New Biometrics Regulation is Coming: Start Preparing


The countdown has officially begun for organisations using biometric data, with compliance deadlines having been set.

New regulations under the Biometric Information Privacy Code (“the Code”) will come into effect on 3 November 2025 for new biometric processing systems, while existing systems must meet compliance standards by 3 August 2026.

These timeframes leave little room for delay, and taking early, strategic steps now will be critical to ensuring compliance. Staying ahead of the curve will not only mitigate potential risks but also position your organisation to operate confidently in this evolving regulatory landscape.  Here we break down some of the key information to get you started.

What do we mean by Biometric Information?

Biometric information refers to personal data relating to an individual's unique physical or behavioural characteristics. At a practical level, examples of biometric systems in workplaces range from timeclocks that use fingerprints, vehicle systems that track alertness and IT systems that track computer usage for remote workers through to voice matching systems.

What You Need to Know

This new Code introduces new obligations for organisations that use biometric processing. It covers how you collect biometric information, how you tell people you are collecting it, and how they can correct their information. It also covers requirements for how you store, access and use biometric information.

Proportionality Assessments, which must also take into account any cultural impacts on Māori, are being introduced as a requirement. Your obligations extend to making sure the individuals you are collecting biometric information from are aware of the location of your assessments (or a summary of them) and how they can access them. Information must also be provided to individuals about how they can raise concerns or complaints.

Practical Steps to Get Compliance-Ready

The introduction of this Privacy Code is yet another step in a growing emphasis on data protection and the responsible use of emerging technologies. The complexity of the new requirements means it’s wise to start preparing as soon as possible. Here are some ways you can start to prepare for compliance:

  1. Map Your Biometric Activities - Start by identifying every area of your organisation where biometric processing takes place. This includes systems, processes, and tools such as facial recognition software, fingerprint-based access controls, or voice authentication technologies. Develop a complete overview of how biometric data is collected, stored, and used.
  2. Carry out Proportionality Assessments - Assess each biometric processing activity to determine its necessity, effectiveness, and proportionality. Consider both the privacy implications and the cultural impacts on Māori.
  3. Update or Create Privacy Impact Assessments (PIAs) - Review and, where necessary, update your Privacy Impact Assessments to address the unique requirements of biometric data processing. This includes evaluating privacy safeguards, proportionality findings, and cultural considerations.
  4. Develop Comprehensive Notices - Draft clear, accessible notices for individuals explaining what biometric data you collect, why it’s needed, whether any non-biometric options are available, and how they can access further information or lodge complaints. Update any policies, handbooks and guidance documents to reflect this information.
  5. Train Your People - Educating your staff is key to ensuring compliance. Embed training on the Code’s requirements into your privacy framework. Equip team members with the knowledge to manage biometric data responsibly and respond to emerging challenges.
  6. Implement Regular Reviews - Add regular reviews of your biometric systems and processes to your annual calendar to stay aligned with regulations and best practice.

If you need more information or any support with implementing the new requirements, get in touch with us to take the first step.