Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

More Accept ×

We respect your Do Not Track preference.

Close ×

opc header logo

Resources and learning

Print | Email this page

Rule 11: Disclosure of biometric information

A man and a woman shake hands in an office setting. Rule 11 is about disclosing (sharing) biometric information. You must not disclose any biometric information to any other person or organisation unless there are valid grounds for that disclosure.

If you are disclosing biometric information overseas, you also need to comply with additional requirements in rule 12.

Note that sending biometric information to a third-party to hold, store or process solely on your behalf, where that third-party will not use or disclose the biometric information for their own purposes, is not considered a “disclosure”. Read our guidance on working with third-parties for more information.

Sharing provisions in other legislation

Disclosing biometric information may also be permitted under other legislation. If another piece of law specifically authorises or requires you to disclose the biometric information, the rule 11 restriction on disclosure will not apply.

Other legislation may also have tighter restrictions on the disclosure of biometric information than rule 11. If another piece of law specifically restricts the disclosure of biometric information, that law takes precedence.

Exceptions: When you can disclose biometric information 

You can disclose biometric information if you believe, on reasonable grounds, that one of the below exceptions applies.

What does believe on reasonable grounds mean?

All the exceptions require you to have a reasonable belief that the exception applies.

A reasonable belief requires more than just suspecting something might be the case – you must have some evidence for why you think an exception applies. You should keep a written record of why you believe the exception applies. This can be done in advance – for example, your Privacy Impact Assessment (PIA) could outline common times you will share information and which exception would apply. But you must still have a reasonable belief that a relevant exception applies, each time you disclose biometric information.

If you aren’t sure whether an exception applies, you must not rely on that exception. If no exception applies, you must not disclose the biometric information. Sometimes, more than one exception may apply to your situation. You should still record the reasons for relying on each exception.

Rule 11 Exceptions

Some of the rule 11 exceptions (for example, avoiding prejudice to the maintenance of the law), are also exceptions in other rules. The same general guidance for those exceptions applies to the exception in each rule.

Exception

When the exception applies

Disclosing the information is one of the purposes that the information was obtained for, or it is directly related to that purpose.

Exception may apply:

  • You need to share the biometric information to achieve your lawful purpose (and you told people you may share their information under rule 3, unless a rule 3 exception applied) e.g. you are collecting information to detect fraud, and if you detect fraud you will pass information on to other agencies who need to know about the fraud to investigate or take action.

Exception would not apply:

  • The disclosure was not one of the purposes for collection, but you think it would be convenient or useful for you to disclose the information to another organisation.

You are disclosing the biometric information to the person whose information it is.

Exception may apply:

  • You disclose someone’s biometric information directly to them e.g. you give a copy of a biometric sample, like a voice recording that was used for verification, directly to the person.

Exception would not apply:

  • You provide the information to a relative of the individual and request they pass it on to the relevant individual. (But see the next exception if the individual has authorised the disclosure to their relative).

The individual authorises you to disclose the biometric information.

Exception may apply:

  • The individual has authorised you to disclose their biometric information, after you’ve given them all the necessary information so they understand why you want to share their biometric information and with which people or organisations it will be shared.

Exception would not apply:

  • You haven’t provided all the information the individual needs – for example, you didn’t explain who you will disclose the biometric information to, or why.
  • You are aware that someone has pressured, coerced or threatened the individual into authorising the disclosure. 

The information was collected from a publicly available publication, and it is not unfair or unreasonable in the circumstances to disclose it.

Exception may apply:

  • You are disclosing biometric information you collected from a public register e.g. a public picture, and there are no specific circumstances that make it unfair to disclose it.

Exception would not apply:

  • You are disclosing biometric information you collected from photos on social media that required you to have additional permission to view the photos (such as being a friend or a follower of the social media account, which would mean the information is not publicly available).
  • The information was collected from a publicly available source, but it would be unfair or unreasonable to disclose it in the circumstances e.g. because it is a child’s biometric information, or the disclosure is likely to negatively impact the relevant individual without any reasonable justification.

It is necessary to avoid prejudice to maintaining the law.

Exception may apply:

  • Disclosure upon request: A public sector agency is investigating an offence and requests you disclose all biometric information collected on a certain day, and the request follows all other relevant laws that apply to requesting or obtaining the information.
  • Proactive disclosure: There is an urgent or exceptional situation, where it is necessary to disclose biometric information to another organisation to avoid a likely risk that a relevant law enforcement agency function would be prejudiced (e.g. to be able investigate serious offending). 

Exception would not apply:

  • The organisation you disclose the information to cannot take relevant action to avoid prejudice to the maintenance of the law e.g. a potential crime has been committed and you disclose information to another organisation that does not have law enforcement responsibilities.

Read further guidance on this exception in the Privacy Act.

Disclosing the information is necessary to prevent or lessen a serious threat to public health, public safety, or the life or health of any individual.

Exception may apply:

  • There is an imminent and serious threat to someone’s safety, and disclosing biometric information you hold (not necessarily about that person) will help the organisation receiving the information respond to and address that threat. For example, disclosing a biometric sample is necessary to urgently locate an individual at serious risk of harm to themselves or others.

Exception would not apply:

  • There is a serious threat to someone’s safety, but disclosing the biometric information will not help prevent or lessen that threat.

Read further guidance on this exception in the Privacy Act.

The disclosure is necessary to enable an intelligence and security agency to perform any of its functions.

Note: “intelligence and security agency” is defined in the Privacy Act. It means the New Zealand Security Intelligence Service (NZSIS) and Government Communications Security Bureau (GCSB).

Exception may apply:

  • You are complying with a lawful request from the NZSIS or GCSB to disclose biometric information.

Exception would not apply:

  • You want to disclose the information to a private security agency (not the NZSIS or GCSB).

The individual will not be identified when the information is used, or the biometric information will be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned.

Exception may apply:

  • You are disclosing people’s biometric information as part of publishing a research study and only information that will not identify anyone will be published.

Exception would not apply:

  • You have removed someone’s name or their face from their biometric information, but they can still be identified in other ways.
  • The audience of a publication may have additional knowledge to help them identify an individual in the research.

Read more guidance on what makes a person identifiable. While you can rely on an exception to rule 11 in these circumstances, if you are disclosing biometric information for statistical or research purposes, it will usually be good practice to still obtain the relevant individual’s authorisation where possible.

The disclosure is necessary to facilitate the sale or other disposition of a business as a going concern.

Exception may apply:

  • You are selling your business as a going concern (i.e. the company will continue to operate / remain in business after it is sold).

Exception would not apply:

  • A potential purchaser is interested in the biometric information you hold but disclosing it is not necessary to facilitate the sale.
  • You are selling shares in your business but not selling it as a going concern.

Read our example scenarios of how an organisation might apply rule 11 in context.

Back to top