The Privacy Commissioner has issued a Biometric Processing Privacy Code that will create specific privacy rules for businesses and organisations using biometrics and give New Zealanders confidence about the use of their sensitive personal information.
Biometric processing is the use of technologies, like facial recognition technology, to collect and process people’s biometric information to identify them or learn more about them.
Privacy Commissioner Michael Webster says in a statement that biometrics are some of our most sensitive information.
“It is not just information about us, it is us. The very thing that makes biometrics risky, their uniqueness, also makes them useful. The aim of the new rules is to allow for beneficial uses of biometrics while minimising the risks for people’s privacy and society as a whole.”
The Code, which is now law made under the Privacy Act, will help make sure agencies implementing biometric technologies are doing it safely and in a way that is proportionate.
“It’s important that agencies can innovate while keeping New Zealanders safe from privacy risks; this Code will do that,” says Webster.
He says the final Code has the force of law. “It has the same legal status as the Information Privacy Principles in the Privacy Act – it just replaces them for when agencies use biometric information in automated processes.”
The Code comes into force on 3 November 2025, but agencies already using biometrics have until 3 August 2026, 12 months from the announcement, to align themselves with the new rules.
Webster says his office understands the Code “may require some changes to agencies’ processes and policies for them to be compliant, like creating new notifications, training staff, or changing their technical systems, and we wanted to give them enough time to make these happen”.
In addition to the usual requirements from the Privacy Act, the Code strengthens and clarifies the requirements on organisations to:
- Assess the effectiveness and proportionality of using biometrics – is it fit for the circumstances.
- Adopt safeguards to reduce privacy risk.
- Tell people a biometric system is in use, before or when their biometric information is collected.
Michael Webster
“The Code also limits some particularly intrusive uses of biometric technologies like using them to predict people’s emotions or infer information like ethnicity or sex…”
The Code also limits some particularly intrusive uses of biometric technologies like using them to predict people’s emotions or infer information like ethnicity or sex, or other information protected under the Human Rights Act.
“Biometrics can have major benefits, including convenience, efficiency, and security. However, it can also create significant privacy risks, including surveillance and profiling, lack of transparency and control, and accuracy, bias, and discrimination,” says Webster.
His office notes that most comparable jurisdictions have additional protections for sensitive information like biometric information. In New Zealand, the Privacy Act regulates the use of personal information (and therefore biometric information), but the Code now provides clear privacy rules around using biometric technologies.
“Having biometric-specific guardrails will help agencies deploy these tools safely, using the right tool for the job and protecting people’s privacy rights as they do it,” he says.
“Guidance is also being issued to support the Code. The guidance is very detailed and explains how we see the Code working in practice. It also sets out examples so agencies planning to use biometrics can better understand their obligations.
“Our guidance is a starting point; agencies still need to do their own thinking and seek advice to understand their own situation and how they are using or plan to use biometrics.”
Webster says biometrics should only be used if “they are necessary, effective and proportionate; the key thing to make sure of is that the benefits outweigh the privacy risks.”
Read the Biometrics Privacy Code
Click here to see the Privacy Commissioner’s latest column in Management.
