News

The Privacy Commissioner has announced his intention to issue a Biometric Processing Privacy Code of Practice and is calling for submissions on the draft Code.

Links to review documents

Read the Biometric Processing Privacy Code (opens to PDF, 200Kb) - we are seeking feedback on this.
Read our consultation document (opens to PDF, 563Kb) - we are seeking feedback on this.
Our draft Biometric Processing Privacy Code guidance (opens to PDF, 1.1MB) - we are seeking feedback on this.
Remind yourself of the history of our biometrics project.

NOTE: While our newly established OPC Māori Reference Panel have been provided with the Code consultation pack, they have not had input in to its development to date as a Panel. As part of this consultation, we will be seeking their views.

The Code has been assessed for consistency with the New Zealand Bill of Rights and other human rights obligations. Read the assessment by external legal counsel Ben Keith, barrister (opens to PDF, 182Kb).

Have your say on the major additional rules in the Code:

Should organisations assess whether using biometrics is proportionate, and be required to put in place privacy safeguards if they do use biometrics?
Should people know about the use of biometrics beforehand, and should organisations have to provide additional information about the processing?
Should there be limits on some uses of biometric information, like biometric emotion analysis and types of biometric categorisation?

RELEASE OF SUBMISSIONS: OPC will proactively release all submissions made on this statutory consultation and publish them on our website. We will not release your contact details or your name if you are a person submitting in a private capacity. If you don’t want your submission, or part of your submission, to be released publicly, please let us know and explain why you don’t want it published.

How we've responded to previous feedback

In response to other feedback we have now made the code clearer and simpler and written it to avoid unintended consequences. This includes:

Commencement period increased from 6 to 9 months (for existing biometric uses).
Reduced the number of definitions and made them less technical.
Clarified key definitions to make the code’s scope clearer – what activities are covered and what’s not.
Simplified the proposed notification rules.
Simplified and clarified the test for assessing whether biometrics is necessary and proportionate.
New provision for carrying out a trial of whether biometrics will be effective (up to 6 months).

The feedback we’ve gained, and our own analysis means we think the code will be workable and help ensure biometric technologies are used safely and fairly. But it’s important we get this right, so we want people to have a say on the proposed rules through a public consultation running through to 14 March.

Read the draft guidance

Draft guidance material has also been developed to help explain the rules, how the code would work and how to comply with it. We don't have guidance on every rule yet, just the rules that have significant changes compared to the Privacy Act (rules 1,2,3,6, and 10).

Our draft Biometric Processing Privacy Code guidance (opens to PDF, 1.1MB) - we are seeking feedback on this.

We acknowledge that our guidance is very long at more than 100 pages and have listed below the pages you'll find each rule on. You don't need to give feedback on every rule.

Rule number, pages, estimated reading time	Examples used
Introduction and what the Code covers (opens to PDF, 326Kb)	N/A
Rule 1 – Purpose of collection (opens to PDF, 479Kb) Pages 21-63 of the full guidance Estimated reading time 40 minutes	Examples include: Facial recognition to access an apartment building, Facial recognition at school for payment in cafeteria, Fingerprint scan to access secure information, Voice sample and behavioural biometrics.
Rule 2 – Source of biometric information (opens to PDF, 271Kb) Pages 63-74 of the full guidance Estimated reading time 9 minutes	Examples include: Facial recognition to allow entry to gym, Facial recognition to access an apartment building, Facial recognition in a gaming venue, Fingerprint access for Multi Factor Authentication, Voice sample and behavioural biometrics.
Rule 3 – What to tell people (opens to PDF, 338Kb) Pages 74-87 of the full guidance Estimated reading time 10 minutes	Examples include: Facial recognition to access apartment building, Fingerprint collection by employer for Multi Factor Authentication, Facial recognition at a gaming venue.
Rule 6 – Access to biometric information (opens to PDF, 233Kb) Pges 87-92 of the full guidance Estimated reading time 5 minutes	Examples include: Facial recognition to allow entry to gym, Fingerprint access for Multi Factor Authentication.
Rule 10 – Limits on use of biometric information (opens to PDF, 218Kb) Pages 92-99 of the full guidance Estimated reading time 10 minutes	Examples include: Employer use of biometrics to detect health information, monitor attentiveness and infer emotions, Research use of biometrics, Use of biometric categorisation at a gaming venue.
Appendix: Applying the code to example use cases (opens to PDF, 294Kb) Page 100-124 of the full guidance Estimated reading time 18 minutes	Examples include: Using facial recognition to verify customer identities, Using fingerprints in Multi Factor Authentication to protect sensitive information, Using facial recognition to control access to a dangerous worksite for health and safety purposes.

We encourage your feedback

We will keep the consultation period open until 14 March 2025 to ensure everyone has enough time to read and respond to our work. We encourage you to provide feedback on both the code and our guidance and ask any questions you have, email us at biometrics@privacy.org.nz

See the history of our work in biometrics.