AskUs

Why is the Privacy Commissioner okay with biometrics?

The Privacy Commissioner is responsible for privacy regulation of personal information, which happens through the Privacy Act

The Privacy Act sets out broad privacy principles that tell agencies (businesses and organisations) how they’re allowed to collect and use personal information, which includes biometric information. 

The Commissioner can’t allow or ban biometric technologies in New Zealand.  However, the Commissioner can make rules that make sure biometric technologies are used in a way that keeps New Zealanders’ biometric information as safe as possible. That’s what happened with the issuing of the Biometric Processing Privacy Code

About the Biometric Processing Privacy Code

The Privacy Commissioner has developed and issued specific privacy rules for agencies collecting and processing biometric information using technology. These rules are set out in the Biometric Processing Privacy Code 2025. The rules respond to the privacy risks posed by biometric technologies and to ensure responsible use. 

A lot of organisations use biometric identification or biometric verification to check who people are. This can help organisations to keep customer information protected. Organisations using that technology, including facial recognition technology (FRT) need to make sure that they are using it accurately and safely. 

Using biometrics to classify people and gather insights about them is riskier so there are more guardrails in the code for that type of processing. 

About the rules in the Code 

The rules in the code mean that organisations need to justify their use of biometrics, to use privacy safeguards and to inform people, including letting people know if there is an alternative to biometric processing. People can ask organisations if they hold their biometric information. 

The 13 rules in the Biometric Processing Privacy Code replace and update the 13 principles in the Privacy Act for biometric information. The Privacy Act still applies to any personal information that is generated through biometric processing. 

Do you have other questions or complaints about biometrics?

If you have questions about biometric processing, you can ask the organisation for information about how they are using your biometric information. Anyone who has experienced a breach of their privacy from the use of biometric technologies (for example an inaccurate outcome or result) should contact that organisation to make a complaint. 

If a complaint is not resolved, you can contact OPC. We will assess your complaint under the Privacy Act. We will also assess your complaint under the Code, if it applies (the Code will be fully in force by 3 August 2026). 

The Code was developed through several rounds of consultation  including public consultation. Read more about the history of the project

Updated November 2025