
Rule 12 is about ensuring that biometric information is adequately protected if it is transferred to a person or organisation based overseas. The general principle is that biometric information must not be disclosed to anyone overseas unless there is protection comparable to that provided under this Code, or another exception applies.

Our existing guidance on sending information overseas is also relevant for rule 12. The key difference between rule 12 and IPP 12 in the Privacy Act is that rule 12 requires that biometric information be protected in a way that is comparable to protections set out in this Code, rather than those in the Privacy Act.

If your organisation already sends other types of personal information overseas under IPP 12, when assessing whether that overseas jurisdiction provides comparable protection for biometric information, particularly focus on the stricter requirements in rules 1, 3, 6 and 10 in the Code.

Consideration of Māori cultural perspectives, including principles of Māori data sovereignty, is also relevant to your assessment. Notably, rule 1 includes a requirement to consider cultural impacts on Māori, which forms part of the protections in this Code.

When Rule 12 applies

Rule 12 applies when you are disclosing biometric information to a foreign person or organisation to hold or use the information for their own purposes. It won’t generally apply if you are sending information overseas to be held by a third-party service provider solely for storage or processing on your behalf. For example, it wouldn’t generally apply if you have a contract with a third-party identity verification provider for new clients (and the third-party doesn’t use or disclose the identity biometric information for their own purposes).

Read more guidance on working with third-party service providers.

We have a decision tree for IPP 12 to help you work out if it applies to your disclosure. You can also use the decision tree to help assess whether rule 12 applies.

Rule 12 does not apply if:

  • The biometric information is being sent overseas to the person whose information it is.
  • The biometric information is publicly available and it is not unfair or unreasonable in the circumstances to disclose the information outside New Zealand. 
  • It is a third-party / agent situation, as described above.

When you can disclose biometric information overseas

The first step is to ensure you have a valid ground under rule 11 to disclose the biometric information.

Provided your intended disclosure is permitted under rule 11, you may disclose the biometric information to someone overseas if one of the following applies:

  • You specifically tell the relevant individual that the overseas person/organisation may not be required to protect their biometric information in a comparable way to the Code. After being informed of this, the individual authorises you to disclose their biometric information overseas. For example, the individual chooses to opt in to having their voice audio sent to and held by the overseas business, on the understanding that it will help train their proprietary voice recognition algorithm.

  • The organisation is carrying on business in New Zealand and you believe on reasonable grounds that the overseas organisation is subject to the Code in relation to the biometric information. That is, if it is reasonable to believe that the Privacy Act and Code apply to the organisation receiving the biometric information, then the offshore disclosure is permitted.

  • You believe on reasonable grounds that the overseas organisation is subject to privacy laws that provide a comparable level of protection for biometric information as the Code.

  • You believe on reasonable grounds that the overseas organisation is required to protect the biometric information in a comparable way to the Code – for example, because of a contract between you and the overseas organisation. Our model contract clauses for IPP 12 can be a starting point for developing a contract, but you will need to adapt them for your use of biometric information and to ensure they are comparable to the Code, for example by covering the rights of individuals to access confirmation of the type of biometric information held about them in rule 6, and the limits on biometric categorisation in rule 10.

There is also an exception in the Code that permits overseas disclosure if you believe on reasonable grounds that the overseas organisation is subject to privacy laws of a prescribed country or is a participant in a prescribed binding scheme. However, as at July 2025 there are no prescribed countries or binding schemes. We will update the guidance if regulations are made to prescribe any countries or binding schemes. The ability to prescribe countries or schemes is with the Governor-General, on recommendation from the Minister of Justice; OPC cannot prescribe countries or binding schemes.

Finally, in some limited situations (for example, if your overseas disclosure is necessary to avoid prejudice to the maintenance of the law or to avoid a serious threat to life or health), rule 12 will not apply if it is not reasonably practical in the circumstances to comply with this rule.

What does comparable protection mean?

Comparable protection doesn’t mean that the foreign organisation has to be subject to exactly the same requirements as the Code. But you need to carefully assess whether any differences are significant.

The foreign organisation may not be subject to requirements that specifically deal with biometrics. If this is the case, you can check their general privacy obligations to make sure they still provide comparable protection to the Code.

When considering whether the foreign organisation is required to protect the biometric information in a comparable way to the Code, you and your advisors should consider the following factors.

What is the scope of the overseas privacy law – does it:

  • Cover the foreign person or organisation (i.e. they do not fall within an exemption or carve-out under that law)?
  • Cover the biometric information that you provide?
  • Take account of the sensitivity of the information that you provide?
  • Specifically cover the people whose biometric information you have disclosed (who may not be citizens or resident in that country)?

Other relevant laws

  • Is the foreign person or organisation subject to any laws that are specific to biometrics, artificial intelligence (AI) or automated decision making (ADM)? How do those laws differ from New Zealand laws? Laws that are more privacy protective than the Code will clearly qualify as “comparable”.
  • For Māori biometric information, are there any laws or other protections that apply specifically to indigenous data?
  • Are there any laws covering general data fairness, accuracy, bias and discrimination requirements?

Protections

Will the foreign person or organisation:

  • Have security safeguards that are reasonable in the circumstances?
  • Dispose of the biometric information securely if they no longer need it?
  • Have limits on how they can use the biometric information? (see rule 10). This is particularly important if the foreign person or organisation may use the biometric information for biometric categorisation because of the limits in rule 10. These limits would impact whether there is comparable protection.
  • Have limits on how they can disclose the biometric information? (see rule 11 and rule 12 of the Code).
  • Be required to notify people, and the relevant data protection body, about any privacy breach that may cause serious harm?

Right to access and seek correction of biometric information

Will people:

  • Have meaningful access to their own information? (including if they are not a citizen or resident of the country the overseas person or organisation is in.)
  • Be able to request a correction of their biometric information if they consider that it is incorrect?

Accessible and meaningful complaint processes

  • If something goes wrong, can the affected person make a complaint to a data protection authority?
  • Will it be simple and free for a person to access legal remedies?

Independent oversight and enforcement

  • Is there an independent data protection authority or Privacy Commissioner in the country that holds oversight, compliance, and enforcement functions broadly comparable to the New Zealand Privacy Commissioner?

You should seek legal advice as necessary to help you decide whether the overseas organisation is required to protect biometric information in an overall comparable way. Note that you may need to use model contract clauses to ensure that protections will follow the information once it is disclosed.

Read our example scenarios of how an organisation might apply rule 12 in context.