Privacy Commissioner releases draft biometrics privacy code

Biometrics is a trending issue and with the development of technology there are consistently more ways biometric data can be used, from replacing a password to identifying repeat shoplifters in a shop. With these developments, issues have started to be identified from a privacy perspective.

In our update late last year, we discussed the Privacy Commissioner’s (Commissioner) intention to release an exposure draft for a privacy code that will govern the collection and use of biometric information in biometric processing in New Zealand.  The exposure draft of the Biometric Processing Privacy Code (Code) and an associated consultation document have now been released.

Biometric information – what is it?

Biometric information relates to a person’s physical and behavioural characteristics.  For example, a person’s facial features, voice, fingerprints, signatures, keystroke patterns, and more.  Biometric information is personal information and is already regulated by the Privacy Act 2020 (Act).  However, the Commissioner considers biometric information to be a special type of personal information that requires specific protection in certain circumstances.

What are the concerns?

The use of biometric information can have great benefits, including convenience and security.  But there are risks too.  The Commissioner has identified risks such as lack of transparency and control, accuracy, bias, and risks relating to surveillance and profiling.  The Code is intended to give some guidance as to how this type of information can be processed and used.  

The Commissioner is seeking feedback on the Code and is asking three main questions:

  • How should organisations have to balance the benefits and disadvantages of biometrics before using them?
  • How and what should people be told when their biometrics are being collected?
  • What are some things that biometrics should not be used for?

So, what exactly does the Code cover?

The new Code is intended to apply to the activity of biometric processing and biometric information (as a class of information for the purpose of that activity).  The Code applies to the use of biometric information to recognise or classify people by way of biometric processing. 

The Code sets out thirteen rules that must be complied with when undertaking biometric processing and collecting, using and disclosing biometric information.  Overall, there are general similarities with the thirteen Information Privacy Principles (IPP) in the Act.  However, some key changes have been suggested.  These include:

Rule 1 of the Code

Rule 1 of the Code places responsibility on organisations to demonstrate that their biometric processing is proportionate.  In the Code, in addition to only collecting biometric information for a lawful purpose, organisations must not collect biometric information for biometric processing unless (1) they believe on reasonable grounds that their biometric processing is proportionate in the circumstances and (2) they have put in place any privacy safeguards that are reasonable in the circumstances. 

Rule 3 of the Code

The proposed Rule 3 would, amongst other things, require organisations to have a clear and obvious notice advising individuals that biometric information is being collected, the specific purposes the biometric information is being collected for and whether there is an alternative option to biometric processing available.  Agencies will also need to have an easily accessible notice that advises individuals of additional information such as the agency’s retention policies, complaints processes, policies, procedures and protocols for the collection and disclosure of biometric information. 

Rule 4 of the Code

The Commissioner wishes to restrict certain unfair and intrusive uses of biometric processing.  Accordingly, Rule 4 of the Code prohibits an agency from collecting information about an individual’s health by way of biometric classification (a type of biometric processing), using biometrics to obtain information about a person’s emotional or physical state or to place individuals into restricted biometric categories e.g., age, race, sex, ethnicity, etc.   

The default position under the Code is that these types of biometric activity are prohibited unless an exception applies.  The intent is that these types of biometric processing will only be used where there are clear benefits.

Find out more

You can find copies of the draft privacy code and consultation document here and any feedback must be emailed to biometrics@privacy.org.nz by 8 May 2024.

If you have any questions or concerns about the changes to come, or about your current privacy practices, feel free to get in touch with our team, to see how we can help.


Disclaimer:  The information contained in this article is current at the date of publishing and is of a general nature.  It should be used as a guide only and not as a substitute for obtaining legal advice.  Specific legal advice should be sought where required.



Do you need expert legal advice?
Contact the expert team at Hesketh Henry.
Media contact - Kerry Browne
Please contact Kerry with any media enquiries and with any questions related to marketing or sponsorships on +64 9 375 8747 or via email.

Related Articles / Insights & Opinion

Complexities of contract termination – High Court calls halt on the Contractor’s process in Rau Paenga v CPB
The High Court in Rau Paenga Ltd v CPB Contractors Pty Ltd [2023] NZHC 2947 granted an interim injunction preventing the Contractor from suspending and terminating its contract for the construction of...
30.05.2024 Posted in Construction & Disputes
iStock  Employment Concept
Court of Appeal overturns Employment Court decision stripping family carers of their employment status
Two parents of disabled adult children have lost their status as employees of the Ministry of Health (MOH). The Employment Court had previously found that they were “homeworkers” and therefore emp...
29.05.2024 Posted in Employment
vadim kaipov  kIqhmxc unsplash med
Is working from home still working?
There are conflicting views on whether working from home is effective. Research conducted by Massey University at the end of 2023 found that around 40% of workers were doing hybrid work. This was an i...
23.05.2024 Posted in Employment
The Legal500 Construction Comparative Guide
The Construction team at Hesketh Henry is the exclusive New Zealand contributor to The Legal 500: Country Comparative Guide for Construction.  Partners Glen Holm-Hansen and Helen Macfarlane along wit...
21.05.2024 Posted in Construction
Government trumps Member’s Bill with the Contracts of Insurance Bill 2024
It now seems there is at least the possibility 2024 will be the year New Zealand finally sees the reform of insurance law with the Government’s own bill, the Contracts of Insurance Bill, now before ...
16.05.2024 Posted in Insurance
Building Permit
Build-to-Rent (BTR) Basics
If the term Build-to-Rent is new to you, you are probably not alone.  Unlike countries such as the USA, UK and Australia where BTR is well established, the BTR sector is still emerging in New Zealand...
26.04.2024 Posted in Property
Insurance Contract Law – Parliament finally gets to consider long-awaited reforms
The Government’s Contracts of Insurance Bill was introduced on 30 April 2024.  See our article on this Bill. In February 2022, the Ministry of Business, Innovation and Employment (MBIE) released an...
24.04.2024 Posted in Insurance
Send us an enquiry

For expert legal advice, please complete the form below or call us on (09) 375 8700.