Back Home 5 News 5 Privacy watchdog changes draft biometrics code of practice

Privacy watchdog changes draft biometrics code of practice

19 Apr 2024

| Author: Reweti Kohere

The Office of the Privacy Commissioner has made three changes to a draft code of practice to regulate the “growing and diversifying” use of biometrics, including a proposal that organisations try to get people’s consent before collecting this special type of personal information.

Other suggested changes include further guidance on earmarked modifications to existing Information Privacy Principles (IPPs) and a switch from restricting the use of biometrics for marketing to regulating intrusive types of biometric classification – an “emerging and growing” category of use.

The office last week released for public consultation its draft Biometric Processing Privacy Code, following a more targeted round of consultation in mid-2023.

The Privacy Act 2020 regulates the use of personal information in New Zealand, and the office considers biometric information – the way people walk, the irises in their eyes, their distinct facial shapes, their fingerprints and the characteristics of their voices – a special type of personal information as it’s fundamental to a person’s sense of identity.

When processed using facial recognition and other automated processing technologies, biometrics can identify people and work out other kinds of information about them. Because of this, additional rules have been drafted for organisations using these automated processing technologies, with Privacy Commissioner Michael Webster recognising their use carries benefits and risks.

“The use of biometrics is growing and diversifying, and I want to ensure New Zealanders and New Zealand businesses that they can harness the benefits of this technology but also be protected from potential harm,” Webster says. “We need to embrace technological advancement, but it’s vitally important to me that we also do the research, thinking and planning that keeps people safe and protects their right to privacy.”


Privacy safeguard

In the office’s 57-page consultation document accompanying the draft code, it says it has decided not to add a standalone general consent requirement as first proposed last year in its discussion document.

There, the office proposed that organisations would have to get people’s informed consent before collecting their biometric information, which would have brought New Zealand into line with other jurisdictions such as Australia and the EU.

However, under its draft rules, the office has acknowledged the general requirement of consent would have proved difficult to work in practice, including where biometrics are collected at a distance. And the requirement started to lose its utility when necessary exceptions were considered.

The general consent requirement wasn’t the best tool for the job either. “Consent places a burden on people and with busy lives, there’s a risk it would be overlooked by consumers,” the office says. “Consent works best in situations where the consequences are easy to imagine, there’s real choice and the decision is taken seriously.”

Instead, the office would require organisations to uphold privacy rights by mandating that they put in place the “privacy safeguard” of obtaining consent, where appropriate, upon collecting biometric information for processing. The office defines privacy safeguards as relevant and reasonably practical actions or processes that mitigate the reasonable likelihood of privacy risk. Other examples include subjecting biometric systems to testing, training staff and ensuring practices comply with policies.

Organisations will not breach the code if they don’t put in place every safeguard, the office says. “Rather, what is required is for each organisation to adopt any privacy safeguards, these ones, or other safeguards, that are relevant for their context and reasonably practical to implement.”


Proportionate, clear, fair

Previous submissions have emphasised to the office the need to keep the IPPs “flexible and technology-neutral”, the office says. The main changes are in rules 1, 3 and 4, with supplementary changes to rules 2, 6 and 10. Each of the rules in the code corresponds to their respective IPP in the Privacy Act.

Under the draft code, agencies collecting and using biometric information will have to decide whether their reasons for using biometric technologies outweigh the privacy intrusion or risks of doing so (rule 1). Such agencies must have “clear signs or notices and make additional information publicly available” (rule 3) and, under what is now known as the “fair processing limits” requirement in rule 4, organisations must not use biometric classification to infer information about people’s health, personality or mood, physical state, gender and ethnicity and other demographics.

In its final change, the office has reconsidered its initial proposal to restrict the use of biometrics for marketing, saying that regulating intrusive types of biometric classification, such as emotion recognition or categorising people in certain ways, is a better approach. “Marketers should take note that some of the other rules in the draft code may impact on certain types of biometric processing that they want to use,” the office warns.

Consultation remains open until 8 May, after which feedback will be considered and any necessary changes to the draft will be made. A further period of formal consultation will occur before the code of practice is issued.

Subscribe to


The weekly online publication is full of journalistic articles written for those in the legal profession. With interviews, thought pieces, case notes and analysis of current legal events, LawNews is a key source of news and insights for anyone working within or alongside the legal field.

Sign in or
become a Member
to join the discussion.


Submit a Comment

Your email address will not be published. Required fields are marked *

Latest Articles