Key takeaways

  • The Privacy Commissioner has announced his intention to issue a Biometrics Processing Privacy Code of Practice (Code).
  • A draft Code, together with proposed guidance, has been released for public consultation. The consultation period runs until 14 March 2025. The consultation documents are available here.
  • The Commissioner has previously indicated that biometric and other advanced technologies are a priority for his office, so the announcement is consistent with that focus. It is also timely, given some key overseas developments in this space (particularly in Australia and the EU) that have occurred in the last few months.

What is the Code?

Under the Privacy Act 2020 (Privacy Act), the Privacy Commissioner has the power to issue codes that (amongst other things) modify the application of one or more of the Information Privacy Principles (IPPs) in the Privacy Act to set more specific or stronger rules for specific industries, organisations or types of personal information.

The Code will introduce specific rules that will replace the IPPs for biometric processing activities, which the Code defines as the comparing or analysing of biometric information (such as people’s fingerprints, face prints, etc.) using computer software, algorithms or other automated systems. The rules will apply to agencies using biometric information in automated processes to recognise or categorise individuals, such as facial recognition technologies.

What’s happened so far?

In April 2024, the OPC released an exposure draft of a biometrics processing privacy code. The OPC received a significant amount of feedback on the exposure draft and used that feedback to make changes. The Code that is the subject of the current consultation is the result. You can read more on the background to the Code in our previous articles Biometric Boundaries: A Code of Practice to Regulate Biometrics in New Zealand and Biometrics Privacy Code - facing up to an uncertain future.

What has changed?

Some of the key changes made in the latest draft Code include:

  • increasing the commencement timeframe from six to nine months, to give organisations already using biometrics more time to comply before the Code starts to apply;
  • reducing the number of definitions used in the Code, and clarifying their scope;
  • revising the proportionality assessment, and introducing a new requirement encouraging organisations to be transparent with their proportionality assessments;
  • introducing a new provision to allow organisations to carry out trials, of up to six months, to assess whether their use of biometrics will be effective;
  • removing the restriction on web-scraping; and
  • removing the restrictions and associated exceptions for age estimate and attention tracking to better align with a risk-based approach and comparable approaches overseas.

Alongside the Code, the Office of the Privacy Commissioner (OPC) has released draft guidance (found here) to help explain the application of the rules, how the Code is intended to work and how organisations can go about complying with it. The draft guidance does not currently cover all the rules in the Code but includes guidance on rules 1, 2, 3, 6 and 10 (which, generally speaking, cover matters such as the purpose of collection, individuals’ rights of access, and limits on how biometric information can be used and disclosed) as these rules are considered to significantly impact the application of the Privacy Act.

What happens next?

The OPC has asked for feedback on the Code and its associated guidance. The consultation is open until 14 March 2025. After consultation, the Privacy Commissioner will consider the feedback and make any necessary changes. The final version of the Code is expected to be published in mid-2025.

Our thoughts

The fact that the Commissioner has confirmed his intention to proceed with the Code demonstrates his commitment to ensuring that New Zealand’s privacy regime keeps pace with technological advances and overseas regulatory developments.

The OPC has clearly listened to the feedback received in response to the initial consultation, and many of the changes that have been proposed (together with the associated guidance) appear to provide some much-needed clarity on how the Code is intended to operate. The restrictions in the Code appear to be more targeted, and the Code is overall simpler and easier to understand.

Does the Code strike the right balance between enhancing privacy protections in this emerging space, without unduly stifling innovation? A question we’ll be pondering as we delve into the Code’s details over the summer break.

Get in touch

Please get in touch with our contacts if you would like to know more about how the Code may impact your business or if you would like advice or assistance with preparing a submission.

Special thanks to James Burnett for his assistance in writing this article.

Contacts

Jania Baigent
Karen Ngan
Michelle Dunlop

Related Articles

15/10/2024·4 mins to read

Workplace use of GenAI breaches privacy laws

Artificial intelligencePrivacy Act and data protection
9/10/2024·2 mins to read

Biometrics Privacy Code - facing up to an uncertain future

Privacy Act and data protection
4/10/2024·4 mins to read

AI Regulation: NZ walks a tightrope

Artificial intelligenceDigital & new technologiesPrivacy Act and data protection
1/10/2024·2 mins to read

Privacy Commissioner takes stand: Organisation named for ignoring notification obligations

Privacy Act and data protection
1/08/2024·3 mins to read

The Crowd Strikes back: Preparing your business for IT incidents

Privacy Act and data protectionDigital & new technologiesCyber security