
The Code applies to biometric information as a class of information and to the activity of biometric processing by a biometric system.


Who does the Code apply to?

The Code applies to all organisations (businesses, government agencies, NGOs and so on) that collect biometric information for biometric processing, with limited exceptions. “Agency” is the term used in the Privacy Act, but we’ve used the term “organisation” in this guidance. Agency is defined in section 4 of the Privacy Act.

See “What does the Code not apply to” for more information.

Biometric information

Biometric information is information about a biometric characteristic that is used for the purpose of biometric processing by a biometric system. Biometric characteristic includes: 

  • A person’s physical features e.g. their face, fingerprints, or iris.
  • The way a person typically moves or acts with their body, e.g. the distinctive way a person walks, writes or types.
  • A combination of physical features and how a person typically moves parts of their body, e.g. how a person sounds when they speak (the way a person sounds is due to both the shape of the vocal cords and throat and the distinctive way they use these structures to speak, producing accent, intonation, rhythm and speaking speed). 

Biometric information also includes: 

  • A biometric sample, which is a record (either non-digital or digital) of an individual’s biometric characteristic e.g. a physical or digital photo of a face, a scan of a fingerprint or a video of someone’s gait when they walk. (These records are biometric information if they are used, or intended to be used, for biometric processing by a biometric system).
  • A biometric template, which is a representation of information extracted from a biometric sample e.g. how an algorithm recognises and analyses the information in a biometric sample.

Biometric information does not include any information about an individual’s biological or genetic material (e.g. blood or DNA), brain activity or nervous system.

Some common types of biometric information

There are many different types of biometric systems and possible uses for biometric information. Some of the most common types of biometric information/biometric systems are:

  • Face images (e.g. as used in facial recognition technology (FRT) or age estimation). 
  • Eye scans (scanning the iris, retina and/or sclera).
  • Fingerprint and/or palm print scans (can also include information about the surfaces of the hand itself).
  • Gait analysis (how someone walks, e.g. stride length and speed).
  • Keystroke log (how someone types, e.g. the time taken on a sequence of keys, the rhythm of keystrokes).
  • Pattern of device use / touch screen interaction (the way you use a smartphone, e.g. the distinctive position, pressure and speed of someone’s fingers when they swipe, scroll or tap).
  • Voice audio (how someone sounds when they speak).

Biometric system

A biometric system means a computer-based or technology-based system that is used for biometric processing. It includes any related devices and components needed to carry out the processing, such as cameras, scanners, comparison algorithms and tokens. For example, the FRT system used for border control uses ePassports (the token) and eGates (the camera and comparison process).

A biometric system typically uses both hardware and software elements to calculate an outcome (comparison score / match) or control a process (facilitate access) and may involve human input, assistance or oversight. 

It does not include a system that relies solely or primarily on human analysis i.e. a purely manual system.

The key question is: who or what is analysing the biometric information? If the analysis is being performed by the biometric system, then it falls within the definition and is subject to the Code. But if the analysis is solely or primarily done by a human, then it won’t fall within the definition and won’t be subject to the Code. If it is not subject to the Code, it will still be subject to the Privacy Act.

Examples of biometric information covered by the Code, each paired with an example of information that is not covered by the Code:

  • Covered: a photograph of someone’s face that is being used in a facial recognition system (also called FRT). Not covered: a photograph of someone’s face which you are using in an internal newsletter.
  • Covered: footage of someone walking that will be analysed by a biometric system to identify the person by their gait. Not covered: footage of someone walking from a CCTV system that will not be processed in a biometric system.
  • Covered: a recording of someone’s voice which will be analysed by a biometric system to identify that person. Not covered: a recording of someone’s voice that is not analysed by a biometric system, e.g. a recording of a call taken for record-keeping purposes.
  • Covered: information about someone’s mood which you learn about through analysis by a biometric system. Not covered: information about someone’s mood which you learn about through the person taking a survey.
  • Covered: numerical information extracted from an image of someone’s face to represent their features (a biometric template). Not covered: a DNA or blood sample.

Biometric processing

Biometric processing means comparing or analysing biometric information, using a biometric system, to either verify, identify or categorise a person. 

Biometric processing covers:

Biometric verification is the automated verification of an individual’s claimed identity. It involves comparing a person’s biometric information with other biometric information that has been previously associated with them (e.g. previously enrolled in the system or held in an identity document) to confirm whether they match (i.e. are sufficiently similar). It asks the question “Is this person who they say they are?” Verification is often used as a security measure to protect personal information or prevent fraud, e.g. when someone uses an electronic passport gate at the airport. Verification is sometimes called one-to-one (1:1) matching.

Biometric identification is the automated recognition of a person’s biometric characteristic (e.g. face, fingerprints, etc.) to identify them by comparing their biometric information against the biometric information of multiple people held in the system. It asks the question “Is this person on the database?” or “Do we know this person?” Identification is used, for example, to identify people who are allowed to enter a space and facilitate their access to that space, or by law enforcement to identify persons of interest on a watchlist. Biometric identification is sometimes called one-to-many (1:N) matching.

Biometric categorisation means analysing a person’s biometric information to learn certain things about them, e.g. using a biometric system to detect someone’s emotions, infer their gender from video footage or estimate their age from their face. We have more information about biometric categorisation.

Examples of biometric processing activities covered by the Code, each paired with an example of an activity that is not covered by the Code:

  • Covered: using a machine-based facial recognition system to identify when individuals in a database enter your business, with a staff member confirming how to respond. Not covered: having a staff member with a list of people’s faces look out for those individuals.
  • Covered: using a software program to automatically compare someone’s driver’s licence against another photo of that person to confirm that it is the same person. Not covered: manual comparison of a driver’s licence with another photo to confirm the person is the same.
  • Covered: using an algorithm to produce a list of possible identities of a person based on their face. Not covered: having a staff member manually produce a list of possible identities of a person.
  • Covered: automated analysis of CCTV footage to identify when an individual is at a site. Not covered: manual review of the CCTV footage.
  • Covered: use of age-estimation software to estimate the age of users based on facial features. Not covered: a staff member using their human judgement to estimate a customer’s age.

Note: The Information Privacy Principles (IPPs) apply to personal information that is not covered by the Code.

Biometric categorisation

Biometric categorisation is when you use an automated process to analyse biometric information in order to collect, infer, detect or generate certain types of sensitive information, or to categorise the individual into a demographic group.

Biometric categorisation covers the collection or inference of the following types of sensitive information:

  • Health information e.g. information about a person’s health conditions.
  • Information about a person’s personality, emotions, or mental state e.g. if someone is extroverted or introverted, how they are feeling, if they intend to lie, or if they are distressed.
  • Information about a person’s fatigue or attention levels e.g. whether someone is tired or paying attention to a specific thing.
  • Any demographic category assigned to an individual because of a characteristic such as their physical features or how they act e.g. age, gender, education level or ethnicity. This includes any demographic category that is a prohibited ground of discrimination under section 21(1) of the Human Rights Act 1993.

Not biometric categorisation

Detection of readily apparent expressions

Biometric categorisation does not include using a biometric system to detect readily apparent expressions, gestures or movements which are things you can observe or record visually or aurally without using biometric processing. For example, whether an individual is nodding or has their eyes closed, whether they are whispering or shouting, or whether the individual uses a wheelchair or is wearing a mask.

This exclusion means that, in general, processes that detect aspects of a person’s face or body to apply a filter or virtual try-on feature, or editing software that categorises people in photos or videos to modify or sort them, will not be subject to the Code (but may still be subject to the Privacy Act).

Personal use and entertainment exclusion 

Biometric categorisation also does not include any analytical process that is integrated in a commercial service or consumer device and is for the purpose of providing the user with their own health information, personal information, or an entertainment or immersive experience.

In general, processes in consumer wearables (e.g. in fitness trackers) that provide the user with their information or processes in face and body tracking cameras used to facilitate immersive video games (e.g. in VR headsets) will not be subject to the Code (but may still be subject to the Privacy Act). 

Biometric categorisation examples

See rule 10 for more information about the limits on biometric categorisation.

Biometric categorisation includes collecting, obtaining, inferring or detecting the following types of information, for example by using an automated process to do the things listed under each type.

Health information.

(See also the section on when the Code applies to health agencies.)

  • Infer BMI from fingerprint data.  
  • Detect skin condition from facial image. 
  • Infer genetic disorders by mapping facial features.  
  • Infer mental health status from eye movements. 
  • Infer a neurodegenerative condition from the way an individual writes (handwriting).
  • Detect if individual has prosthetic from gait or arm movements.
  • Infer stress level from voice.

Personal information relating to an individual’s personality.

  • Detect level of agreeableness through analysis of facial expressions. 
  • Infer individual’s level of emotional stability from eye and hand movements when talking.
  • Analyse a person’s speech patterns and gestures to infer whether they are extroverted.
  • Infer an individual’s susceptibility or openness from voice (e.g. for telemarketing).

Personal information relating to an individual’s mood.

  • Analyse micro expressions to infer whether individual is calm or irritated. 
  • Detect a person’s change in mood from body movements. 
  • Detect excitement by measuring heart rate (HR) and heart rate variability (HRV).
  • Infer depressed mood from body posture. 
  • Infer from voice whether individual is satisfied.

Personal information relating to an individual’s emotion.

  • Detect surprise or shock by registering minute facial movements. 
  • Detect shame from body posture. 
  • Infer positive emotion from heart rate and heart rate variability. 
  • Detect sadness or anger in a person’s voice.

Personal information relating to an individual’s intention.

  • Analyse micro expressions to detect intention to take aggressive action.  
  • Detect intention to lie by monitoring eye movements and pupil dilation. 
  • Analyse gait to detect intention to avoid detection. 
  • Analyse typing patterns or handwriting to detect intention to deceive. 
  • Infer intention to steal based on body and head posture. 
  • Analyse voice to infer intention to leave conversation.

Note: readily apparent expressions are excluded from the biometric categorisation definition, e.g. inferring that the wearer of a VR headset wants to go in a certain direction from gaze or movements that are externally observable without automated processing.

Personal information relating to an individual’s mental state.

  • Infer interest and engagement from micro expressions. 
  • Infer cognitive load from pupil dilation. 
  • Obtain information about a person’s state of distress from voice.

Personal information relating to an individual’s state of fatigue.

  • Infer how well rested a person is from the appearance of their eyes and skin.
  • Track eye movements or blink rate to detect fatigue.
  • Infer exhaustion level from voice.

Personal information relating to an individual’s alertness.

  • Detect hyper-vigilance from facial expression and pupils.
  • Detect arousal intensity via galvanic skin response.
  • Detect whether someone is sleepwalking from eye and body movements.

Personal information relating to an individual’s attention level.

  • Analyse facial expression to determine if engaged. 
  • Monitor eye movements (gaze, blink rate) to detect level of focus.
  • Infer from sound of voice whether distracted.

A demographic category assigned to the individual on the basis of a biometric characteristic.

  • Inferring sex or ethnicity from facial features.
  • Estimating age from face shape and features. 
  • Inferring socioeconomic status from skin condition. 
  • Estimating age from gait or signature.
  • Using step count and HR to categorise according to fitness level.
  • Detecting whether person is pregnant from gait.
  • Attempting to infer sexual orientation from voice pitch and tone. 
  • Inferring education level from sound of voice.

Biometric categorisation does not include the following, for example:

Detecting a readily apparent expression.

  • Detecting whether someone has their eyes closed or is speaking. 
  • Creating realistic avatars that reflect the facial movements of the user. 
  • Photo editing software that allows adjustments or changes to a person’s physical appearance.
  • Detecting position of eyes, nose and mouth to apply a filter or virtual try-ons. 
  • Detecting hair colour from a facial image.
  • Posture detection systems e.g. in yoga studios.
  • Collection and display of raw body metrics when exercising e.g. steps, cadence, heart rate. 
  • Gesture controlled interfaces that detect conscious hand gestures i.e. swiping, waving, pointing. 
  • Foveated rendering i.e. producing better graphics in the video game based on where user is looking. 
  • Eye based interaction e.g. selecting menu items with gaze.  
  • Voice pitch adjustment.

Personal use and entertainment exclusion: Any analytical process that is integrated in a commercial service, including any consumer device, solely for the purposes of providing individuals with: their health information, their personal information or an entertainment or immersive experience.

  • Analysis of user’s facial expression to infer emotions and mood while playing video game to adjust intensity of immersive experience. (Provided there is no other use by video game developer). 
  • Photo/video app uses facial landmark detection to apply fun filters (e.g. dog ears, makeup, aging effects). (This would fall within the “entertainment or immersive experience” limb and may also be excluded under the readily apparent expression exclusion). 
  • Inferring information about a person’s condition (e.g. fitness level, daily energy level, stress) from their movement and heartrate metrics to display on their fitness wearable. (Provided the information is only for the user and is not used or shared by the app developer). 
  • Car system detecting the fatigue level of the driver by analysing their voice commands and advising the user to take a rest. (Provided the information is not used for anything else.)
  • Meditation app detects facial expressions and breathing movements via camera to reflect calmness on-screen to the user. (This would fall into providing the user with their personal information). 

Other activities not covered by the Code

In general, the following activities will not be regulated by the Code as they do not fall within the definition of biometric categorisation (or verification or identification). These activities may still involve the collection and use of personal information, in which case the organisation carrying them out must comply with the Privacy Act.

  • Face or person detection (without unique identification or demographic categorisation) e.g. detection of people on railway tracks, monitoring queues, smart cameras used on autonomous cars.
  • Lexical sentiment analysis: tools that analyse the content of human speech or text and determine whether it is positive, neutral or negative, or assign tags according to theme or topic, provided the analysis is based on the words rather than on how a person says them (tone, pitch, etc.).

If you are doing the above types of activities, you should still consider the definitions of biometric verification, identification and categorisation to be confident that your specific use is not covered by the definition.