The Privacy Commissioner announced yesterday his intent to proceed with a biometrics code to regulate the collection and use of biometric information. A revised Biometric Processing Privacy Code (Code) has been released for public consultation, along with draft Biometric Processing Privacy Code guidance (Guidance) and a Biometric Processing Privacy Code consultation paper (Consultation Paper). The Code, Guidance and Consultation Paper are available here. Submissions on the Code, Guidance and Consultation Paper close 14 March 2025.
Background
In April 2024, the Office of the Privacy Commissioner (OPC) released an initial exposure draft of the Code for consultation (available here). The draft Code proposed specific privacy rules applicable to both public and private sector entities that collect and process biometric information in an automated way using biometric systems.
A report (available here) was released in August 2024 summarising the submissions received (Report). The Report indicated that submissions were broadly supportive, but called for some changes, including overall simplification and clear guidelines with worked examples to assist with understanding and applying the Code.
What is captured by the Code?
The Code applies to the processing of biometric information in an automated way using biometric systems. It does not apply to manual processing.
The Code broadly defines "biometric information" as personal information relating to a biometric characteristic, including such information about people's physical and behavioural characteristics (e.g. a person's face, fingerprints, voice or gait). The Code expressly excludes information about an individual's biological and genetic material, brain activity and nervous system from the scope of the definition.
"Biometric systems" are referred to in the Code as machine-based systems (including software) which are used for biometric identification, verification and categorisation (but do not include a system that relies solely or primarily on human analysis).
The Code
The revised Code sets out 13 rules that organisations collecting and processing biometric information in an automated way using a biometric system must follow. These broadly align to the existing general Information Privacy Principles under the Privacy Act 2020, but also introduce some new concepts:
- Purpose of collection: Organisations may only collect biometric information for a lawful purpose in connection with a function of that agency. The collection must be necessary, safeguarded and proportionate in the circumstances.
- Source of biometric information: Organisations may only collect biometric information directly from the relevant individual to which it relates.
- Notifying individuals: When collecting biometric information, organisations must comply with prescribed notification requirements to ensure the individual is aware of the collection.
- Manner of collection: The Code sets out requirements regarding the manner in which organisations may collect biometric information. Collection must be undertaken by means that are lawful, fair and not unreasonably intrusive.
- Storage and security: The Code imposes rules about the storage and security of biometric information.
- Access: Individuals have the right to make a request to an agency as to whether (and what type of) biometric information is held about them and have access to that information.
- Correction: Individuals have the right to require an agency to correct biometric information held about them.
- Maintaining accuracy: Organisations holding biometric information must check that it is accurate, up to date, complete, relevant and not misleading before using or disclosing that information.
- Time to retain data: Organisations must not keep biometric information for longer than is required for the purpose for which it was collected.
- Limits on use of biometric information: Organisations are restricted in how they may use biometric information (for example, if biometric information is collected for one purpose, it may not be used for any other purpose). The Code also prohibits the processing of biometric information for the purposes of producing or inferring health information, information relating to mood, emotion, intention or mental state, or information relating to a prohibited ground of discrimination under the Human Rights Act.
- Limits on disclosure: Likewise, rule 11 sets out the limits on disclosure of biometric information.
- Limits on disclosure outside NZ: Rule 12 places limits on the disclosure of biometric information outside New Zealand.
- Use of unique identifiers: Rule 13 allows for unique identifiers that are biometric features or templates to be assigned to individuals for use in agency operations.
The revised Code and Guidance also address the following issues outlined in the Report:
- Application of Code: Where organisations are already carrying out biometric processing, the timeframe to comply with the Code has been extended from six months to nine months. The Guidance also clarifies that the manual collection of biometric data is not covered by the Code (in contrast to automated collection).
- Scope and Definitions: Terminology has been made less technical and complex, and various definitions have been amended or removed to align with more widely understood industry terms.
- Proportionality assessment: Although the threshold for Rule 1 has not changed, the Code now clarifies the intended meaning of the term 'necessary' (including allowing for biometric processing to be trialled to determine if it meets the criteria) and simplifies the proportionality assessment test.
- Notification requirements and transparency: A new requirement has been added for organisations to include in their notice a location or method for individuals to get more information about the biometric processing (as opposed to requiring organisations to list out relevant policies, protocols and procedures in their notifications, as was required under the initial draft of the Code).
- Fair processing limits: Rule 10 now collates all fair use limits (removing specific processing exclusions from Rule 4) and the restriction on web-scraping has also been removed. The OPC notes in the Consultation Paper that it has restricted any fair use limits to what it considers to be the highest risk and most intrusive uses. All other forms of biometric processing will rely on the proportionality assessment test.
- Alignment of HIPC and the Code: The Report noted feedback received requesting clarity on the health agency exclusion, particularly for organisations that only have some health functions (for example, insurers who are currently exempt as they are classed as a "health agency"). The revised Code has not materially changed in this respect, but the Guidance provides examples of how the Health Information Privacy Code 2020 (HIPC) and the Code work together, explaining that the Code will not apply only if the biometric information is processed by a 'health agency' in circumstances where the biometric information also constitutes 'health information' (each as defined in HIPC).
- Protections for Māori: The Report noted a desire to strengthen protections for Māori biometric information, specifically by including a Te Tiriti o Waitangi clause and providing for Māori data governance by establishing a Māori advisory group. Whilst this has not yet been addressed in the Code, the OPC has stated on its website that the newly established OPC Māori Reference Panel will be providing input during this consultation.
Next steps
As noted above, the consultation period ends on 14 March 2025. Feedback should be emailed to [email protected].
If you would like any assistance preparing a submission or would like to discuss how the use of biometrics in your organisation may be impacted, please do not hesitate to get in touch with one of our experts listed below. We will continue to monitor activities relating to the Code and other related developments in New Zealand.