Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

More Accept ×

We respect your Do Not Track preference.

Close ×

opc header logo

Print | Email this page

Biometrics and Privacy

The Privacy Commissioner announced on 23 November 2023 that he will be progressing draft privacy rules for biometric information. Read the announcement or the short explainer document.

 In early 2024 our Office will be publicly consulting on an exposure draft of a biometrics privacy code.

 A code would change how some of the principles in the Privacy Act apply when organisations use technology to analyse biometric information. A code provides regulatory certainty to agencies using or seeking to use biometrics and it would allow for beneficial uses while safeguarding against privacy risk or harm.

This year we ran a targeted engagement which helped us test a wide range of ideas for a biometrics privacy code. We heard from Māori stakeholders, advocates for privacy, human rights, and consumer rights, as well as users and providers of biometric technology. View our discussion document and our summary of the submissions we received.

What people said helped us decide that our exposure draft will contain three key proposals. These proposals target the key privacy risks we see associated with biometric information; unnecessary or high-risk collection and use, scope creep, and a lack of control or knowledge about when and how biometrics are collected and used. 

  1. A proportionality assessment would require agencies to carefully consider whether their reasons for using biometrics outweigh the privacy intrusion or risks.
  2. Transparency and notification requirements would place greater obligations on agencies to be open and transparent with individuals and the public about their collection and use of biometric information.
  3. Purpose limitations would put some restrictions on collecting and using biometric information for certain reasons.

 
If you’d like to be notified when the exposure draft public consultation opens email us at biometrics@privacy.org.nz 

What is biometric information?

Biometric information relates to people’s physical or behavioural features. For example, a person’s face, fingerprints, voice, keystroke patterns, or how they walk. 

Biometric technologies (such as facial recognition or voice analysis) analyse biometric information to recognise who someone is, or to work out other things about them (such as their gender or mood).

Biometric information is personal information and is regulated by the Privacy Act. It is particularly sensitive because it’s unique to an individual and intimately connected to who you are. It requires careful assessment before use and there is growing concern about the level of regulation covering it.

These are some examples of how biometrics can be used:

  • verifying people’s identities online
  • border control
  • policing and law enforcement
  • retail security
  • controlling access to devices or physical spaces
  • monitoring attendance (for example, in workplaces or schools).


Biometric technologies can have major benefits, including convenience, efficiency, and security. However, they can also create significant risks, including risks relating to surveillance and profiling, lack of transparency and control, and accuracy, bias, and discrimination.

The increasing role of biometric technologies in the lives of New Zealanders has led to calls for greater regulation of biometrics. Other countries are also considering how best to regulate these technologies, and some have enacted specific regulatory frameworks for biometrics or include biometrics in their ‘sensitive’ information categories which give biometric information greater protection (in contrast, New Zealand’s Privacy Act doesn’t have special rules for ‘sensitive’ information).

Biometrics papers and past consultation

July/August 2023: targeted engagement  
We released a discussion document outlining proposals for a potential code of practice for biometrics information. We sought views from:

  • private sector users or providers of biometric technology
  • public sector users of biometrics,
  • advocates for privacy
  • advocates for human rights, employment, and consumer rights
  • Māori.

We also held several workshops and meetings with stakeholders in August 2023, including a wānanga with Māori, to talk through the proposals in the discussion document.

A total of 54 submissions were received (49 from organisations or individuals with an identified area of expertise and five from private individuals). Read our summary of submissions we received on the different proposals in our discussion document.

Read the summary document (PDF)

Read the full discussion document (PDF)

Read the summary document (Word)

Read the full discussion document (Word)

December 2022 announcement

The Privacy Commissioner announces he will explore the option of a code to regulate biometrics. Read the announcement.

August 2022 Consultation

From mid August, we revisited our position paper, conducting a period of broad public engagement with a consultation paper, Privacy Regulation of Biometrics in Aotearoa, New Zealand.

We also directly consulted with key stakeholders, including Māori experts and organisations using biometric information, to ensure effective engagement.

The Office of the Privacy Commissioner received 100 submissions from a wide range of individuals, businesses, government departments and advocacy groups during the review of its biometrics position paper. Thanks to these submissions and analysis of evidence from New Zealand and overseas, we are looking to consult on a Code of Practice for Biometrics in the new year. To read our Summary of responses to August consultation click here or read our one page Summary here, and to read our media release click here.

October 2021 Position Paper

In October 2021 we launched a position paper on how the Privacy Act regulates biometrics.

Read the full paper here. 

Read a one page summary of key issues regarding biometric technologies and privacy here.

Back to top