8/08/2025
New privacy rules for biometrics in New Zealand

Key takeaways
- The Biometric Processing Privacy Code 2025 (Code) was issued by the Privacy Commissioner on 6 August 2025, requiring compliance with specific privacy rules when collecting, using and managing biometric information for biometric processing.
- The Code will come into force on 3 November 2025, but agencies already undertaking biometric processing activities will have until 3 August 2026 to comply with the new rules.
- Alongside the Code, the Office of the Privacy Commissioner (OPC) has released detailed guidance to assist organisations in complying with the new rules.
What is the Code?
The Code, issued under the Privacy Act 2020 (Privacy Act) by the Privacy Commissioner, sets out specific privacy rules for all organisations (including businesses, government agencies and NGOs) that collect biometric information for processing by an automated biometric system.
Biometric systems involve using certain technologies to identify individuals or gain insights about them based on their physical or behavioural characteristics, such as facial features, fingerprints, voice, typing patterns and how they walk.
The Code introduces 13 rules that modify or replace the corresponding 13 Information Privacy Principles from the Privacy Act for biometric processing activities. Biometric processing involves the comparison or analysis of biometric information by a technological system by means of biometric identification, verification or categorisation. These new rules include the following requirements:
- Effectiveness and Proportionality: agencies must only collect biometric information for lawful purposes connected to their functions, and must ensure that such processing is necessary and proportionate to the privacy risks involved - referred to as the ‘necessity test’.
- Safeguards: agencies must adopt robust safeguards to reduce privacy risks.
- Transparency: agencies must ensure that they inform people about the collection of their biometric information before, or at the time, their biometric information is collected. Other matters to be notified include why a biometric system is in use and recipients’ rights regarding access to and correction of their data.
- Safe limits: any highly intrusive uses of biometrics, such as emotion prediction, attention tracking or inferring sensitive information (e.g. ethnicity or sex), are only to be used in certain situations. For example, where use is necessary for aiding people with disabilities, keeping people safe, or for research purposes.
What doesn’t the Code apply to?
The Code generally applies to all organisations (including businesses, government agencies and NGOs) that collect biometric information for biometric processing, but there are some notable exceptions.
The Code does not apply where biometric information is health information under the Health Information Privacy Code (HIPC) and is being processed by a health agency. In that case, the HIPC will apply instead.
Certain intelligence and security agencies are exempt from some of the Code’s rules, reflecting their unique functions.
The Code also generally does not apply to consumer devices used for personal purposes, such as fitness trackers or VR headsets, or to individuals acting in a purely personal capacity.
Importantly, where the Code does not apply, the Privacy Act may still govern the collection, use and disclosure of biometric and other personal information.
What has changed since the public consultation?
The Code’s release follows an extensive development and public consultation process. For more background, you can read our previous articles here: Biometrics Privacy Code: Balancing Security and Privacy?, Biometric Boundaries: A Code of Practice to Regulate Biometrics in New Zealand and Biometrics Privacy Code - facing up to an uncertain future.
While the Code’s rules are substantially the same as in the last consultation draft, several refinements have been made, including:
- delaying the commencement date to 3 November 2025, and introducing a grace period (until 3 August 2026) for agencies already undertaking biometric processing to comply with the new rules;
- clarifying that the necessity test requires agencies to consider whether a lower privacy risk alternative achieves their required purpose;
- allowing agencies conducting a trial to assess the effectiveness of their biometric system in achieving its purpose to defer compliance with both limbs of the necessity test under rule 1(b); and
- tightening the rules on biometric attention tracking so organisations may now only use biometric systems to monitor attention, alertness, or fatigue where it is for safety purposes (i.e. to lessen or prevent a risk to someone’s life or health).
The Guidance, which was released with the consultation draft, has also been updated and released alongside the final Code. The Guidance is very detailed and sets out examples to help agencies better understand how to comply with the Code’s obligations. The OPC will also use the Guidance as a benchmark for any investigations into complaints or compliance issues under the Code.
The level of detail in the Guidance suggests that the OPC may be anticipating implementation challenges and is taking a proactive approach to assist agencies in navigating the new obligations.
Our thoughts
The Code signals a new phase in New Zealand’s privacy framework, one that recognises the growing presence and power of biometric technologies in everyday life. By moving forward with the Code, the Privacy Commissioner is acknowledging both the potential and the risk of these tools. The Code also brings New Zealand’s privacy framework more in line with other comparable jurisdictions which regulate the collection, use and disclosure of sensitive information (such as biometrics).
The Code’s focus on proportionality and necessity invites deeper conversations around ethics and purpose; not just whether an agency can use biometric processing technology, but whether it should. The Privacy Commissioner’s comments around Foodstuffs North Island’s facial recognition trial (read our comments about the trial here) reinforce this, highlighting the need for businesses to assess whether the benefits truly justify the privacy risks.
As the compliance deadline approaches, the Guidance will serve as a practical starting point for agencies looking to adopt biometric technologies, and an important reference for those already using them to ensure that their practices comply with the Code.
Special thanks to James Burnett for his assistance in writing this article.