The Privacy Commissioner has issued the long-anticipated Biometric Processing Privacy Code 2025 (the Code), ushering in a new era of regulation for organisations using biometric technologies in New Zealand.
With compliance deadlines fast approaching (3 November 2025 for new biometric processing and 3 August 2026 for existing systems), there is a relatively short runway for organisations to prepare, and we recommend taking early steps to understand the detail of the Code and the related regulatory guidance.
What is “Biometric Processing”?
The Code casts a relatively wide net. “Biometric processing” is defined as the comparison or analysis of biometric information by a technological system. This includes:
- Biometric identification - in summary, recognising an individual by comparing their biometric characteristics (e.g., face, fingerprint, voice) with information held in a system.
- Biometric verification - i.e., one-to-one matching to confirm a claimed identity.
- Biometric categorisation - analysing biometric information to infer or detect certain characteristics including personality, mood and emotion.
“Biometric information” itself means personal information relating to a biometric characteristic. That includes fingerprints, facial images, iris scans, voice patterns, gait, or even keystroke patterns (i.e., the way a person types on a keyboard).
Notably, the Code does not cover genetic or neurological data, or health information held by health agencies (separately regulated under the Health Information Privacy Code).
What obligations apply?
Any organisation using, or planning to use, biometric information should ensure they are familiar with the obligations under the Code. The Code is detailed and relatively wide-ranging. We summarise two key new obligations below.
Proportionality Assessments
One new requirement that may be challenging for organisations (or “agencies” to use the language of the Privacy Act) is an obligation to carry out proportionality assessments before collecting biometric information.
Under Rule 1 of the Code, an agency may only collect biometric information if the processing is for a lawful purpose related to its functions or activities, and if the processing is necessary for that purpose, including that it must be effective in achieving the agency’s purpose and there must be no reasonably available alternative with less privacy risk. The agency must also implement appropriate privacy safeguards and be satisfied, on reasonable grounds, that the processing is proportionate to the likely impact on individuals.
In assessing proportionality, the agency must consider the scope and degree of privacy risk, whether the benefits of the processing outweigh those risks, and “the cultural impacts and effects of biometric processing on Māori.” This may require additional procedures for many agencies (particularly those based offshore that carry on business in New Zealand) to ensure they have properly considered the cultural impacts and effects of biometric processing on Māori, including data sovereignty issues and the application of tikanga Māori.
Enhanced notice requirements
The notice provisions for collecting biometric information under the Code expand the ordinary requirements under the Privacy Act (under Information Privacy Principle 3 (IPP 3)). In particular, agencies collecting biometric information must take reasonable steps to ensure the individual is made aware not only of the fact of collection and the specific purposes (with “due particularity”), but also of whether any alternative to biometric processing is available.
The agency must also inform individuals of the processes available for raising concerns or complaints about biometric processing, including the right to complain to the Privacy Commissioner. Additionally, the agency must inform the individual where its proportionality assessment (see above) regarding the biometric processing can be accessed, if it is publicly available, or whether it can be provided on request.
These requirements represent a significant increase to the usual transparency obligations under IPP 3 that agencies will already be familiar with under the Privacy Act.
Next steps and how to prepare
The Code will take effect from 3 November 2025 for any biometric processing activities that commence after that date, while organisations with existing biometric processing systems in place on or before 3 November 2025 have until 3 August 2026 to achieve compliance.
To ensure compliance and readiness ahead of the Code’s commencement, organisations should consider taking the following steps:
- Map all biometric processing activities: Identify and document all systems, processes, and business units that collect, use, or store biometric information (e.g., facial recognition, fingerprint access, voice authentication). Ensure you have a comprehensive understanding of where and how biometric data is processed across your organisation.
- Proportionality assessments: Assess whether your use of biometrics is necessary, effective, and proportionate to the likely impacts on individuals. If you cannot demonstrate all three, you cannot proceed with biometric processing. The assessment must consider privacy risks, benefits, and the cultural impacts and effects on Māori. Bell Gully has leading specialists in both Māori legal issues and privacy who can assist with building processes to ensure these assessments are appropriately structured.
- Review and Update Privacy Impact Assessments (PIAs): Update existing PIAs or create new ones to specifically address the necessity and effectiveness of biometric processing and consider the privacy safeguards in place.
- Notice: Develop clear, accessible notices for individuals explaining the fact that biometric information is being collected, and specific purposes for collection, and the other matters specified in the Code.
- Training staff: Ensure staff involved in biometric processing understand the new requirements and their responsibilities. Establish mechanisms for regular review of biometric processing activities, proportionality assessments, and stakeholder engagement.
By taking these steps now, organisations can help to ensure they are well prepared for the new regulatory environment and avoid disruption or compliance risks when the Code comes into force.
Given the limited time ahead of commencement of the new regime, it is worth getting underway at an early stage.
For assistance with Privacy Impact Assessments, reviewing your systems, or updating your privacy documentation, please contact the listed contacts or your usual Bell Gully adviser.
Disclaimer: This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.