Rule 3 is about being open with people about why you are collecting their biometric information and what you will do with it. 

What you need to tell people

There are several things you need to tell people if you are collecting biometric information. You need to take the steps that are reasonable in your circumstances to make people aware of the matters below. That means that you can take account of the type of interaction and relationship that you have with affected individuals.

| What you need to tell people | Guidance or example |
| --- | --- |
| The fact that biometric information is being collected. | Tell people you are collecting biometric information and specify exactly what kind of information you are collecting. Consider expressing it in non-technical terms if this will help people understand e.g. say “a scan of your fingerprint” not “a biometric sample” |
| Each specific purpose for which the biometric information is being collected. | Tell people why you are collecting their information. Your purpose should be specific enough so the individual can understand what their information is being used for e.g. “to detect when individuals on a watchlist enter our premises and monitor their actions”, not “for business use” or “for general security”. |
| If there is an alternative option that is available. | Be clear on how people can access the alternative process. Ensure the information about the alternative is clearly visible and accessible. You only need to tell people about any alternative option that you actually have available to use – not any possible alternative you may have considered as part of your rule 1 assessment. For example, if people can use a swipe card instead of FRT to access a site, tell people this and tell them how to access the alternative option. Read more about alternative options. |
| The intended recipients of the biometric information. | Let people know who will have access to their biometric information. For example, if you are collecting information on behalf of someone else or you have an obligation or reason to share the information with someone outside your organisation who will use the biometric information for their own purposes. |
| The name and address of who will collect and hold the biometric information. | Give people the contact details that you would like them to use if they have any questions about biometric information. |
| If there is a specific law that requires or allows you to collect, use or disclose the biometric information, what that law is and whether the individual has a choice to provide the information. | If there are multiple laws that could apply, you can just list the most relevant law. Laws that apply can include New Zealand law (including an authorised information sharing agreement), or the laws of another country. |
| What happens if the person doesn’t provide their biometric information. | E.g. will they immediately lose access to services? Will it be all services or just some? Will they have to provide other information? |
| That the person has a right to request to access and correct their biometric information, and that people have the right to complain to the Privacy Commissioner about any action that the Code applies to. | See our rule 6 and rule 7 guidance for more information about access and correction requests. Read more about submitting a complaint. |
| A summary of your retention policy for biometric information. | Provide information about how long you will keep the person’s biometric information for. This could be a time period (e.g. 5 years to meet a specific legal obligation) or what circumstances trigger deletion (e.g. if a customer requests to delete their account). |
| How the person can raise a concern or complain about how their biometric information is handled. | If you expect people to follow a particular process to raise a concern or complain to you (e.g. using a specific form), you should make that process easily available to them. |
| If your proportionality assessment under Rule 1 is either publicly available or available on request, where and how the person can view it. | It is not mandatory to make your proportionality assessment publicly available or available on request, but it is good practice to do so, especially if you are a government agency or a provider of an essential service. |
| If you are running a trial, that you are running a trial and how long it will go for. | See our trial guidance for more information about running a trial. |

When you need to tell people

Some matters in rule 3 must be conveyed to individuals before or at the time you collect biometric information. We call this the “minimum notification rule”. The minimum notification rule matters are:

  • The fact that the biometric information is being collected.
  • Each purpose for which the biometric information is being collected.
  • Whether there is any alternative option to biometric processing that is available. 

For the minimum notification rule, you must communicate in a “clear and conspicuous” way. You must also include a location, address or other method for people to obtain further information about the biometric processing.  

Clear and conspicuous

Clear and conspicuous means information should be obvious, accessible and easy to understand.

For example, you could:

  • Ensure any signs or website content are large enough to draw people’s attention, easy to read, distinguishable from other signs e.g. promotional signs, and placed apart from other signs so that the biometric information isn’t lost among all the other information.
  • Ensure verbal or audio notices (e.g. given by staff or prerecorded) are clear, easy to understand and that they let people know where they can access further information. 
  • Create a specific web page if there is a lot of information that needs to be provided, or place information under clear headings if it is part of a larger document. 
  • Require people to scroll through information before they can tick a box to confirm they have read it.

Example: Clear and conspicuous

Biometric information is set apart from other information (such as promotions) and is large enough to easily notice and read.

A graphic shows a person standing in front of a wall with posters on it. The poster labelled Biometric information is large and positioned at eye-height, and the other two posters on the wall are not covering it. A large green tick to the right shows that this is a good display of Biometric information.

Example: Not clear and conspicuous

Biometric information is partially covered by or not sufficiently set apart from other information and is not large enough to easily notice and read.

A graphic shows a person standing in front of a wall with posters on it. The poster labelled Biometric information is smaller, lower, and partially covered by the other two posters on the wall. A large red x to the right shows that this is not a good display of Biometric information.

A graphic shows a person standing in front of a wall with posters on it. The poster labelled Biometric information is surrounded by a lot of other posters and is smaller than most of them. A large red x to the right shows that this is not a good display of Biometric information.

For all other matters in rule 3, you must inform individuals of those matters before collecting their biometric information, or if that is not practicable, as soon as practicable after collecting their biometric information. 

While it is not required that the other matters be communicated in a clear and conspicuous manner, you still need to take reasonable steps to ensure the individual is aware of the matters. This requires you to consider how the information is presented and communicated.

You may not need to tell people repeatedly

You do not have to inform an individual of the matters in rule 3 if:

  • you have already informed them of the rule 3 matters on a recent previous occasion, and
  • the information you are collecting is the same or the same kind of information (for example, you are collecting facial images for FRT on each occasion), and
  • you are collecting it for the same purpose as the recent previous occasion. 

What is considered a “recent previous occasion” will depend on the overall circumstances. How likely is it that the person may have forgotten about the collection of their biometric information and what their rights are? You should consider:

Are you enrolling a person in a biometric system or collecting their information subsequently? 

Enrolling a person in a biometric system will warrant full notification, but it may not be necessary on subsequent times the person uses that system e.g. an employer who has set up an MFA system that uses fingerprinting does not need to notify the employee each time the employee scans their fingerprint post enrolment.

How often do you collect biometric information from the person? 

For example, if you are collecting the same biometric information from the same person for the same purpose every week, we don’t expect you to tell them about the rule 3 matters each time.

How are you telling people about the rule 3 matters?

If you are telling people through a one-on-one conversation with a staff member, this probably wouldn’t require as many reminders compared to using signage which should be continually present.

How is the biometric information collected? 

Is it obvious each time biometric information is collected – e.g. the person scans their fingerprint or stands in front of a specific camera? In that case, it may be appropriate for there to be a longer period between when you inform the individual of the rule 3 matters. If it is less obvious to the individual each time their information is collected – e.g. the person simply has to enter a general area for their biometric information to be collected – then it will generally be appropriate to inform people more frequently.

In any case, if you change the information or kind of information you collect, or you change the purpose for which you are collecting the information, you will need to inform the individual of those changes.

The requirements in rule 3 are specific to each person whose information you collect. If you are not sure whether you have informed someone on a recent previous occasion (for example, because you do not collect a record of when you inform each person or because you do not know what is “recent” in your context), then you need to consider whether you should inform the person of all the rule 3 matters each time you collect their information. 

Example: A business uses voice biometrics in its call centre to verify customer ID. The business informs all callers about the minimum notification rule matters at the start of the call, and then once the customer’s ID is verified, the call centre can assess whether the customer needs to be told about the other rule 3 matters, or whether they were informed on a recent previous occasion.

How to tell people

You must take reasonable steps to ensure individuals are aware of the matters outlined in rule 3. In general, we encourage you to:

  • Use plain language. If you refer to technical concepts, you should explain them in a way someone without technical knowledge will be able to understand.
  • Consider the accessibility of your content for people with disabilities.
  • Consider the primary language of the people whose information you are collecting. 
  • Consider translating materials into other languages if necessary, especially if your use of biometrics is high risk and you know that many people will need translated materials to understand the information. See our guidance on rule 1 for more information on assessing risk. 
  • Consider how the information is presented visually – design, timing and placement of information can make a big difference to whether people will see it and understand it.
  • If you are providing information to people verbally, it’s a good idea to have the information in writing as well, so that you can supply a copy if people need it.

What exceptions apply?

There are some situations in which you will not have to inform individuals of the rule 3 matters. These situations are outlined below. In each case, you need to have reasonable grounds for why you believe the exception applies.

| Exception to rule 3 | Note on when the exception applies |
| --- | --- |
| Not complying with rule 3 is necessary to avoid prejudice to maintaining the law (including in relation to court proceedings), enforce specific laws, or protect public revenue. | This exception might apply where a public sector agency is collecting biometric information from an individual as part of an investigation of a possible offence, and informing the individual could prejudice the success of the investigation. |
| If informing the person would prejudice the purposes of the collection. | There must be a clear link between informing the individual of the rule 3 matters and how it will prejudice the purposes of collection. E.g. if you monitor a user’s behavioural biometrics as an anti-fraud measure and it appears that a possible unauthorised user is accessing the account, you wouldn’t have to notify the unauthorised user. As with all exceptions, if you are collecting information from multiple individuals, you need to ensure that the exception applies to each individual. |
| If the biometric information will be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned. | It is not enough to simply remove someone’s name or someone’s face from their biometric information. If you are publishing the information, you need to consider if the audience has any knowledge that could help them identify an individual. Read more guidance on what makes a person identifiable. While it is not necessary to comply with rule 3 in these circumstances, if you are using biometric information for statistical or research purposes, it will usually be good practice to still provide individuals with information on the rule 3 matters. |

Read our example scenarios of how an organisation might apply rule 3 in context.