New Zealand now has a dedicated privacy code regulating the automated processing of biometric information – the sensitive personal information that relates to a person’s physiological and behavioural characteristics. As we’ve written about before, the Office of the Privacy Commissioner (OPC) considers this sort of information particularly sensitive as it relates directly to a person’s image and characteristics, which are tied to a person’s identity and difficult (sometimes impossible) to change.
The Biometric Processing Privacy Code 2025 (the Code) was issued by the OPC on 6 August 2025 and brings New Zealand more in line with comparable jurisdictions like the EU and Australia.
We were closely engaged with the development of the Code from the start, making detailed submissions on both the exposure draft and the consultation draft, along with the consultation draft of the accompanying guidance. We are pleased to see that many of our recommendations have been adopted by the OPC, including allowing for trials and extending the transition period for organisations already using biometric processing to 12 months.
Here are some significant features of the Code that organisations should be aware of.
Trials
The Code now includes a trial mechanism, which allows for trialling new biometric technologies where there is no evidence that they will be effective in achieving the organisation’s purpose. In this final version of the Code, the trial parameters have been extended so that organisations can trial to assess both the effectiveness of the biometric system and whether there are reasonably achievable alternatives that are as effective but with less privacy risk, which is a positive development.
Under the Code agencies still need to show proportionality before being allowed to run a trial and, as the OPC’s own guidance points out, effectiveness and proportionality are inextricably linked. For example, the guidance says:
The better the biometric system works, the greater your benefit
The benefit is related to how effective your biometric processing is in achieving the intended purpose – the more effective a biometric system is at doing what it was set up to do, the greater the benefits produced. The reverse is also true, less effective or unfit systems will provide fewer benefits, and it will be harder to determine that they are proportionate.
As effectiveness is one of the criteria that feeds into the assessment of proportionality, we were concerned (and submitted) that agencies would not be able to properly assess proportionality (to meet the other requirements of rule 1(1) of the Code) without first knowing the degree of effectiveness.
The guidance on the Code now includes a new section discussing how agencies can meet the proportionality requirement if they are running a trial to assess how well a biometric system works. The OPC acknowledges that agencies “may not know in advance exactly how beneficial using biometrics in your context is, until after the trial is complete”. The new guidance is then that:
• The Code requires that organisations have “reasonable grounds” to believe that the biometric processing is proportionate.
• That threshold (belief on reasonable grounds) is “flexible depending on the circumstances”.
• Therefore, if an organisation is thinking about conducting a trial of a biometric system, it needs to believe – with good reason – that the trial is a proportionate course of action.
• The OPC expects there to be a reasonable and objective basis for the organisation’s belief that – at the end of the trial – there will be a benefit that outweighs the risk, assuming that the trial demonstrates that the system is sufficiently effective.
While it is a positive development that the OPC has now provided this guidance – and it seems to indicate that the OPC intends to take a pragmatic approach to the issue in practice – the Code itself has not been changed, so there is still some uncertainty around how organisations can meet the requirement that their biometric processing use case is “proportionate” without knowing whether it is effective in achieving its purpose. We would always recommend that organisations take legal advice to assess whether they can (or need to) trial their specific biometric processing use case, and how they should conduct that trial.
Reasonable and effective alternative with less privacy risk
The Code now clarifies that when an organisation is assessing whether its biometric processing is necessary, it can look at whether it can reasonably achieve its purpose “as effectively” through an alternative means with less privacy risk. The guidance previously clouded the issue by suggesting the alternative didn’t need to be as effective to be viable, which could have been a significant barrier to implementing any biometric solution in practice, so this change is welcome.
Proportionality
Organisations should note that the proportionality assessment under rule 1 of the Code is layered and complex – the OPC’s guidance on that one element covers some 12 pages. This assessment needs to be made right at the point of determining the lawful purpose for collection of the biometric information, which is a fundamental change to the current operation of the Information Privacy Principles under the Privacy Act 2020.
The proportionality analysis is key (and the OPC’s guidance is heavily skewed away from organisations justifying biometric processing under the Code by reference to commercial benefits) so organisations should take legal advice on this point early.
Cultural impact on Māori
A significant feature of the Code is the requirement to consider the cultural impact and effects of the biometric processing on Māori as part of the proportionality assessment, which is not required under the equivalent Information Privacy Principle in the Privacy Act. Cultural impacts could arise from different cultural perspectives on the biometric processing (e.g., by reference to tikanga Māori), or because of the different impact the biometric processing has on Māori (e.g., because of bias in the biometric system that discriminates against Māori).
Organisations will need to make a reasonable effort to assess what the cultural impacts and effects on Māori could be from the biometric processing and then consider whether and how to address them. What this requires in practice will change depending on the specific use case and context. While consultation with Māori is not specifically required under the Code, the OPC says that organisations should consider whether to engage with those Māori whose information will be collected to gather their views. Tikanga Māori and the principles of Māori data sovereignty should also be considered, along with any risk of discrimination and bias against Māori that arises from use of the specific biometric system.
The OPC’s guidance highlights that “free, prior and informed” consent to biometric processing is an “important principle underlining Māori data sovereignty” and needs to be considered as a cultural impact – if there is no genuine alternative to the biometric processing available to individuals, then consent is not free, prior and informed and this could be an adverse cultural impact on Māori. So, while consent is still not a mandatory requirement under the Code, where there is no genuine alternative to the biometric processing available, agencies will need to consider their proportionality assessment both from the perspective of general privacy safeguards and from the perspective of addressing cultural impacts and effects on Māori.
A failure to address any identified cultural impacts and effects may make the biometric processing less proportionate, so agencies will need to invest in this area and should expect to undertake consultation with Māori. Organisations that don’t have the internal expertise to make these assessments will need to consider whether it is appropriate to engage external advisers to provide cultural advice.
Retrospective application of the Code
Rule 10 of the Code governs the situation where an organisation wants to start biometric processing on personal information it has previously collected (e.g., using facial recognition technology on an archive of CCTV footage) or wants to use biometric information for a different type of processing than it was collected for (e.g., changing from using a biometric verification system to using a biometric identification system).
Rule 10 requires those organisations to first assess necessity, proportionality and what safeguards would be appropriate before adopting new biometric processing or a different type of biometric processing. This ensures consistency with the controls in rule 1 of the Code. However, what is less clear is how the remainder of the Code is to be applied in practice – presumably once rule 10 is invoked, the personal information already collected then becomes “biometric information” under the Code (although this is not expressly stated). For example, rule 3 of the Code includes a minimum notification obligation that must be satisfied “before or at the time” the biometric information is collected, which cannot be satisfied by agencies relying on rule 10. There is also no guidance on what would constitute reasonable notification in a rule 10 context.
Because the retrospective application of the Code is somewhat unclear, it’s important that organisations take legal advice on their specific use case to ensure compliance.
If you have any questions about the Code and how it impacts your organisation, don’t hesitate to contact us.