The Biometric Code is Out!! – Is Your Organisation Ready?
The Biometric Processing Privacy Code has now been issued. It will come into force in two tranches:
3 November 2025 – for biometric processing that starts after 3 November 2025
3 August 2026 – for biometric processing already in use on or before 3 November 2025
So, what is biometric information? Some of the most common types of biometric information collected by organisations include:
Face images
Eye or iris scans
Fingerprint and/or palm print scans
Gait analysis
Keystroke logs
Patterns of device use / touch screen interaction (e.g. the distinctive position, pressure, and speed of someone’s fingers when they swipe, scroll, or tap on a smartphone)
Voice audio
There are many different types of biometric systems that are covered by the Code. However, it’s important to note that systems relying solely or primarily on human analysis — for example, a purely manual comparison of someone’s face to an ID document — are not covered by the Code.
With a few exceptions, the Code applies to the following biometric processing activities:
Biometric verification – the automated verification of an individual’s claimed identity. Examples include confirming your identity against a passport or driver licence, for example as part of AML requirements.
Biometric identification – the one-to-one matching of a person against an enrolled population. Examples include fingerprint scanning for time management systems and facial recognition used to prevent shoplifting.
Biometric categorisation – where biometric information is used to infer characteristics about an individual. Examples include age verification, fraud detection systems like BioCatch, and driver fatigue detection systems.
The Code focuses on the following key principles:
Purpose – Organisations must know why they are collecting biometric information and only collect what is necessary and effective for that purpose.
Safeguards – Privacy safeguards must be implemented before collecting biometric information.
Proportionality – Biometric information must only be collected if there are reasonable grounds to believe the processing is proportionate to the potential impacts on people.
Openness – Organisations generally need to be transparent with individuals, so people can make informed choices.
Use limits – The Code sets clear limits on what biometric information can be used for.
There are lots of helpful resources available on the OPC website:
https://www.privacy.org.nz/resources-and-learning/a-z-topics/biometrics/
The best way to ensure your biometric system complies with the new Code is to complete a Privacy Impact Assessment (PIA).
We’ve recently worked with a number of organisations on preparing PIAs for biometric systems, and we’re happy to share our experience — and assist with yours.