OPC releases exposure draft of new Biometric Processing Privacy Code

  • Legal update

    12 April 2024


On 10 April 2024, the New Zealand Privacy Commissioner unveiled an exposure draft of a new Biometric Processing Privacy Code (the Code), for public consultation. The Code, which sits under the Privacy Act 2020 (the Act), aims to establish comprehensive rules on how businesses and organisations can collect, use, store, and disclose biometric information, including physiological and behavioural biometrics and biometric samples (such as fingerprints, facial recognition, voice recordings and other biometric identifiers).

Key aspects of the Code

The Code proposes more stringent rules for processing biometric information by modifying how some of the existing information privacy principles (IPPs) under the Act apply, focusing on three key areas: collection, transparency and restrictions on processing. Some IPPs continue to apply without modification.

Collection 

In addition to the existing requirements under IPP 1 of the Act, Rule 1 of the Code introduces two further requirements that must be satisfied before biometric information can be collected:

  • Proportionality assessment: Agencies will be required to conduct a proportionality assessment before commencing any biometric processing, to confirm that the processing is not disproportionate in the particular circumstances. This will require agencies to consider factors such as whether the processing is effective in achieving the agency's lawful purpose, whether there are alternative means that carry less privacy risk, whether the benefit of achieving the agency's purpose outweighs the privacy risk, and the cultural impacts and effects of biometric processing on Māori and any other New Zealand demographic group.
  • Implementing privacy safeguards: Agencies will be required to implement privacy safeguards that are relevant and reasonably practicable in the circumstances to reduce the privacy risk to individuals arising from biometric processing. These include measures such as ensuring individuals can authorise the biometric processing on the basis of an informed decision or can opt out of it, informing individuals that they are on any biometric watchlist (and how they can challenge their enrolment on that list), making sure the biometric system is tested and secure and that any training of the system has appropriate human oversight, regularly reviewing privacy risks, training staff, and ensuring all processes follow accessible, up-to-date protocols.

Transparency

The Code also includes new transparency obligations under Rule 3, including: 

  • Additional information disclosure requirements: Agencies will need to take steps to ensure individuals are aware of whether there is any alternative to biometric processing, provide a list of the agency's policies, protocols and procedures that apply to the use of biometric information (including a summary of the agency's biometric information retention policy), make sure there is a process in place for individuals to raise concerns and complaints about biometric processing, and let individuals know they have a right to complain to the Privacy Commissioner.
  • Additional notice requirements: To comply with the information disclosure obligations set out in Rule 3, agencies must provide individuals with both an "accessible notice" and a "conspicuous notice", each containing the prescribed content set out in the Code. These notices must be separate from general privacy policies.

Restrictions

The Code also prescribes certain purpose limitations and restrictions around the processing of biometric information, including:

  • Restricting agencies from processing biometric samples for a secondary purpose unless the agency has adopted reasonable privacy safeguards and the agency believes on reasonable grounds that the type of biometric processing is not disproportionate; 
  • A restriction on agencies using biometric information to infer an individual's health information, or mood or emotions, or other specific categories, with certain exceptions; and 
  • A restriction on collecting biometric samples through web scraping, being the use of automated tools to extract information from online sources, even where such samples are available on publicly accessible websites.

Notably, the Code does not apply to biometric processing by health agencies for activities covered by the existing Health Information Privacy Code 2020. 

Business implications 

If implemented, the Code would place significant additional regulatory compliance obligations on any organisation deploying or relying on biometric technologies like facial recognition, fingerprint scanners, or behavioural tracking software.

Although privacy impact assessments are not expressly mandated under the Code, we expect that in practice a detailed privacy impact assessment will be required before any proposed biometric processing, to ensure the organisation properly assesses whether the processing is proportionate in the circumstances and that the necessary privacy safeguards are implemented and managed in accordance with the Code. This may require organisations to engage external third parties to assist with these assessments, particularly from a security and cultural perspective, where organisations may not have sufficient in-house expertise to properly assess those risk areas. The Code also mandates separate notices (distinct from general privacy policies) in relation to biometric processing, and organisations will need to update their existing data retention policies to cater specifically for biometric information.

Organisations already undertaking biometric processing will need to review their existing biometric practices against the proposed Code, and may need to implement additional technical, policy and operational safeguards to comply with the new requirements.

Public consultation

The Privacy Commissioner is seeking feedback on the exposure draft from 10 April 2024 to 8 May 2024, which is a relatively tight consultation period. Interested parties are encouraged to engage in this process and submit comments on the exposure draft by emailing [email protected], to ensure their perspectives are considered. More information is available on the Privacy Commissioner's website.

Our Privacy team is currently considering the full implications of the proposed Code. We stand ready to assist organisations in assessing their use (or proposed use) of biometric information and related processing, including providing regulatory advice and assisting with drafting submissions on the proposed Code to the Office of the Privacy Commissioner.

Feel free to reach out to our experts if you would like to discuss how the Code may impact your organisation. 


This article was co-authored by Luke Han, a Solicitor in our Technology team.