What the Biometric Processing Privacy Code Means for Your Business
As of 3 November 2025, the new rules regulating the use of biometric processes in New Zealand (the Biometric Processing Privacy Code 2025 (the Code)) have come into force. The Code applies to any new collection and use of biometric information; however, organisations/agencies that were already using biometric processes prior to 3 November 2025 have until 3 August 2026 to align those processes and policies with the Code.
The Office of the Privacy Commissioner has released guidance on the practical application of the Code which is designed to assist organisations in collecting and utilising biometric information as part of their business practices.
Note that if your organisation utilises a third-party provider of biometric processing services, your organisation will still be subject to, and need to comply with, the Code. Common examples include the use of some workplace sign-in systems and AML identity verification platforms.
A summary of the key points to be aware of is outlined below.
What is biometric information?
Biometric information is any information that relates to a person’s physical features (such as face, fingerprints, eyes or voice) or typical bodily movements (such as gestures, how you walk, type or speak, heartbeat or eye movements).
What are biometric processes?
At a high level, biometric processing involves utilising biometric information to verify, identify or categorise a person via an automated system. Common examples of where an organisation may utilise these processes include:
- using facial recognition technology to identify a person entering their business;
- controlling access to devices or physical spaces;
- verifying a person’s identity by comparing their photo identification to another photo of that person (whether already stored in the system or captured at the same time as verification).
How does the Code work in the context of the Privacy Act 2020?
As biometric information is information about an identifiable individual, it is “personal information” for the purposes of the Privacy Act 2020 (Privacy Act). The Code works in conjunction with the Privacy Act by modifying or otherwise applying the corresponding Information Privacy Principles from the Privacy Act specifically for biometric information.
The Code contains 13 Rules that organisations must comply with. Where the Code does not apply to certain activities or information, the Privacy Act still applies. For example, the Privacy Act applies to:
- any completely manual uses of biometric information, and
- the results of biometric processing.
The Code also does not generally apply to biometric information that is also health information subject to the Health Information Privacy Code.
For clarity, the Code does not change the complaints process set out in the Privacy Act.
Complying with the Code
The Code aims to regulate the use of biometric information by creating a framework that ensures biometric information is collected, used and stored in a manner that is lawful, transparent and proportionate.
As noted above, the Code is made up of 13 privacy rules. From a compliance perspective, Rules 1, 3 and 10 are particularly important, as they introduce additional specific compliance requirements relating to the purpose of the proposed use of biometric processes, the necessary notification of the use of biometric processes, and the use / limits of biometric processes.
Purpose
Rule 1 of the Code requires any organisation collecting biometric information to be used in a biometric process to have a lawful purpose directly connected to a function / activity of the organisation and that the collection be necessary for achieving that purpose.
These standards closely mirror those found in Information Privacy Principle 1 and, in practice, are likely to be assessed and complied with in similar ways. However, at a minimum, agencies should ensure that they can clearly demonstrate the causal connection between the collection/use and the stated purpose.
Importantly, Rule 1 of the Code introduces a new standard of proportionality. This means that organisations must not only ensure their purpose is lawful and necessary but also consider whether the benefit obtained from using biometric processing is proportionate to the privacy impact on the individuals concerned. The Office of the Privacy Commissioner has emphasised that a proportionality assessment will need to identify and address cultural impacts and effects of biometric processes, including:
- cultural perspectives (e.g. tikanga Māori, Māori data sovereignty, te Tiriti o Waitangi and He Whakaputanga o te Rangatiratanga o Nu Tireni) that affect how Māori view or are impacted by biometric processing; and
- any different impact the biometric processing has on Māori, for example discrimination against Māori due to bias in the biometric system (e.g. bias leads to adverse decisions against Māori individuals at a higher rate than non-Māori).
In short: When collecting biometric information, ensure the purpose is lawful, necessary, and directly connected to your organisation’s activities. Assess whether the benefits of biometric processing are proportionate to its privacy impacts, and specifically consider Māori cultural perspectives, data sovereignty, and any potential bias or discrimination.
Consultation / Notification
Rule 3 of the Code introduces specific requirements for notifying individuals of the fact that biometric information is being collected and processed, which extend beyond the standard requirements in the Privacy Act 2020. An organisation has the responsibility of consulting and / or notifying any individuals who may be affected by the implementation of a biometric process.
An organisation must take all reasonable steps to ensure individuals are made aware of:
- What biometric information is being collected and used;
- The purpose for the collection and use of the biometric information;
- How long the biometric information will be stored / used;
- If there are any alternative options available that carry fewer privacy risks;
- The intended recipients of the biometric information and / or processing results;
- Which organisation is collecting and storing the biometric information and / or processing results;
- How they can make a complaint about the processing of their biometric information (including the right to complain to the Privacy Commissioner);
- If the organisation’s proportionality assessment (under Rule 1) is available publicly or upon request, and how an individual can access this information; and
- If the collection and processing of their biometric information is subject to a trial and the length of said trial.
In an employment context, prior to the introduction of any biometric processes, an organisation has the duty to consult with its employees, contractors, and others that may be affected by the introduction of a biometric process. During this consultation, the organisation should:
- consider who will be impacted by the biometric process and whether it can consult with these people on an individual basis;
- discuss and receive advice on the intended use of the biometric process from experienced persons with technical, cultural, or legal expertise;
- consider whether appropriate alternatives exist; and
- be open to receiving, considering and implementing feedback from any affected individuals.
In short: When implementing a biometric process, notify and consult all affected individuals, including employees and contractors, before collection begins. Make your proportionality assessment accessible on request, disclose if the process is a trial, and actively seek and consider feedback.
Use / Limits
Rule 10 governs how agencies may use biometric information once collected. Generally, and similar to Information Privacy Principle 10, biometric information may only be used for the purpose for which it was collected. If an organisation wishes to use it for a second purpose, an exception must apply. Those exceptions include (but are not limited to) where the individual authorises the use of the information for the new purpose, where the new purpose is directly related to the original purpose and/or where the way the information will be used will not identify the individual.
The Code also imposes additional restrictions on the use of biometric information that would involve categorising individuals by certain sensitive attributes.
Therefore, care must be taken when biometric information is processed to:
- obtain, generate or infer health information about a person;
- infer a person’s emotion, mood, personality trait, mental state or intention;
- categorise someone based on any of the protected grounds under the Human Rights Act 1993 (for instance sex, race, ethnicity, disability, sexual orientation) on the basis of biometric data; or
- be used for court or tribunal proceedings.
In short: Use biometric information only for its original purpose unless an exception applies. Don’t use it to infer health, emotional, or personal traits, or to classify people by protected characteristics.
Storage/security
Rule 5 of the Code requires you to have appropriate safeguards in place to ensure that any biometric information stored is protected against unauthorised use, access, modification or disclosure.
The Privacy Commissioner has made it clear that safeguards should appropriately reflect the sensitivity of biometric information and the overall risk during its handling. Given the inherent sensitivity of biometric information, multiple layers of safeguards should be introduced to provide the best protection.
Each organisation should ensure that it has robust internal procedures for the storage/security of biometric information. These may include:
- Preparing a data retention policy, to ensure information is stored only for as long as it is required, which helps reduce the risk of a privacy breach; and
- Organisational controls, such as staff training to ensure employees are up to date with business storage/security procedures.
In short: Put strong safeguards in place to protect stored biometric information from unauthorised access, use, or disclosure. Use multiple layers of protection that match the sensitivity and risk of the data.
Key Takeaways
The Code has introduced additional compliance requirements that organisations looking to implement or maintain biometric processes may find difficult to navigate. It is also evident that the Office of the Privacy Commissioner will likely hold any organisation that utilises biometric processes to a high standard. As such, agencies should only use such biometric processes where there is a very real need to do so.
If you do determine there is a need to implement biometric processes within your organisation, we recommend that you take the following steps:
- Undertake an initial proportionality assessment;
- Assess systems and safeguards for compliance;
- Notify and consult all affected individuals, including employees and contractors;
- Develop and implement appropriate Biometric Processing Policies for your organisation and provide staff training on the same.
If you require specific advice or assistance in this space, or would like to find out more, contact Ryan McMaster.
This article was written with help from Lucy Korolainen, Jarrod McDermott and Briana McGuire.
