Privacy Commissioner announces new rules for biometrics


Source: Privacy Commissioner

New Zealand now has new privacy rules for the automated use of biometrics – rules that aim to protect New Zealanders’ sensitive personal data, while allowing agencies to innovate.

Biometric processing is the use of technologies, like facial recognition technology, to collect and process people’s biometric information to identify them or learn more about them.

The Privacy Commissioner has issued a Biometric Processing Privacy Code that will create specific privacy rules for agencies (businesses and organisations) using biometrics and give New Zealanders confidence about the use of their sensitive personal information.

Privacy Commissioner Michael Webster says, “Biometrics are some of our most sensitive information. It is not just information about us, it is us. The very thing that makes biometrics risky, their uniqueness, also makes them useful. The aim of the new rules is to allow for beneficial uses of biometrics while minimising the risks for people’s privacy and society as a whole.”

The Code, which is now law made under the Privacy Act, will help make sure agencies implementing biometric technologies are doing it safely and in a way that is proportionate. 

“It’s important that agencies can innovate while keeping New Zealanders safe from privacy risks; this Code will do that,” says Commissioner Webster.

“The final Code has the force of law. It has the same legal status as the Information Privacy Principles in the Privacy Act – it just replaces them for when agencies use biometric information in automated processes.”

The Code comes into force on 3 November 2025, but agencies already using biometrics have until 3 August 2026, 12 months from today’s announcement, to align themselves with the new rules. 

“We understand the Code may require some changes to agencies’ processes and policies for them to be compliant, like creating new notifications, training staff, or changing their technical systems, and we wanted to give them enough time to make these happen,” says Mr Webster.

In addition to the usual requirements from the Privacy Act, the Code strengthens and clarifies the requirements on agencies to:

  • assess the effectiveness and proportionality of using biometrics – is it fit for the circumstances
  • adopt safeguards to reduce privacy risk
  • tell people a biometric system is in use, before or when their biometric information is collected. 

The Code also limits some particularly intrusive uses of biometric technologies like using them to predict people’s emotions or infer information like ethnicity or sex, or other information protected under the Human Rights Act. 

“Biometrics can have major benefits, including convenience, efficiency, and security. However, it can also create significant privacy risks, including surveillance and profiling, lack of transparency and control, and accuracy, bias, and discrimination,” says Mr Webster.

Most comparable jurisdictions have additional protections for sensitive information like biometric information. In New Zealand, the Privacy Act regulates the use of personal information (and therefore biometric information), but the Code now provides clear privacy rules around using biometric technologies. 

“Having biometric-specific guardrails will help agencies deploy these tools safely, using the right tool for the job and protecting people’s privacy rights as they do it,” says Mr Webster.

Guidance is also being issued to support the Code. The guidance is very detailed and explains how we see the Code working in practice. It also sets out examples so agencies planning to use biometrics can better understand their obligations.

“Our guidance is a starting point; agencies still need to do their own thinking and seek advice to understand their own situation and how they are using or plan to use biometrics.

“Biometrics should only be used if they are necessary, effective and proportionate; the key thing to make sure of is that the benefits outweigh the privacy risks,” says Mr Webster.  

Read a summary of the Biometric Processing Privacy Code

Read the Biometric Processing Privacy Code

See our factsheets for an overview of the Code

Read our guidance on the Code

MIL OSI
