Federal Privacy Commissioner Karen Curtis has approved an extension to the Privacy Act relating to biometrics use locally.
The new code comes into effect in September 2006. The draft code, first submitted to the commissioner in May 2004, was approved earlier this month with an advised section relating to the introduction of stronger guidelines in relation to employee records and individual privacy.
It is an extension of the 10 existing National Privacy Principles (NPP) and includes three new subsections relating to the use of biometrics.
The revamped code aims to protect personal information either provided or held by biometric systems; better enable identity authentication in relation to the Privacy Act and the NPP and push the use of biometrics as a privacy enhancing technology.
Terry Aulich, project manager for the Biometrics Institute, said the changes to the existing code directly relate to the NPP and builds directly on privacy issues relating to employees using biometric identification.
Aulich said the amendments would appease those concerned with how the Privacy Act relates to employee data.
"Quite frankly, you would be nuts to employ anyone and provide biometric tools if you do not design the systems to the biometrics privacy code and from the 1000 or so interviews we conducted when writing the code, privacy is one of the key factors in the acceptance of biometrics," Aulich said.
"Currently, one of the most important initiatives is the inclusion of employee records as an area where the Privacy Act, via this code becomes operative. Employee records excluded under the Privacy Act now state that if biometrics are used, whether for storage, access control or wherever, for whatever purpose, the records are covered by this code and therefore the Privacy Act.
"The second thing is a requirement under the code for people using biometrics to conduct a privacy impact assessment in all cases, as well as regular audits of the whole enterprise environment. The third addition is principle as we require an organization to commit to privacy protection."
Aulich said only those who subscribe to the code are actually bound by it, adding that the Biometrics Institute will publish those companies who subscribe to the code.
"Subscribing to the code will certainly be a differentiator in the marketplace for those who take their privacy seriously; the companies that subscribe to the code will be listed on our Web site so the information is easily accessible."
Curtis said the Office of the Privacy Commissioner will handle complaints directly in relation to organizations which default.