New Biometric Processing Privacy Code for New Zealand 2025
A major update for biometric security solutions in New Zealand
On 21 July 2025, the Office of the Privacy Commissioner in New Zealand announced the release of the Biometric Processing Privacy Code 2025. This is a significant milestone in regulating how biometric technologies, such as facial recognition, are used across New Zealand. The Code introduces specific rules for organisations collecting, using, and processing biometric information.
The new Code reinforces the importance of privacy in an era where biometric authentication is rapidly expanding across sectors, from critical infrastructure and public venues to private enterprise. It will be interesting to see how it is interpreted and whether it fits all use cases. Nextro recommends its customers to take note and follow the new code.
The Biometric Processing Privacy Code 2025 outlines how biometric information, such as facial features or iris scans, must be managed under the Privacy Act. It applies to technologies used to identify individuals or to learn about them, and sets expectations for transparency, necessity, fairness, and accountability in the use of these technologies.
Key Obligations for New Zealand Businesses:
For New Zealand organisations using biometric systems, including facial recognition cameras and biometric access control, the Code introduces the following key obligations.
- Transparency: Businesses must ensure people know when their biometric information is being collected. Clear, accessible signage and privacy statements must be visible at the point of collection.
- Purpose limitation: Biometric data must only be collected for specific, lawful purposes. The use must be necessary for that purpose and not collected ‘just in case’.
- Necessity and proportionality: Organisations must assess whether less privacy-intrusive options exist before using biometric tech. If a swipe card or PIN can reasonably meet the same purpose, biometric use may not be justified.
- Privacy Impact Assessments (PIAs): A PIA is required for any biometric processing activity, documenting risks and mitigations. This is mandatory and should be completed prior to deployment.
- Consent and alternatives: In many cases, particularly in workplaces or public access scenarios, individuals must be offered a genuine alternative to biometric enrolment, unless an exemption applies.
- Special restrictions: Certain uses, like real-time facial recognition in public, or profiling individuals based on biometric data, are considered high-risk, and face stricter scrutiny under the Code.
The Code comes into effect on 3 November 2025 with new systems deployed after that date having to be compliant. A grace period for existing biometric systems, in operation prior to 3 November 2025, gives operators until 3 August 2026 to meet the updated compliance standards. New systems will need to be compliant from 3 November 2025.
This timeframe is short and likely insufficient for large organisations. Nextro recommends that business start early to ensure sufficient time to assess and align their technologies, policies, and processes.
Nextro will continue to work closely with its technology partners and customers to ensure that our evolving biometric solutions are capable of meeting the requirements of the Code.
We encourage all businesses using or considering biometric technologies to familiarise themselves with the Code.
Please reach out to the Nextro team to discuss our face recognition, iris recognition, and finger print biometric access control solutions.
