The Biometric Processing Privacy Code outlines the privacy rules that regulate how businesses, organisations and government collect and use people’s biometric information using biometric technologies to verify, identify or categorise them.

The Code, which is now law made under the Privacy Act, will help make sure agencies implementing biometric technologies are doing it safely and in a way that is proportionate. 

When will the Code apply?

The Code comes into force on 3 November 2025, but businesses and organisations already using biometrics have until 3 August 2026 (12 months from the Code’s publication) to align themselves with the new rules.

What is biometric information?

Biometric information is sensitive personal information relating to someone’s physiological and behavioural characteristics (e.g. face, gait, voice). The Code would cover the collection and processing of this information to recognise or people using technologies like facial recognition technology. 

Key rules in the Code

When it comes to biometric information, the 13 rules of the Code substitute for the 13 principles of the Privacy Act. The new obligations are: 

  • Effectiveness and Proportionality: assess the effectiveness and proportionality of using biometrics – is it fit for the circumstances?
  • Safeguards: adopt safeguards to reduce privacy risk
  • Transparency: tell people when and why a biometric system is in use, before or when their biometric information is collected, along with other important information
  • Safe limits: highly intrusive uses of biometrics, like emotion prediction, attention tracking or inferring sensitive information (e.g. ethnicity or sex), are only permitted in certain situations, such as if necessary for aiding people with disabilities, keeping people safe, or research purposes.

How are the rules in the Code enforced?

Once in force, OPC will monitor compliance with the Code. We can investigate complaints from people about breaches of the rules of the Code if they have experienced privacy harm from the use of their biometric information. We can also take proactive compliance action if required.

We take compliance action in line with our compliance framework, which is published on our website – we decide to act based on several factors including the public interest, the seriousness of the breach, the risk of harm to people and the conduct of the agency.

Where can I find more about how the Code will work?

Guidance has been issued to support the Code. The guidance is very detailed and explains how we see the Code working in practice. It also sets out examples so agencies using or planning to use biometrics can better understand their obligations.

Our guidance is a starting point; agencies still need to do their own thinking and seek advice to understand their own situation and how they are using or plan to use biometrics. 
