Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

More Accept ×

We respect your Do Not Track preference.

Close ×

opc header logo

Privacy Act 2020

Print | Email this page

Factsheet 4: Disclosure of biometric information

Download a copy of this factsheet (opens to PDF, 253KB).

Disclosure of biometric information – Rule 11 and Rule 12

This fact sheet covers:

  • Rule 11: disclosure of biometric information
  • Rule 12: disclosure of biometric information overseas

This factsheet provides a summary of our guidance on rules 11 and 12. See the full guidance for more information. (insert link to full guidance)

Rule 11: disclosure of biometric information

Rule 11 is about disclosing (sharing) biometric information. Organisations must not disclose someone’s biometric information to any other person or organisation unless they have valid grounds for the disclosure. 

When you can disclose biometric information

An organisation can disclose biometric information if they believe on reasonable grounds that one of the exceptions in rule 11 applies. For example:

  • One of the reasons you collected the information was to share it (and you told people that you were going to share it – see rule 3).
  • The person whose information it is authorised you to share it.
  • Disclosure is necessary to avoid endangering someone’s health or safety.

“Believing on reasonable grounds” means the organisation must have a good reason or justification for why they think an exception applies.

If another piece of law expressly authorises or requires the organisation to disclose the information, the organisation can rely on that other law to disclose the information.

Rule 12: transferring biometric information overseas

Rule 12 is about ensuring that biometric information is adequately protected if it is transferred to a person or organisation based overseas. 

When can an organisation transfer information overseas?

An organisation may only transfer biometric information outside New Zealand if they check that the receiving organisation meets one of the below criteria:

  • The receiving organisation is subject to the Biometrics Code because they do business in New Zealand.
  • The receiving organisation will adequately protect the information, e.g. because the disclosing organisation is using model contract clauses that set out comparable protections to the Code.
  • The receiving organisation is subject to privacy laws that provide comparable protections to the Code.

If none of the above apply, an organisation may only make a cross-border disclosure with the authorisation of the person whose information the organisation wants to disclose.

We have a decision tree for IPP12 to help organisations figure out if the obligations apply and how to comply. This will also be helpful for complying with rule 12.

What does comparable protection mean?

Comparable protection doesn’t mean that the foreign organisation has to be subject to exactly the same requirements as the Code. Organisations need to consider the overall level of protection for biometric information and assess whether these protections adequately protect the biometric information in a way that is comparable to how the biometric information would be protected in New Zealand.

Rule 12 won’t apply in some situations

Rule 12 generally won’t apply if the organisation is sending biometric information overseas to be stored or processed by a third-party service provider e.g. a third-party identity verification service based in Australia. See our third-party provider guidance for more information.

Where to go for more information

Back to top