Can we collect biometric information?
If you want to collect any kind of biometric information (for instance, fingerprints or facial scans), you need to adhere to the Biometric Processing Privacy Code.
The Code applies to all organisations - businesses, government agencies, NGOs - that collect biometric information for biometric processing (with limited exceptions).
Read the Code and see factsheets that give a general overview of the rules.
Read detailed guidance about each rule in the code, our complaints process, and use case examples.
The Code requires that organisations must not collect biometric information unless:
• It is for a lawful purpose connected with the organisation’s functions or activities,
• It is necessary for that purpose,
• The organisation has adopted and implemented privacy safeguards, and
• The risks and impacts on people, including Māori, from the biometric processing are proportionate to the benefit of the processing
The Code also contains rules about what organisations must tell people, how biometric information must be protected, and how biometric information may be used and disclosed.
Security of biometric information is particularly important because, unlike a password or access card, a fingerprint or face cannot be reissued: if the information is lost or stolen in a data breach, there is very little the individual can do to recover or protect their identity information.
The Privacy Commissioner can investigate whether the collection of biometric information complies with the Code. This could include systemic issues, such as overcollection of unnecessary information, unreasonably intrusive collection of biometric information, or inadequate security measures for protecting sensitive personal information.
Agencies (businesses or organisations) should carry out a Privacy Impact Assessment before implementing biometric processing, to make sure the risks have been identified and addressed.
Updated October 2025