses must disclose

0:00:05.880 --> 0:00:06.280
<v Speaker 1>Kyoda.

0:00:06.320 --> 0:00:09.400
<v Speaker 2>I'm Chelsea Daniels and this is the Front Page, a

0:00:09.520 --> 0:00:16.560
<v Speaker 2>daily podcast presented by the New Zealand Herald. New Zealand's

0:00:16.600 --> 0:00:21.239
<v Speaker 2>Privacy Commissioner has issued new rules around the automated use

0:00:21.360 --> 0:00:26.360
<v Speaker 2>of biometrics. Biometric processing is the use of tech like

0:00:26.400 --> 0:00:31.640
<v Speaker 2>a facial recognition to collect and process people's biometric information.

0:00:32.200 --> 0:00:34.760
<v Speaker 2>The code comes into force on the third of November

0:00:34.840 --> 0:00:39.479
<v Speaker 2>twenty twenty five today, but agencies already using it have

0:00:39.640 --> 0:00:43.080
<v Speaker 2>until the third of August next year to align themselves

0:00:43.120 --> 0:00:46.239
<v Speaker 2>with the new rules. Today on the Front Page, Privacy

0:00:46.240 --> 0:00:49.240
<v Speaker 2>Commissioner Michael Webster is with us to take us through

0:00:49.360 --> 0:00:52.840
<v Speaker 2>what all of this actually means and how we can

0:00:53.000 --> 0:01:01.240
<v Speaker 2>protect ourselves. First off, my well, You're probably asked this

0:01:01.360 --> 0:01:06.680
<v Speaker 2>a lot, but what exactly is biometric information?

0:01:07.240 --> 0:01:09.360
<v Speaker 3>Well, I guess that the simplest way to describe it

0:01:09.480 --> 0:01:16.600
<v Speaker 3>is each individual's physical and behavioral characteristics, personal.

0:01:16.280 --> 0:01:19.560
<v Speaker 4>Information about them and the ones I think most people

0:01:19.560 --> 0:01:25.160
<v Speaker 4>will be familiar with things like fingerprint scans, iris scanning,

0:01:25.640 --> 0:01:29.000
<v Speaker 4>and of course increasingly we've seen here in New Zealand

0:01:29.040 --> 0:01:32.560
<v Speaker 4>facial recognition technology or FRT. Those are the sorts of

0:01:33.080 --> 0:01:37.800
<v Speaker 4>biometric information processings that we have seen here in this.

0:01:37.720 --> 0:01:41.240
<v Speaker 2>Country, right, So instead of something that only happens in

0:01:41.280 --> 0:01:45.479
<v Speaker 2>a Tom Cruise movie, it's increasingly happening in real life.

0:01:45.480 --> 0:01:47.960
<v Speaker 2>Can you give us some examples, sure.

0:01:48.280 --> 0:01:50.200
<v Speaker 4>I guess two of the most common are there's a

0:01:50.280 --> 0:01:54.440
<v Speaker 4>number of workplaces, for example, where there are sensitive areas,

0:01:54.600 --> 0:01:58.559
<v Speaker 4>and some workplaces are now using fingerprint scanning for people

0:01:58.600 --> 0:02:01.400
<v Speaker 4>to be able to eat into those places. I think

0:02:01.440 --> 0:02:04.000
<v Speaker 4>many people will be already familiar with the use of

0:02:04.280 --> 0:02:08.120
<v Speaker 4>IRIS scanning to unlock IT programs or devices that sort

0:02:08.160 --> 0:02:11.080
<v Speaker 4>of thing. And of course in New Zealand will be

0:02:11.080 --> 0:02:14.919
<v Speaker 4>familiar with the recent trial that Foodstuffs Northilent did of

0:02:14.960 --> 0:02:19.720
<v Speaker 4>the use of FRT to address some serious harm retail

0:02:19.760 --> 0:02:21.200
<v Speaker 4>crime issues that they were having.

0:02:21.600 --> 0:02:25.839
<v Speaker 2>So what prompted the introduction of this new biometric code.

0:02:26.400 --> 0:02:29.720
<v Speaker 4>Well, we've been scanning both what's happening internationally and here

0:02:30.480 --> 0:02:36.200
<v Speaker 4>in New Zealand, and increasingly businesses other agencies are using

0:02:37.000 --> 0:02:42.280
<v Speaker 4>technological developments to either improve their customer service or to

0:02:42.639 --> 0:02:45.600
<v Speaker 4>deliver on their objectives. And so inevitably there's going to

0:02:45.639 --> 0:02:49.120
<v Speaker 4>be we think a greater use of BIOMESHP technologies by

0:02:49.240 --> 0:02:50.440
<v Speaker 4>organizations out there.

0:02:50.720 --> 0:02:53.640
<v Speaker 3>And we wanted to make sure that both in the

0:02:53.639 --> 0:02:54.280
<v Speaker 3>public and the.

0:02:54.200 --> 0:02:58.640
<v Speaker 4>Private sector, that this country was ready for that coming

0:02:58.760 --> 0:03:01.840
<v Speaker 4>wave of a bit of uses of this sort of technology.

0:03:02.120 --> 0:03:05.359
<v Speaker 2>Right, So I'm walking around the supermarket and obviously all

0:03:05.360 --> 0:03:08.040
<v Speaker 2>the cameras are catching me what I'm picking up, and

0:03:08.080 --> 0:03:10.480
<v Speaker 2>how I'm walking, and what I look like and everything.

0:03:10.639 --> 0:03:13.960
<v Speaker 2>What can the supermarket then now do with that information

0:03:14.480 --> 0:03:15.880
<v Speaker 2>now that there's a code in place.

0:03:16.760 --> 0:03:18.880
<v Speaker 4>Well, in the past, of course, you would have been

0:03:18.880 --> 0:03:21.480
<v Speaker 4>watched by a CCTV which would have just been recording you,

0:03:21.840 --> 0:03:23.800
<v Speaker 4>and then a person would have been looking at that

0:03:23.880 --> 0:03:26.799
<v Speaker 4>to see what you're up to. Now, for example, if

0:03:26.840 --> 0:03:30.959
<v Speaker 4>someone has threatened a staff member or engaged in assault

0:03:31.720 --> 0:03:36.680
<v Speaker 4>at for example, a supermarket or a hardware store, they

0:03:37.240 --> 0:03:40.640
<v Speaker 4>might go onto what's called a watch list, a group

0:03:40.680 --> 0:03:43.000
<v Speaker 4>of people who, for example, have been trespassed and are

0:03:43.000 --> 0:03:45.240
<v Speaker 4>not allowed to back in. And so when you come

0:03:45.280 --> 0:03:49.080
<v Speaker 4>in again, what the biometric technology can do through the

0:03:49.160 --> 0:03:53.400
<v Speaker 4>camera system is match your face with the face that's

0:03:53.440 --> 0:03:56.200
<v Speaker 4>on the watch list. So that kind of I guess

0:03:56.360 --> 0:04:02.480
<v Speaker 4>verification process there, identification process, and then the store because

0:04:02.480 --> 0:04:04.440
<v Speaker 4>there always needs to be human oversight the stalk and

0:04:04.480 --> 0:04:05.800
<v Speaker 4>then decide what to do about that.

0:04:05.840 --> 0:04:09.520
<v Speaker 3>Whether to call the police to approach you directly. Those

0:04:09.520 --> 0:04:10.839
<v Speaker 3>are the choices open to them.

0:04:11.200 --> 0:04:13.320
<v Speaker 2>Right, So if I go back in wearing a fake

0:04:13.440 --> 0:04:18.040
<v Speaker 2>mustache and a wig, and will it pick me up?

0:04:18.120 --> 0:04:18.800
<v Speaker 3>Is it that good?

0:04:19.880 --> 0:04:25.480
<v Speaker 4>Some models of facial recognition technology, some biometric technology is

0:04:25.560 --> 0:04:29.760
<v Speaker 4>that good? It comes back to a question about what

0:04:29.839 --> 0:04:33.800
<v Speaker 4>level do you set the accuracy reading? And one of

0:04:33.839 --> 0:04:37.000
<v Speaker 4>the discussions we've had with New zeal organizations is ensuring

0:04:37.800 --> 0:04:41.080
<v Speaker 4>that you don't leave yourself at the risk of misidentification

0:04:41.760 --> 0:04:44.240
<v Speaker 4>or incorrectly accusing somebody of being on a watch list

0:04:44.279 --> 0:04:47.920
<v Speaker 4>when they're not, because that is incredibly harmful and damaging

0:04:47.920 --> 0:04:50.720
<v Speaker 4>and upsetting for individuals. And so you want to be

0:04:50.760 --> 0:04:54.840
<v Speaker 4>able to set the match I guess criteria quite high,

0:04:55.040 --> 0:04:56.520
<v Speaker 4>and you want to be able to use a very

0:04:56.560 --> 0:05:09.120
<v Speaker 4>reliable and good biometric technology product software that sort of thing. Unfortunately,

0:05:09.520 --> 0:05:12.080
<v Speaker 4>even if you could make it through every other security measure,

0:05:12.600 --> 0:05:15.240
<v Speaker 4>you won't be the last one. That's because it's protected

0:05:15.240 --> 0:05:18.000
<v Speaker 4>by gait analysis, the step beyond facial recognition.

0:05:18.640 --> 0:05:22.080
<v Speaker 1>These cameras actually know how the agent walks, how he talks,

0:05:22.080 --> 0:05:24.719
<v Speaker 1>how he moves, write down to facial tics.

0:05:25.400 --> 0:05:27.240
<v Speaker 3>So what you're saying is no mask can be to.

0:05:29.760 --> 0:05:30.040
<v Speaker 1>A right.

0:05:30.200 --> 0:05:34.440
<v Speaker 2>How does this code differ from privacy laws we already

0:05:34.480 --> 0:05:35.120
<v Speaker 2>have in place.

0:05:35.600 --> 0:05:38.120
<v Speaker 4>Sure, so we already have here in New Zealand our

0:05:38.160 --> 0:05:42.480
<v Speaker 4>own New Zealand Privacy Act in biometric technology, biometric information,

0:05:42.600 --> 0:05:46.599
<v Speaker 4>like all personal information, was already gaverned under the Privacy Act.

0:05:46.839 --> 0:05:50.640
<v Speaker 4>What this does though, is I guess clarify and strength

0:05:50.680 --> 0:05:54.720
<v Speaker 4>and some of the requirements on organizations thinking about using

0:05:54.760 --> 0:05:55.599
<v Speaker 4>this technology.

0:05:56.240 --> 0:05:59.320
<v Speaker 3>So now, for example, they need to go through a

0:05:59.360 --> 0:06:00.560
<v Speaker 3>deliberate process of.

0:06:00.560 --> 0:06:06.040
<v Speaker 4>Considering whether they have privacy safeguards in place. For example,

0:06:06.160 --> 0:06:11.520
<v Speaker 4>with facial recognition technology, the Footsteps Northland trial had a

0:06:11.560 --> 0:06:14.400
<v Speaker 4>system of immediate deletion of non matches, so they didn't

0:06:14.400 --> 0:06:17.599
<v Speaker 4>build up this giant database of Kiley spaces if you

0:06:17.600 --> 0:06:19.800
<v Speaker 4>see what I mean, they would immediately deleted. That would

0:06:19.800 --> 0:06:24.200
<v Speaker 4>be a privacy safeguard. We expect under the code greater transparency.

0:06:24.800 --> 0:06:28.720
<v Speaker 4>So if you go into a business that's using biometric technology,

0:06:28.720 --> 0:06:32.360
<v Speaker 4>we would expect there to be very visible signage, whether

0:06:32.360 --> 0:06:35.840
<v Speaker 4>it's from employees or customers, saying that it's in use.

0:06:36.560 --> 0:06:38.240
<v Speaker 4>And we also want people to go through a very

0:06:38.279 --> 0:06:43.039
<v Speaker 4>careful process of working out whether the proposed used is

0:06:43.080 --> 0:06:47.080
<v Speaker 4>actually proportionate to the problem or the gain that you're

0:06:47.080 --> 0:06:52.640
<v Speaker 4>looking to achieve. So will the privacy risks be outweighed

0:06:52.680 --> 0:06:56.920
<v Speaker 4>by the benefits from using that technology? Is it basically necessary?

0:06:57.520 --> 0:07:00.560
<v Speaker 4>Is it justified? Is it effective for your to use?

0:07:00.760 --> 0:07:01.760
<v Speaker 4>Is it proportionate?

0:07:02.279 --> 0:07:04.880
<v Speaker 2>I'm going to play Devil's advocate here because the first

0:07:04.880 --> 0:07:07.120
<v Speaker 2>thing that comes into my mind with this kind of

0:07:07.120 --> 0:07:11.880
<v Speaker 2>technology is brands looking at customers and seeing who picks

0:07:11.960 --> 0:07:16.119
<v Speaker 2>up their product. Who, you know, what their customer base

0:07:16.200 --> 0:07:20.560
<v Speaker 2>would be. So would this code protect your biometric information

0:07:20.680 --> 0:07:23.640
<v Speaker 2>from being used, say via marketing.

0:07:24.240 --> 0:07:27.520
<v Speaker 4>So there's a couple of things. That one is again

0:07:27.560 --> 0:07:30.560
<v Speaker 4>we should always remember that people have always been watched

0:07:30.600 --> 0:07:33.640
<v Speaker 4>while they're in stores with CCTV. That has always been

0:07:33.760 --> 0:07:36.080
<v Speaker 4>a feature as well as the people in the store

0:07:36.120 --> 0:07:38.680
<v Speaker 4>as well. One of the things we've done with this

0:07:38.760 --> 0:07:42.040
<v Speaker 4>code is that we've said there needs to be some

0:07:42.080 --> 0:07:46.160
<v Speaker 4>particular limits on its use, and one of those limits

0:07:46.240 --> 0:07:51.000
<v Speaker 4>is around what we would call inferential biometrics, such as

0:07:51.480 --> 0:07:56.480
<v Speaker 4>I guess, trying to read people's emotions or their mental state. So,

0:07:56.600 --> 0:08:00.760
<v Speaker 4>for example, have they appeared to be more excited when

0:08:00.800 --> 0:08:02.920
<v Speaker 4>they walk past the particular item of clothing then when

0:08:02.920 --> 0:08:05.720
<v Speaker 4>they walk past something else, those sorts of things, and

0:08:05.760 --> 0:08:09.280
<v Speaker 4>we've said, actually, unless there are particular exceptions in place,

0:08:09.840 --> 0:08:13.160
<v Speaker 4>we don't think biometric technology should be used for those purposes.

0:08:13.440 --> 0:08:17.679
<v Speaker 2>How does the code address particularly sensitive uses I suppose,

0:08:17.720 --> 0:08:21.760
<v Speaker 2>like profiling based on ethnicity or health even I.

0:08:21.760 --> 0:08:23.600
<v Speaker 4>Guess there's a couple of issues there that I mean.

0:08:23.600 --> 0:08:26.800
<v Speaker 4>The first is that there is always a risk with

0:08:26.920 --> 0:08:31.600
<v Speaker 4>the use of biometric technology around bias and profiling, and

0:08:31.640 --> 0:08:32.920
<v Speaker 4>that is why, for.

0:08:32.840 --> 0:08:33.760
<v Speaker 3>Example, to come.

0:08:33.640 --> 0:08:36.800
<v Speaker 4>Back to that earlier the ashue I talked about, you

0:08:36.840 --> 0:08:39.600
<v Speaker 4>need to be able to set the match criteria quite

0:08:39.600 --> 0:08:42.480
<v Speaker 4>a higher level. A lot of the biometric tools that

0:08:42.520 --> 0:08:46.679
<v Speaker 4>have been developed overseas aren't representative or reflectives of New

0:08:46.720 --> 0:08:50.520
<v Speaker 4>Zealand's population. They're not very good at recognizing people with

0:08:50.679 --> 0:08:53.360
<v Speaker 4>darker skin types as well, for example, And so you

0:08:53.440 --> 0:08:57.360
<v Speaker 4>need to be able to assure your customers because at

0:08:57.360 --> 0:08:59.080
<v Speaker 4>the end of the day, you want the trust and

0:08:59.080 --> 0:09:01.599
<v Speaker 4>confidence of your customtomers. You need to be able to

0:09:01.640 --> 0:09:06.199
<v Speaker 4>assure them that those that are matched are matched accurately.

0:09:06.760 --> 0:09:10.200
<v Speaker 3>And you also need to have pretty strict criteria if.

0:09:10.080 --> 0:09:13.640
<v Speaker 4>You're using it for say retail crime reasons around who

0:09:13.760 --> 0:09:15.400
<v Speaker 4>ends up on a watch list and why they end

0:09:15.480 --> 0:09:17.480
<v Speaker 4>up on a watch list. You've got to watch out

0:09:17.840 --> 0:09:20.680
<v Speaker 4>for any human bias coming into how the systems are.

0:09:20.640 --> 0:09:25.720
<v Speaker 2>Used, how will compliance be monitored or even enforced, and

0:09:25.760 --> 0:09:28.880
<v Speaker 2>what penalties might there be in place once the code

0:09:29.280 --> 0:09:29.840
<v Speaker 2>is enacted.

0:09:30.360 --> 0:09:34.400
<v Speaker 4>So the Code includes the same requirements and obligations on

0:09:34.840 --> 0:09:38.800
<v Speaker 4>businesses and organizations that exist in the current Privacy Act

0:09:39.520 --> 0:09:42.160
<v Speaker 4>at the moment. For example, if you feel that your

0:09:42.400 --> 0:09:46.360
<v Speaker 4>privacy rights have been intruded on or you've been treated

0:09:46.400 --> 0:09:50.040
<v Speaker 4>unfairly in terms of the management and protection of your

0:09:50.080 --> 0:09:53.000
<v Speaker 4>personal information, what we say is that you should first

0:09:53.000 --> 0:09:56.520
<v Speaker 4>approach the organization concerned and if you can't resolve your

0:09:56.559 --> 0:09:59.440
<v Speaker 4>concerns with them, you can and this is the same

0:09:59.520 --> 0:10:02.400
<v Speaker 4>under the code as well. You can complain to our

0:10:02.440 --> 0:10:06.360
<v Speaker 4>office and if we feel that your complaint has merit

0:10:06.360 --> 0:10:10.120
<v Speaker 4>in it, we will investigate further. We also have a

0:10:10.200 --> 0:10:13.360
<v Speaker 4>compliance and enforcement team and one of the roles that

0:10:13.400 --> 0:10:17.400
<v Speaker 4>they carry out is just generally doing proactive schemes across

0:10:17.880 --> 0:10:18.600
<v Speaker 4>what's going on.

0:10:18.600 --> 0:10:19.319
<v Speaker 3>In New Zealand.

0:10:20.080 --> 0:10:23.320
<v Speaker 4>One of the things about New Zealand is that they're

0:10:23.360 --> 0:10:25.720
<v Speaker 4>not shy these days about complaining and so if we

0:10:25.760 --> 0:10:28.440
<v Speaker 4>see for example, that there's an uptick and media stories

0:10:28.960 --> 0:10:32.800
<v Speaker 4>about a particular organization and how it's used. In biometric technology,

0:10:33.320 --> 0:10:35.040
<v Speaker 4>we have the right and the ability to go and

0:10:35.240 --> 0:10:36.120
<v Speaker 4>see what's going on.

0:10:36.920 --> 0:10:41.120
<v Speaker 2>What rights do individuals have regarding their biometric information?

0:10:42.080 --> 0:10:44.920
<v Speaker 4>Again, individuals have the same rights as they have under

0:10:44.960 --> 0:10:47.880
<v Speaker 4>the privacy X. So, for example, you have the right

0:10:47.920 --> 0:10:51.440
<v Speaker 4>for your information to be held securely. We don't want

0:10:52.000 --> 0:10:55.960
<v Speaker 4>people building up databases of personal information and then that

0:10:56.040 --> 0:10:58.959
<v Speaker 4>information being at risk from a cyber attack.

0:10:59.360 --> 0:11:03.840
<v Speaker 3>And I guess the key point here is that, for.

0:11:03.760 --> 0:11:09.480
<v Speaker 4>Example, I had my driver's license stolen through a cyber attack,

0:11:10.200 --> 0:11:12.120
<v Speaker 4>I can go and get a new driver's license, right,

0:11:12.160 --> 0:11:13.839
<v Speaker 4>I can get a new driver's license number.

0:11:13.960 --> 0:11:17.280
<v Speaker 3>That's okay. If I have my fingerprints stolen, or my

0:11:17.400 --> 0:11:20.560
<v Speaker 3>iris akain stolen, or my face stolen through a cyber attack,

0:11:21.200 --> 0:11:23.679
<v Speaker 3>that's not just information about me, that is me. If

0:11:23.679 --> 0:11:26.800
<v Speaker 3>you know what I mean, and you can't replace that,

0:11:26.960 --> 0:11:27.440
<v Speaker 3>it's gone.

0:11:27.640 --> 0:11:30.959
<v Speaker 4>It's out there, probably being sold on the dark web.

0:11:31.360 --> 0:11:34.240
<v Speaker 4>So individuals need to know and have the right to

0:11:34.280 --> 0:11:38.640
<v Speaker 4>head information looked at as securely. Information that has held

0:11:38.679 --> 0:11:40.680
<v Speaker 4>you also have a right to access as well. You

0:11:40.720 --> 0:11:44.120
<v Speaker 4>can ask organizations for the information they hold about you.

0:11:44.520 --> 0:11:47.200
<v Speaker 2>And you said that you looked internationally at what other

0:11:47.240 --> 0:11:49.960
<v Speaker 2>countries have been doing around these kind of codes and

0:11:50.000 --> 0:11:53.720
<v Speaker 2>this information. What kind of lessons did you guys learn,

0:11:53.960 --> 0:11:56.760
<v Speaker 2>either good or bad from what others are doing elsewhere.

0:11:57.559 --> 0:11:59.360
<v Speaker 4>Well, we're actually in a little bit of a catch

0:11:59.400 --> 0:12:02.600
<v Speaker 4>up mode here with this code. Other countries have for

0:12:02.679 --> 0:12:08.480
<v Speaker 4>quite a while now treated biometric information as sensitive personal

0:12:08.559 --> 0:12:11.520
<v Speaker 4>information because of its inherent nature that it is you,

0:12:12.360 --> 0:12:16.880
<v Speaker 4>not just about you, and so they've already had their own.

0:12:16.760 --> 0:12:18.240
<v Speaker 3>Rules and regulations in place.

0:12:18.800 --> 0:12:21.360
<v Speaker 4>A number of the countries that we are particularly close

0:12:21.400 --> 0:12:24.920
<v Speaker 4>with and compare ourselves with, if you think of Australia,

0:12:25.040 --> 0:12:28.920
<v Speaker 4>the UK, Canada, those sorts of countries they are have

0:12:29.040 --> 0:12:31.760
<v Speaker 4>been and are currently looking at how.

0:12:31.640 --> 0:12:35.200
<v Speaker 3>They regulate this information as well. So it's not just us.

0:12:35.240 --> 0:12:39.080
<v Speaker 4>All around the world privacy regulators are looking at the

0:12:39.080 --> 0:12:42.559
<v Speaker 4>issue of the increasing use of this technology and ensuring

0:12:43.280 --> 0:12:46.040
<v Speaker 4>that when it is used that trust and confidence and

0:12:46.080 --> 0:12:48.200
<v Speaker 4>people's privacy rights are not impacted by that.

0:12:48.720 --> 0:12:51.079
<v Speaker 2>It's funny you say that they were in catch up mode,

0:12:51.120 --> 0:12:54.359
<v Speaker 2>because when I read about this code, I thought, finally

0:12:54.760 --> 0:12:57.400
<v Speaker 2>New Zealand is getting ahead of the curve because we're

0:12:57.559 --> 0:13:01.240
<v Speaker 2>always talking about, especially on this podcast as well, when

0:13:01.280 --> 0:13:04.800
<v Speaker 2>it comes to AI or anything tech, really how far

0:13:04.920 --> 0:13:08.400
<v Speaker 2>behind we are, how far behind the laws are. For example,

0:13:08.440 --> 0:13:11.240
<v Speaker 2>you know, there are some laws that don't even really

0:13:11.520 --> 0:13:14.640
<v Speaker 2>understand that a phone is in our pocket these days,

0:13:14.880 --> 0:13:17.280
<v Speaker 2>you know what I mean. So it really does feel

0:13:17.360 --> 0:13:21.280
<v Speaker 2>like even for a lay person that we are getting

0:13:21.559 --> 0:13:23.439
<v Speaker 2>ahead of this. Are we that behind?

0:13:23.880 --> 0:13:27.400
<v Speaker 4>First that the Privacy Act itself is actually technology neutral,

0:13:27.520 --> 0:13:30.600
<v Speaker 4>it's not kind of like, you know, anti technology, and

0:13:30.679 --> 0:13:32.960
<v Speaker 4>you know, at the end of the day, we want

0:13:33.000 --> 0:13:36.440
<v Speaker 4>New Zealand to benefit from the use of innoventive technologies,

0:13:37.000 --> 0:13:40.840
<v Speaker 4>but what it's about is creating I guess guardrails for

0:13:40.880 --> 0:13:43.480
<v Speaker 4>how that technology is used, because that at the end

0:13:43.480 --> 0:13:46.920
<v Speaker 4>of the day, and doing privacy well is going to

0:13:46.920 --> 0:13:49.199
<v Speaker 4>be good for the individual, but it's also good for business.

0:13:49.679 --> 0:13:53.120
<v Speaker 4>One of the things we're increasingly seeing in overseas surveys,

0:13:53.800 --> 0:13:58.440
<v Speaker 4>and this reflects perhaps a younger, more digitally savvy group

0:13:58.480 --> 0:14:02.439
<v Speaker 4>of people growing up, is that if people are unhappy

0:14:02.440 --> 0:14:06.240
<v Speaker 4>about how that personal information is being managed by a company,

0:14:06.240 --> 0:14:09.760
<v Speaker 4>by an organization, they can quite easily pick up and

0:14:09.880 --> 0:14:14.839
<v Speaker 4>leave and go somewhere else and we see that happen

0:14:14.880 --> 0:14:18.360
<v Speaker 4>increasingly in New Zealand as well, and so businesses are

0:14:18.400 --> 0:14:20.160
<v Speaker 4>now becoming more and more aware of that.

0:14:20.320 --> 0:14:21.040
<v Speaker 3>And so.

0:14:22.640 --> 0:14:25.880
<v Speaker 4>As long as any new regulatory frameworks like this code

0:14:26.720 --> 0:14:30.280
<v Speaker 4>are practical for them to use that we provide as

0:14:30.320 --> 0:14:32.600
<v Speaker 4>we have lots of guidance about how to do it well,

0:14:33.600 --> 0:14:37.320
<v Speaker 4>they're accepting of that as a way to help ensure

0:14:37.400 --> 0:14:41.280
<v Speaker 4>that when they do use this new innovative technology that

0:14:41.360 --> 0:14:43.000
<v Speaker 4>it is, as I say, good for them as well

0:14:43.000 --> 0:14:44.040
<v Speaker 4>as good for the individual.

0:14:49.400 --> 0:14:51.840
<v Speaker 1>Another thing we can do to protect though, is never

0:14:51.920 --> 0:14:55.120
<v Speaker 1>rely on a biometric as a single factor of authentication.

0:14:55.760 --> 0:14:58.880
<v Speaker 1>It should be part of multi factor authentication. So that way,

0:14:59.280 --> 0:15:02.240
<v Speaker 1>even if my fingerprint does get compromised, well, I have

0:15:02.320 --> 0:15:06.240
<v Speaker 1>more fingers, But even if that were the case, I'm

0:15:06.280 --> 0:15:09.320
<v Speaker 1>still relying on more than just that alone. I'm relying

0:15:09.400 --> 0:15:12.360
<v Speaker 1>on a password, something I know, or something I have,

0:15:12.560 --> 0:15:17.640
<v Speaker 1>like a particular device. So with multi factoring authentication, we're

0:15:17.640 --> 0:15:22.040
<v Speaker 1>reducing that risk surface by spreading out the different security

0:15:22.080 --> 0:15:23.120
<v Speaker 1>mechanisms we're using.

0:15:25.640 --> 0:15:30.000
<v Speaker 2>And I note that businesses already using this biometric information

0:15:30.160 --> 0:15:34.320
<v Speaker 2>one way or another have until August next year. Is

0:15:34.320 --> 0:15:37.320
<v Speaker 2>that just logistics wise? Does it just take a while

0:15:37.440 --> 0:15:40.560
<v Speaker 2>to I guess, recalibrate the technology that they're using at

0:15:40.560 --> 0:15:40.960
<v Speaker 2>the moment.

0:15:41.280 --> 0:15:42.000
<v Speaker 3>That's right.

0:15:42.040 --> 0:15:45.200
<v Speaker 4>We wanted to ensure again from a practical point of view,

0:15:45.680 --> 0:15:49.200
<v Speaker 4>that any business that is already using biometric technology had

0:15:49.240 --> 0:15:52.600
<v Speaker 4>a period of time just to reassess these systems against

0:15:52.880 --> 0:15:55.960
<v Speaker 4>the requirements and the code, to seek any further advice

0:15:56.040 --> 0:15:59.440
<v Speaker 4>they needed to carry out, for example, and updated what

0:15:59.480 --> 0:16:03.440
<v Speaker 4>we call obviously impact assessment, to relook at the privacy

0:16:03.480 --> 0:16:06.440
<v Speaker 4>safeguards they've got in place, to think about whether they

0:16:06.520 --> 0:16:09.680
<v Speaker 4>might want to add in some more for example, to

0:16:09.800 --> 0:16:13.280
<v Speaker 4>ensure that they are consistent with the expectations that are

0:16:13.320 --> 0:16:14.520
<v Speaker 4>set out in the code.

0:16:14.880 --> 0:16:18.760
<v Speaker 2>And it's really incredible what biometric information we do carry.

0:16:18.840 --> 0:16:21.479
<v Speaker 2>I mean, you mentioned the iris scan and the fingerprint.

0:16:21.520 --> 0:16:24.200
<v Speaker 2>That's what people are kind of used to seeing, but

0:16:24.240 --> 0:16:28.520
<v Speaker 2>you've also got things like the way someone walks, the

0:16:28.560 --> 0:16:32.560
<v Speaker 2>way someone moves. That's you know, things that we may

0:16:32.680 --> 0:16:36.800
<v Speaker 2>not think of. Did you ever think when you first

0:16:36.880 --> 0:16:40.960
<v Speaker 2>became Privacy Commissioner or related into this space that you

0:16:41.000 --> 0:16:45.920
<v Speaker 2>would be speaking about people's iris scans, fingerprints and the

0:16:45.960 --> 0:16:48.400
<v Speaker 2>way they walk, talk and get excited when they see

0:16:48.400 --> 0:16:49.840
<v Speaker 2>a product or something.

0:16:51.040 --> 0:16:51.760
<v Speaker 3>Yes, I did.

0:16:52.160 --> 0:16:56.800
<v Speaker 4>And interestingly enough, we've been through quite consultative process in

0:16:56.840 --> 0:16:59.600
<v Speaker 4>developing this code. So it start actually a little while

0:16:59.600 --> 0:17:05.320
<v Speaker 4>ago now, a few years ago now, but increasingly both overseas.

0:17:05.359 --> 0:17:09.359
<v Speaker 4>But you see the sort of information used, and you

0:17:09.440 --> 0:17:13.120
<v Speaker 4>even of course can see it heralded in popular literature,

0:17:13.200 --> 0:17:16.480
<v Speaker 4>particularly say, for example, the sort of sci fi literature

0:17:16.560 --> 0:17:17.280
<v Speaker 4>you've talked about.

0:17:17.400 --> 0:17:18.639
<v Speaker 3>It is a reality.

0:17:19.480 --> 0:17:24.320
<v Speaker 4>New Zealand wants to benefit from and use digital innovation,

0:17:24.480 --> 0:17:26.040
<v Speaker 4>new technology.

0:17:25.760 --> 0:17:28.720
<v Speaker 3>And part of my role is with our.

0:17:29.080 --> 0:17:33.560
<v Speaker 4>Technology Neutral Privacy Act and our regulatory framework is ensuring

0:17:33.800 --> 0:17:36.399
<v Speaker 4>that new technology can be used in a way that

0:17:36.480 --> 0:17:41.359
<v Speaker 4>is safely used and is protective of people's privacy rights as.

0:17:41.200 --> 0:17:41.639
<v Speaker 3>It can be.

0:17:42.080 --> 0:17:47.679
<v Speaker 2>Thanks for joining us, Michael, you to thank you that

0:17:47.840 --> 0:17:51.040
<v Speaker 2>said for this episode of The Front Page. You can

0:17:51.080 --> 0:17:55.000
<v Speaker 2>read more about today's stories and extensive news coverage at

0:17:55.080 --> 0:17:59.480
<v Speaker 2>enzadherld dot co dot nz. The Front Page is produced

0:17:59.520 --> 0:18:03.200
<v Speaker 2>by Jay and Richard Martin, who is also our editor.

0:18:03.720 --> 0:18:08.080
<v Speaker 2>I'm Chelsea Daniels. Subscribe to the Front Page on iHeartRadio

0:18:08.240 --> 0:18:11.679
<v Speaker 2>or wherever you get your podcasts, and tune in tomorrow

0:18:11.800 --> 0:18:13.760
<v Speaker 2>for another look behind the headlines.