Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

The Office of the Privacy Commissioner of New Zealand 6 Aug. issued the Biometric Processing Privacy Code, which regulates how organizations in New Zealand use biometric technologies to collect and process biometric information.

This major step follows four years of consultation and development, initiated by the release of a biometrics position paper in October 2021, and influenced by the inquiry into the use of facial recognition technology by a major New Zealand retailer.

The code is law, issued by the privacy commissioner under Part 3 of the Privacy Act. It comes into force 3 Nov., but organizations already using biometric systems have a nine-month grace period — which ends 3 Aug. 2026 — to comply with the new rules.

The code applies broadly to all organizations, in both the public and private sector, that collect biometric information for biometric processing. Biometric processing involves using biometric information — such as facial features, fingerprints, voice patterns or other unique characteristics — to verify identity, or identify or categorize individuals. It applies only in relation to biometric processing using technology; manual processing is not covered.

As with other codes of practice issued by the privacy commissioner, the Biometric Processing Privacy Code adapts the existing 13 information privacy principles within the Privacy Act to apply specifically to biometric processing. The code covers the life cycle of biometric information from collection, through storage and use, to destruction.

It alters the information privacy principles in some very material ways intended to address the specific risks of biometric processing, including by introducing necessity and proportionality assessments. Organizations must have a specific, lawful purpose for collecting biometric information, and the processing must be necessary, effective and proportionate to the likely impacts on individuals.

The code seeks to target activities with the most significant privacy impacts. For example, it does not apply to consumer devices — such as fitness trackers, smartwatches or technology used solely to provide entertainment or an immersive experience. It also excludes biometric processing of health information by health agencies, which are already subject to the Health Information Privacy Code.

Biometric information is deeply personal and uniquely linked to an individual. Unlike a password, it cannot easily be changed if compromised. As we have witnessed through inquiries into the use of facial recognition technologies in both New Zealand and Australia, there is growing public concern about the use of biometric systems and their potential to infringe on privacy, introduce bias, or be used in non-transparent ways. The code recognizes these heightened risks and provides a clear regulatory framework to ensure organizations use biometrics responsibly, transparently and with strong safeguards.

Daimhin Warner, CIPP/E, is the country leader, New Zealand, for the IAPP.

This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter.