The Hong Kong Commissioner has published guidance (‘Guidance’) to assist data users in complying with Hong Kong’s privacy laws when processing biometric data, and takes a broader approach than previous guidance dealing with when and how biometric data may be handled by an organisation.

Although no distinction is drawn between personal data and sensitive personal data in Hong Kong’s data protection legislation, biometric data appears worthy of greater protection because of its sensitive nature. As a result, the Guidance outlines stricter standards expected of organisations when they handle both physiological and behavioural biometric data.

The Guidance confirms that biometric data should be considered as personal data, and that it should only be collected when necessary and not excessively.  To assess whether collection of biometric data is necessary, data users are encouraged to undertake a privacy impact assessment (‘PIA’). This PIA is meant to act as an aid in evaluating any proposal for processing biometric data, and the Guidance suggests questions to assist those making such a decision. Examples of such questions include whether the objective could be achieved without the use of biometric data, or whether the level of security sought to be obtained through the use of biometric data is required.  If the answers to those questions are “no,” the Guidance recommends that data users use alternative methods and not collect biometric data.

Where the use of biometric data is determined to be necessary by a data user, the Guidance recommends that the data user provide individuals whose biometric data will be collected with a free and informed choice, together with a full explanation as to why their biometric data is necessary, with individuals’ choices being respected.  The Guidance also recommends that the biometric data be held for the original purpose only, deleted once its use is no longer necessary, and that the data be kept accurate and secure.

Data users are advised to treat the Guidance as minimum standards or risk enforcement under Hong Kong’s Personal Data Ordinance.