Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

More Accept ×

We respect your Do Not Track preference.

Close ×

opc header logo

News

Print | Email this page

Biometrics report-back

New Zealand doesn’t yet have specific privacy rules for biometrics. We’ve outlined our proposal in an exposure draft biometrics code of practice under the Privacy Act 2020. Between 10 April - 8 May 2024 we asked New Zealanders to have their say on how that might work by reviewing our exposure draft and giving us feedback.

We think the information below will be most interesting to people that made submissions. Read more about biometrics and the history of our biometrics work.

This is what we heard

Almost every submission from members of the public told us that people were concerned about the use of biometrics in New Zealand. There was broad support for the proposed rules in the draft code.

People said they were especially concerned about

  • Surveillance.
  • Biometrics being used by government.
  • Private businesses using biometrics for commercial reasons at the expense of individual privacy.

Agency submissions came from diverse sectors

Agencies were generally supportive of the code proposals and for the three major modifications to the IPPs that we’d outlined.

Sometimes agencies agreed with us and sometimes they didn’t and opinions were split

Some submitters thought the current IPPs already catered for using biometric technologies and wanted us just to focus on developing guidance.

There were also clear themes in the feedback

Fair processing limits seemed fair
There was generally strong support for the three fair processing limits, which would restrict some uses of biometric classification. Some agencies helpfully gave constructive comments about exceptions and definitions.

Less complexity would be useful
Allowing for the fact that biometric processing is a technical topic, some submitters still thought the draft code it seemed overly complex. They thought it could be simplified and that we could revise the technical terms. This would make it clearer and more easily understood.

The notice requirements would need to be better signposted
There was support for somewhat stronger notification and transparency obligations, but agencies weren’t quite clear about the notice obligations as drafted. They also said that how we’d explained it seemed repetitive.

Clear, detailed guidance will be important
Another major theme was that agencies want guidance so that they can understand how to apply and comply with the rules. They want to be super clear about:

  • The application and scope of any proposed code – where it does and doesn’t apply.
  • Doing a proportionality test and putting in place the right safeguards.
  • Understanding what would be required for giving notice: what would that look like in practice?
  • How they could take cultural impacts and effects on Māori and other demographic groups into account if they’re using biometrics?

The private sector was worried about compliance burden
The private sector flagged risks around compliance burden and costs.

 

A note about guidance

If the Commissioner decides to proceed with a code of practice, we’ll provide draft guidance with the proposed code when we next go out for consultation. Our intent will be to help people understand the proposed code and get people’s feedback on that and the accompanying guidance material.

We also need to reconsider some of our policy decisions

Your feedback told us where we need to review the policy proposals. We’ll do that alongside our other work. That will include:

  • The broad exclusion for health agencies.
  • The exclusion of heartbeat biometrics (and how wearable devices are treated).
  • How long agencies are given to bring their activities into compliance with any new code.
  • Whether the components in the proportionality assessment will work well in real life.
  • Clearing up how notice requirements will work, what the benefit of them is, and a few other small matters.
  • Checking whether more exceptions may be necessary to make sure that any rules would be targeted at the high risk uses of biometrics, rather than the low risk beneficial uses of biometrics.

Thanks to everyone’s feedback, we will continue working on the proposals informed by the we’ve got clear direction about what may need to be changed or reworked, which is what we’ll do now.

Next steps

  • We will consider the detailed feedback in the submissions
  • We’ll do further work on the proposals based on the constructive comments we received. This will include technical definitions and drafting points..
  • We’ll develop draft guidance to help explain the technical nature of biometrics and the proposed privacy rules.

Read the full report on submissions we received about an exposure draft of a biometrics code.

The Privacy Commissioner expects to announce his decision on whether he will go ahead with issuing a biometrics code of practice for statutory consultation, later this year.

If you want to contact us about this work please email biometrics@privacy.org.nz

Back to top