On 6 August 2025, the Privacy Commissioner issued its finalised Biometric Processing Privacy Code (the Code), which regulates the collection and use of biometric information by organisations that process it with biometric technologies. The Code is now law, made under the Privacy Commissioner’s powers in the Privacy Act 2020, and creates new rules for biometric processing intended to give New Zealanders confidence about how their biometric information is collected and used.
The Code will apply to any new collection and use of biometric information from 3 November 2025, but organisations already processing biometric information will have until 3 August 2026 to comply.
The Office of the Privacy Commissioner has released extensive guidance on how the Code applies and how it should be interpreted and put into practice. Summarised below are some of the key things organisations should understand about the Code.
What does the Code apply to?
The Code only applies to biometric information as a class of information and to the activity of biometric processing by a biometric system.
Biometric information refers to an individual’s physical or behavioural features like their face, fingerprints, or voice, and is classified as sensitive personal information.
Biometric processing is the analysis or comparison of biometric information to:
- Categorise an individual by analysing their biometric information to gather information about them and place them into categories. This includes gathering information about a person’s health, emotional state or demographic categories and is subject to express limitations in Rule 10 (explained below).
- Identify an individual by comparing their biometric information against the information of others in the system. This is typically used for security purposes including identifying individuals able to enter a particular space.
- Verify whether an individual is who they claim to be. This involves comparing a person’s biometric information with other biometric information already held about that person.
A biometric system means a computer or technology-based system that is used for biometric processing. It includes any related devices and components needed to carry out the processing, such as cameras, scanners, comparison algorithms and tokens. It does not include a system that relies solely or primarily on human analysis, i.e. a purely manual system.
Any organisations currently processing biometric information or proposing to process biometric information will first need to assess and determine whether the processing falls within the scope of the Code.
Rules for compliance
The Code contains 13 Rules organisations must comply with in relation to the processing of biometric information, which replace the information privacy principles contained in the Privacy Act 2020. While organisations will need to comply with all of the rules, many of these align with the information privacy principles. The more substantive departures from the information privacy principles, where the rules impose more stringent compliance obligations on organisations, are found in Rules 1, 3, and 10.
Rule 1: Purpose
Rule 1 governs the purpose for collecting biometric information. It is the first hurdle that organisations using biometric processing systems must overcome in order for their collection and processing of biometric information to be lawful and permissible under the Code.
Organisations must ensure that the following four criteria are met before they can process biometric information:
- Lawful purpose: Organisations must have a clear, lawful, and specific purpose for collecting biometric information. Vague justifications like “for business use” or “for security” will be insufficient. The purpose must be directly connected to the organisation’s functions and relevant at the time of collection. Importantly, biometric data cannot be collected speculatively or “just in case” it might be useful later.
- Necessary: The collection must be necessary, meaning that biometric processing is an effective way of achieving the organisation’s purpose and that the purpose could not reasonably be achieved as effectively by an alternative with less privacy risk. Effectiveness must be supported by objective evidence, such as performance metrics, trials, expert opinions, or case studies. Organisations are also required to reassess effectiveness periodically, especially if the system changes.
- Safeguards: Organisations must implement appropriate safeguards to mitigate privacy risks. These include:
- Immediate deletion of non-match data.
- Secure storage and access controls.
- Staff training and oversight.
- Transparent governance processes.
- Proportionality: The benefits of biometric processing must be examined against and must clearly outweigh the privacy risks. This includes reviewing the technology’s intrusiveness, the potential for discrimination, any cultural impacts, and the risk of scope creep.
Navigating Rule 1 will likely be the most significant hurdle in evaluating your organisation’s readiness for biometric processing. It sets the foundation for lawful collection and use, and overcoming its requirements is essential before any further compliance steps can be meaningfully addressed. The Office of the Privacy Commissioner has signalled that a high level of scrutiny will be placed on an organisation’s purpose, requiring careful consideration of whether biometric processing is right for your organisation.
Rule 3: Notification
Rule 3 builds on the transparency obligations in Information Privacy Principle (IPP) 3 of the Privacy Act 2020, but introduces additional and more specific requirements tailored to the collection and processing of biometric information.
Organisations must take reasonable steps to inform individuals about the collection of their biometric information. In addition to the standard information disclosure requirements under IPP3, organisations processing biometric information will need to clearly and conspicuously notify people:
- What biometric information is being collected.
- The specific purposes for which it is being collected and used.
- How long the biometric information will be retained.
- Whether any alternative option to biometric processing is available.
- How they can make a complaint about the processing of their biometric information, including their right to make a complaint to the Privacy Commissioner.
- Whether the organisation’s proportionality assessment under Rule 1 is either publicly available or available on request, and where and how the person can view it.
- Whether the collection and processing of biometric information is being carried out as a trial and, if so, how long the trial will run.
The information provided must be easy to understand and accessible through signage, verbal notices, or digital prompts. If full notification is not practicable at the time of collection, organisations must provide the remaining information as soon as practicable afterward. Organisations should also consider whether repeated notification is necessary, especially if biometric information is collected frequently or in less obvious ways.
Rule 10: Use and limits
Rule 10 sets out strict limitations on how biometric information may be used once collected. Organisations may only use biometric information for the specific purpose it was collected for. Any secondary use must meet one of the limited exceptions, such as:
- The new purpose is directly related to the original one.
- The data is anonymised and used for research or statistics.
- The individual has expressly authorised the new use.
- The use is necessary for law enforcement, public safety, or legal proceedings.
There are also additional prohibitions on using biometric information for categorisation. Categorising individuals by health status, emotions or personality, attention level, or a protected characteristic under the Human Rights Act is not permitted unless a specific exception applies, such as:
- Express consent from the individual.
- Use by a health agency providing health services.
- Necessity to prevent or lessen a serious threat to life, health, or public safety.
- Accessibility support or ethically approved research.
Next steps
We expect compliance with the Code will be a complex exercise for many organisations, demanding robust privacy impact assessments and detailed proportionality assessments (which may require external expertise and support). While the Office of the Privacy Commissioner has issued comprehensive guidance on its expectations, organisations will still need to invest significant effort behind the scenes to meet these new obligations. Recognising this, we will be working closely with our clients to help ease the burden by developing practical templates and tailored guidance to support them through each stage of the assessment process.
Organisations that are currently undertaking biometric processing should start to plan ahead now. This will first involve an assessment of whether the Code applies, and if so, the commencement of a detailed privacy impact assessment to document compliance with Rule 1. For organisations exploring the future use of biometric processing systems, initiating a trial can be a valuable first step. It provides a practical means to assess and document the system’s effectiveness, helping to inform proportionality assessments and support compliance from the outset.
If you would like more assistance with understanding the Code, or are planning to introduce biometric processing into your organisation, please get in touch with one of our privacy experts below.
This article was co-authored by Thomas Anderson, a Solicitor in our Corporate and Commercial team.