
There are 13 rules in the Code. Each rule modifies or otherwise applies the corresponding Information Privacy Principle (IPP) from the Privacy Act. This is an overview of each of the rules. More detailed guidance, along with examples, is available for each rule.

Read the full Biometric Processing Privacy Code.

Rule 1: Purpose of collection

Rule 1 says you must not collect biometric information unless:

  • It is for a lawful purpose connected with your functions or activities,
  • It is necessary for that purpose,
  • You have adopted and implemented privacy safeguards, and
  • The risks and impacts on people, including Māori, from the biometric processing are proportionate to the benefit to you, the individuals or the public from the processing.

How do I demonstrate that a biometric system is necessary?

Whether biometric processing is necessary for your lawful purpose depends on two things: whether the processing is effective in achieving that purpose, and whether you could reasonably achieve the same purpose as effectively by an alternative form of processing that carries less privacy risk. The alternative could be non-biometric processing, or it could be a different kind of biometric processing.

In some cases, you may be able to run a trial to assess whether the biometric processing is effective and whether there is a reasonable alternative.

What are privacy safeguards?

Privacy safeguards are any action or process you take to reduce the privacy risk. Some examples of safeguards are ensuring the biometric system has been sufficiently tested and your staff are appropriately trained, but you need to consider what is relevant and reasonably practicable in your circumstances.

How do I assess whether my biometric system is proportionate?

When considering whether the biometric processing is proportionate, you need to consider the degree of privacy risk, the cultural impacts and effects of the biometric processing on Māori, and whether the overall benefit is sufficient to outweigh the privacy risk and any negative cultural impacts on Māori.

Read the full guidance for Rule 1.

Rule 2: Source of biometric sample

You must collect biometric samples directly from the person whose biometric information it is.

There are some exceptions in rule 2 that allow you to collect biometric samples from other people, for example if the person authorises you to do so, if it is necessary to maintain the law, or if collecting it directly from the person would be prejudicial to that person or to the purpose of collection.

Read the full guidance for Rule 2.

Rule 3: Collection of information from individual (notification)

Rule 3 is about what you must tell people when you collect their biometric information. There are some things you need to tell people before or at the time you collect their biometric information, for example why you are collecting their information and if there’s a non-biometric option (the minimum notification rule). This information needs to be communicated to people in a clear and obvious manner.

There are also other things you need to tell people before you collect their biometric information, or if that is not possible, as soon as possible after you collect their biometric information. For example, the name and address of the organisation that is collecting the information.

You do not need to tell people the information in rule 3 again if you have already told them the same information on a recent previous occasion. There are also exceptions that in some cases allow you not to notify people. For example, if it would prejudice the purpose of collection.

Read the full guidance for Rule 3.

Rule 4: Manner of collection of biometric information

You must only collect biometric information in a way that is lawful, fair and does not unreasonably intrude into the personal affairs of the person whose information you collect.

What is fair will depend on the overall circumstances and the steps you take to obtain the information, including whether you are collecting information from children or young persons, what people’s reasonable expectations would be in the context, and whether you are upfront with people or mislead them.

Read the full guidance for Rule 4.

Rule 5: Storage and security of biometric information

If you hold biometric information, you need to protect it using security safeguards that guard against loss and against unauthorised access, use, modification or disclosure of that information. The security safeguards you use need to be reasonable in the circumstances, which means what counts as reasonable may change depending on what information you hold and why.

This rule also means you need to make sure that only the appropriate people within your organisation are able to access the biometric information. This guards against employee browsing and misuse.

If you need to give someone access to the information so that they can provide a service for you, you must do everything reasonably within your power to prevent unauthorised use or unauthorised disclosure of the information.

Read the full guidance for Rule 5.

Rule 6: Access to biometric information

Individuals are entitled to receive from an organisation, on request:

  • confirmation of whether the organisation holds any biometric information about them; and
  • confirmation of the type of biometric information the organisation holds about them; and
  • access to their biometric information.

Organisations are required to give reasonable assistance to people who wish to make, or are making, a request for access to their biometric information. Part 4 of the Privacy Act outlines how organisations should respond to access requests and the situations in which an organisation may withhold information.

Read the full guidance for Rule 6.

Rule 7: Correction of biometric information

Individuals have the right to request that an organisation correct any biometric information it holds about that individual. This includes the right to request deletion.

Organisations do not have to correct information in the way that an individual requests. However, individuals have the right to give the organisation a “statement of correction” that sets out how they want their information to be corrected. The organisation must then take steps to ensure the statement of correction is attached to the biometric information so that it is always read with that information, and it must also inform anyone it has disclosed the information to about the statement of correction.

Read the full guidance for Rule 7.

Rule 8: Accuracy of biometric information

You must take reasonable steps to ensure that biometric information you use or disclose is accurate, up to date, complete, relevant and not misleading.

Read the full guidance for Rule 8.

Rule 9: Retention of biometric information

You must not keep biometric information for longer than is required for the purposes for which it may lawfully be used. You must delete or dispose of biometric information that you no longer need.

Read the full guidance for Rule 9.

Rule 10: Limits on use of information

Rule 10 is about what you can use biometric information for. You can only use biometric information for the purpose it was collected for, unless an exception applies. For example, an exception may apply if the new purpose is directly related to the original purpose, or if the new use is necessary to prevent a serious threat to health or safety.

Rule 10 also limits an organisation’s use, for biometric processing, of information it already holds where that information was not collected in accordance with rule 1.

Rule 10 also contains limits on biometric categorisation. These limits restrict using biometric information to categorise someone or to infer sensitive traits unless an exception applies. For example, you must not use biometric processing to collect, obtain, create, infer or detect (or attempt to do so):

  • health information,
  • personal information about a person’s personality, mood, emotion, intention, or mental state (except for information about a person's fatigue, alertness or attention level), or
  • information to categorise a person according to a demographic category that is a prohibited ground of discrimination under section 21(1) of the Human Rights Act 1993.

There are exceptions to the limits on biometric categorisation. For example, an exception may apply if the processing is necessary to assist the person with accessibility or to lessen a serious threat to public health.

Read the full guidance for Rule 10.

Rule 11: Disclosure of biometric information

You must not disclose biometric information that you hold to another person or to any other organisation unless you have reasonable grounds to believe that one of the exceptions in rule 11 applies. Some exceptions are:

  • The disclosure of the biometric information is one of the purposes for which it was collected.
  • The disclosure is authorised by the person whose biometric information it is.
  • The disclosure is to avoid prejudice to the maintenance of the law or to lessen a serious threat to life or health.

Read the full guidance for Rule 11.

Rule 12: Disclosure of biometric information outside New Zealand

You must not disclose biometric information to anyone outside New Zealand unless you have a valid ground to disclose under rule 11 and you have reasonable grounds to believe that one of the exceptions in rule 12 applies. Some exceptions are:

  • The disclosure is authorised by the person whose biometric information it is, after being expressly informed that it may not be protected overseas in the same way as it is in New Zealand.
  • The overseas person or organisation is subject to privacy laws that overall provide a comparable level of protection as the Code.
  • The overseas person or organisation is otherwise required to protect the information (for example, through a contract) in a way that, overall, provides a comparable level of protection as the Code.

Read the full guidance for Rule 12.

Rule 13: Unique identifiers

You may only assign a unique identifier that is a biometric template to an individual for use in your operations if that identifier is necessary to enable you to carry out your functions efficiently.

You also must not assign to an individual a unique identifier that you know is the same as the unique identifier another agency has assigned to that individual.

“Assigning” a unique identifier means that the identifier is used as the means of uniquely identifying an individual in the organisation’s systems to be able to bring up information the organisation holds about that person.

There are some other technical restrictions on the use of unique identifiers.

Read the full guidance for Rule 13.