What you need to know about the Biometric Processing Privacy Code 2025

The Biometric Processing Privacy Code 2025 (Biometric Code) was issued by the Privacy Commissioner on 21 July 2025.

It will come into force in two stages: 

  • On 3 November 2025 for biometric processing that starts after 3 November 2025
  • On 3 August 2026 for biometric processing already in use on or before 3 November 2025 (allowing a 9-month grace period for existing biometric systems)

The Biometric Code establishes specific rules for the collection, use, and management of biometric information by organisations. It supplements the Privacy Act 2020, replacing the Information Privacy Principles with 13 tailored rules. 

What is biometric information?
Biometric information is narrower than general personal information (to which the Privacy Act applies).  The Biometric Code deals with personal information that relates to the physical, physiological, or behavioural characteristics of an individual and that can be used, alone or in combination with other information, to identify, verify, or categorise that individual through automated processing.

Biometric information will include physical (e.g. facial features, fingerprints, iris), physiological (voice / speech patterns, body shape, gait), and behavioural (typing patterns, how you sign your name) characteristics about an identifiable individual that are used for automated identification, verification, or categorisation.  

How does the Biometric Code apply?
The Biometric Code applies to all organisations that collect biometric information for automated identification, verification, or categorisation purposes.

It does not apply to health agencies processing biometric information related to health services, which are governed by the Health Information Privacy Code. It also does not apply to information about an individual’s biological material, genetic material, brain activity, or nervous system - which is covered separately under health and ethics frameworks.

What are the core rules of the Biometric Code?
The Biometric Code emphasises privacy risk, so organisations must identify and assess privacy risks before implementing biometric systems.  

  • Necessity and proportionality: Organisations must demonstrate that biometric processing is necessary for a lawful purpose and that no less intrusive alternatives are available.
  • Effectiveness: The biometric system must be effective in achieving its intended purpose.
  • Safeguards: Appropriate privacy safeguards must be implemented to mitigate risks associated with biometric information processing.
  • Transparency: Organisations must be transparent about their biometric information practices, informing individuals about the collection and use of their biometric information.
  • Accuracy and security: Biometric information must be accurate and securely stored, with measures in place to protect against unauthorised access.
  • Retention and disposal: Biometric information should not be retained longer than necessary and must be securely disposed of when no longer needed.
  • Access and correction: Individuals have the right to access their biometric information and request corrections if necessary.
  • Disclosure: Strict limitations are placed on the disclosure of biometric information, particularly concerning sharing information outside New Zealand.

Other considerations in the Biometric Code

  • Privacy Impact Assessments (PIAs): Organisations are encouraged to conduct PIAs to assess and address privacy risks associated with biometric processing, to help ensure compliance with the Biometric Code and identify potential issues before implementation.
  • Trial periods are permitted: The Biometric Code permits organisations to conduct trial periods for biometric systems to evaluate their effectiveness and impact. These trials must adhere to the same rules as full implementations and cannot exceed 12 months.
  • Cultural considerations: The Biometric Code acknowledges the importance of considering cultural factors, particularly the potential impacts on Māori communities, when implementing biometric systems.

The Biometric Code can be accessed on the Office of the Privacy Commissioner’s website, together with associated guidance materials.

If your organisation is considering implementing a biometric system (or already using one), now is the time to ensure the system and processes comply with the Biometric Code. MoranLaw’s experienced team is well across the Biometric Code and can help your organisation navigate compliant use of biometric systems. Get in touch today.
