Privacy Act 2020

About the code

The Biometric Processing Privacy Code 2025 (BPPC) was issued on 21 July 2025.

The BPPC came into force on 3 November 2025, but agencies already using biometrics have a nine-month grace period to move to the new set of rules. That transition period ends on 3 August 2026.

The BPPC, made under the Privacy Act, sets out the privacy rules for organisations and businesses who collect and use people’s biometric information in biometric processing.

Biometric processing is the use of technologies, like facial recognition technology, to collect and process people’s biometric information to identify them or learn more about them.

Biometric information relates to people’s physical or behavioural features. For example, a person’s face, fingerprints, voice, keystroke patterns, or how they walk.

In March 2026 we issued Amendment No 1 to the BPPC to reflect new Information Privacy Principle 3A (IPP3A).

Read the full Code

Biometric Processing Privacy Code 2025 (in force from 1 May 2026; opens to PDF, 396 KB)

Guidance about biometrics

We have full and detailed guidance for agencies wanting to use biometric technologies. Read the guidance and use case examples in our Resources and Learning section.

Read our summary factsheets

Biometric Processing Privacy Code 2025 Amendment No.1

The Privacy Amendment Act 2025 introduced IPP3A, which is in force from 1 May 2026. In March 2026, following consultation on how to reflect IPP3A in codes of practice, the Privacy Commissioner made changes to several of our codes. You can find more about those changes, including any amendments or submissions specific to this code, below:

Prior versions

Biometric Processing Privacy Code 2025 (August 2025, PDF, KB)