When dealing with biometric data, greater security standards must be implemented. Unlike passwords and email addresses, once biometric data is disclosed there is no going back. You only have a limited number of features (ten fingers, one face, two eyes!), none of which can be changed as easily as a password. Any enhanced security standards must flow through to your contracts with third-party suppliers.

Cloud hosting & Privacy & Biometric Data – What should the contract say?
Cloud hosting provides the greater processing power and storage capacity necessary when using biometric data. So, what do you need to think about for those all-important information security and privacy clauses?

At the outset, the contract must be clear about who is responsible for the collection, use, storage and disclosure of biometric data. It should also address:

> Is the biometric data stored in Australia? How, when and where can the cloud provider transfer the biometric data? Offshore disclosure is fraught with danger - it requires actual consent from the owner of the biometric data, and consideration must be given to the applicable privacy and data protection laws.

> Confirmation that the party complies with all applicable privacy and data protection laws. Associated indemnities should be sought for any loss or damage arising from a breach, including any penalties imposed by any Information Commissioner.

> The information security standards to be applied, e.g. ISO27001, ACSC’s Essential Eight, Information Technology Library (ITIL). Be aware of what these standards require; not all standards are created equal. Comply does not equal certify. Know what you are asking for.

> The controls and procedures around access to the biometric data, including circumstances in which the cloud provider may need to use the biometric data.

> What happens in the event of a breach, whether that be an innocent disclosure, or the cloud provider being hacked.

Any time you are dealing with data, be it personal information, biometric or not, you should know and understand the type and nature of the data being collected and what laws apply to it, and ensure that your contracts with any third parties adequately represent and address the associated risk and liability.

Managing the contracts that deal with technology can be challenging and requires knowledge of both the law and technology. Should you have any particular concerns about your technology contracts, please contact us to see how we can help you navigate this complex world.

Inspire December 2020
Melissa Wingard | Special Counsel
BA(Eng&Hist) LLB(Hons) GradDipLegPrac
GradDipAppFin&Inv MCyberSecOps
melissa.wingard@pof.com.au