
The Code does not apply to health agencies or health information in some situations

The Code does not apply to biometric information if:

  • that biometric information is also health information under the Health Information Privacy Code (HIPC), and
  • the biometric processing is being done by a health agency.

In that case, the HIPC applies instead. 

“Health agency” is defined in the HIPC. It includes any agency that provides health or disability support services, agencies which train health practitioners and agencies which provide health, disability, accident or medical insurance (but only in respect of providing the insurance). For the full definitions of health agency and health information, see the HIPC.

If a health agency is doing biometric processing on biometric information that is not health information, the Code still applies. The Code also applies to biometric information that is also health information if the agency doing the biometric processing is not a health agency.

For example:

DOES apply.

A medical practice has fingerprint scanning to allow staff to enter the premises. This is not health information, so the Code applies.

Does NOT apply.

A medical practice uses biometric processing to help detect health conditions. This is health information, and the biometric processing is by a health agency, so the Code does not apply (but the HIPC would).

DOES apply.

A fitness club uses a biometric system to analyse the health status of its members. This is health information, but the biometric processing is not by a health agency (because the agency is not providing health services), so the Code applies.

Some rules in the Code do not apply to intelligence and security agencies

Rules 2, 3, 4(b) and 10(4) do not apply to the New Zealand Security Intelligence Service and the Government Communications Security Bureau. This mirrors similar exclusions in the Privacy Act and reflects the special nature of intelligence and security agencies’ work.

The Code will generally not apply to consumer devices

In most cases devices for consumer use like smartwatches, fitness trackers, or VR headsets will not be covered by the Code. This is because these devices will not be doing biometric verification or identification, and if they are doing biometric categorisation, they would generally be excluded by the “integrated analytical feature” or “readily apparent expression” exceptions discussed in the biometric categorisation section.

The Code will generally not apply to individual people in their personal capacity

As with the Privacy Act, people acting in their private capacity would only be subject to the rules in the biometrics Code if what they are doing is either unlawful or considered “highly offensive to a reasonable person” (Section 27 of the Privacy Act).

If an employee is using biometric processing in their workplace, then the organisation would be responsible for the activity being carried out in compliance with the Code. 

If a person is using biometric processing for a business or non-personal use on their own account (e.g. as a sole trader), then the person is responsible for compliance with the Code.

What if the Code doesn't apply?

The Privacy Act applies to personal information that is not covered by the Code. For example, the Act applies to any completely manual uses of biometric information. 

The Privacy Act also applies to the results of biometric processing.

OPC’s guidance on the Privacy Act and working with sensitive information continues to be relevant and applies to sensitive information that the Code does not apply to.