The Hidden Biometric Systems

Written By Caroline carver

The Biometric Code is already in force. But the real deadline for many organisations is still ahead. The Biometric Processing Privacy Code 2025 came into force on 3 November 2025 for any new biometric processing. However, organisations that were already using biometric systems before that date have until 3 August 2026 to comply. 

That means the next few months are when many organisations need to take a careful look at systems that are already running today. 

When people think about biometrics, they usually picture the obvious examples: 

  • facial recognition cameras 

  • fingerprint scanners 

  • iris readers 

  • biometric time and attendance systems. 

But biometric processing is not always this visible. Sometimes it appears in very ordinary workplace tools.  

Consider a typical meeting. The team joins a meeting room or connects remotely through Microsoft Teams. Someone enables transcription so that meeting notes are captured automatically. The transcript appears on screen, and each sentence is labelled with the name of the person speaking. That functionality is extremely useful. But it relies on the system being able to identify who is speaking. 

To do that, the platform performs speaker identification, analysing voice characteristics to distinguish one person from another. In some configurations, visual information from cameras may also be used to help correlate participants with identities. 

Voice characteristics and facial images are both examples of biometric information and the way it is used to through biometric verification and biometric identification. 

Under the Code, organisations using biometric systems need to be able to demonstrate things such as: 

  • the purpose of the biometric processing 

  • that the processing is necessary and proportionate 

  • that individuals are properly informed about what is happening 

  • that there are appropriate safeguards and retention controls. 

Between now and 3 August 2026, organisations should be identifying where biometric processing may already be occurring and assessing whether those systems meet the requirements of the Code using a Privacy Impact Assessment. 

Caroline carver
Next

The Harm Behind Harmless Gossip