Biometrics Code To Go Ahead, Second Consultation Period Open

Just before the Christmas break, the Privacy Commissioner announced his intention to issue a Biometrics Processing Privacy Code of Practice (Code) and released an updated draft Code and associated guidance document for public consultation.

Submissions for this second public consultation close on 14 March 2025.

In our previous biometrics update, we highlighted some key obligations on organisations under the exposure draft of the Code released as part of the initial consultation period in April to May 2024.  These obligations include biometric information collection notice requirements, proportionality assessments before collecting biometric information and prohibitions on certain uses of biometric information.  Following that consultation, the Code has been subject to substantial change, including:

  • Agencies already using biometric processing now have more time to comply with the Code once issued, as the commencement period has been increased from six to nine months from introduction (but only in respect of biometric processing that an agency had implemented before the Code was issued).
  • Definitions have, thankfully, been simplified.  For instance, "biometric classification" has been replaced with "biometric categorisation", which aims to more clearly capture the use of biometric information to place individuals into sensitive categories.
  • The prohibitions around "biometric categorisation" have been retained but with limited exceptions.  Biometric categorisation will involve using an automated process to analyse biometric information:

    • to infer or detect an individual's health information
    • to infer or detect an individual's emotional or mental state, or
    • to categorise individuals into demographic categories that are prohibited grounds of discrimination under section 21(1) of the Human Rights Act 1993.

    Helpfully, the revised Code makes it clear that biometric categorisation generally will not include an analytical process that is integrated in a service or device that provides the user with health or personal information (eg fitness trackers).

  • The necessity and proportionality rules have been revised for clarity.  Of particular note, biometric processing will be considered "necessary" if (1) it is effective in achieving the organisation's lawful purpose (see the bullet point below in relation to this) and (2) such purpose cannot reasonably be achieved by an alternative means with less privacy risk.  There is also an additional requirement to inform individuals where they can find the results of any proportionality assessments conducted by an organisation (for example, whether these assessments are publicly available or available on request).
  • Helpfully, organisations can now conduct a trial to determine whether biometric processing will be effective in achieving a lawful purpose.  This trial will also allow organisations to defer compliance with Rule 1(1)(b)(i) (the requirement for biometric processing to be effective in achieving a lawful purpose) until the end of the trial period.
  • Notification requirements under Rule 3 (collection of information from individuals) have been made clearer, particularly that notice must be given before biometric information is collected, and that notice must be given in a clear and conspicuous manner.  Importantly, the draft guidance indicates that in order to make the notice "conspicuous", information about biometrics should be provided separately, or "set apart" from other information.  This is consistent with the previous draft Code which also required a separate notice.
  • The restriction around organisations using web scraping to collect biometric information from publicly available sources has been removed.  Any method of collecting biometric information will instead be addressed under Rule 4 (manner of collection of biometric information) generally.  Rule 4, much like information privacy principle four under the Privacy Act 2020, requires that the means of collecting biometric information is fair and that any intrusion upon an individual's personal affairs is reasonable.
  • As with the exposure draft, the Code does not apply to health agencies processing health information (which is separately covered by the Health Information Privacy Code 2020).  However, other activities of a health agency (eg processing biometrics about staff or for security purposes) could still be captured.

Once the current round of consultation on the revised Code is complete, the final draft is expected to be released in mid-2025.

We expect the draft Code to undergo further changes based on feedback from this second public consultation and the views of the recently established Office of the Privacy Commissioner Māori Reference Panel.  

If you would like any assistance with preparing a submission or have any questions about how the Code could impact your business, then please get in touch with one of our team.

This article was co-authored by Keri Johansson (partner), Alex Chapman (special counsel) and Pearlyn Tan (solicitor).