To date there has been a gap in New Zealand’s privacy laws around the use of facial recognition, fingerprint scanning, voice authentication, and behavioural analysis technologies.
That gap has now been closed. The Office of the Privacy Commissioner (OPC) has finalised the Biometric Processing Privacy Code 2025 (Code) for the handling of biometric information under the Privacy Act 2020.
For entities that will be captured by the Code, there are two operative dates. New biometric systems introduced on or after 3 November 2025 must be compliant from that date. Existing biometric systems in operation prior to that date must achieve compliance by 3 August 2026.
Scope of the Code
The Code applies to any automated processing of biometric information used to verify an individual’s identity or analyse physical or behavioural characteristics, where that information is unique and measurable. It does not apply to:
- Biometric information processed by health agencies; and
- Data generated by personal consumer devices used solely by individuals (e.g. smartphones, smartwatches).
Organisations that use biometric systems for purposes such as access control, workforce management, or customer identification may fall within the scope of the Code and need to consider what is required of them to be compliant.
Organisations must not collect or use biometric information unless it is necessary for the lawful purpose being pursued, effective in achieving that purpose, proportionate to the level of privacy intrusion, and unable to be replaced by a less privacy-invasive method.
A formal Proportionality Assessment must be undertaken before biometric processing is initiated. This assessment must weigh the benefits of processing against privacy risks and consider cultural factors, including potential impacts on Māori individuals and communities.
The Code also imposes enhanced notification requirements. Individuals must be provided with clear and specific information before their biometric information is collected, including the purpose of the processing, available alternatives to biometric collection, how long the data will be retained, and access and complaints mechanisms.
The Code strictly prohibits the use of biometric information to:
- Infer emotions or psychological states; such information may only be used where an agency believes that the use is necessary to prevent or lessen a risk to public health or public safety, or a person’s life or health;
- Detect or analyse attributes such as race, health status, religious beliefs, or sexual orientation.
Organisations are required to implement appropriate security safeguards to protect biometric data from unauthorised access or disclosure. Internal policies and training should also be updated to reflect the new obligations.
To prepare for the upcoming changes you will need to identify existing or proposed uses of biometric data within the organisation. You will also need to:
- Undertake Proportionality Assessments for each biometric system, documenting the legal basis, necessity, alternatives considered, and cultural impacts;
- Review and update privacy notices;
- Implement appropriate safeguards;
- Provide internal training for staff involved in the collection or management of biometric data; and
- Engage with Māori representatives, where appropriate.
For assistance with reviewing and updating your privacy documentation and processes, please contact Anthony Kuran on 09 306 0611 or @email or Andrew Knight on 09 985 2531 or @email