Biometric data capture is now subject to privacy jurisdictions under the Privacy Act 2020. The Biometric Processing Privacy Code 2025 will be enforced in November 2025, allowing a grace period for companies already using automated biometric systems to comply with the rules. The final draft has been released by the Office of the Privacy Commissioner which applies to automated biometric systems used in the private or public sector, omitting healthcare applications, manual processing and the use of personal consumer devices.
Organisations that have settled into the use of biometric information in automated systems to identify and categorise individuals should review the Code and Guidance and assess their current use of biometrics to ensure a smooth transition. The 13 new rules will scrap the Information Privacy Principles under the Act and necessitate the lawful practices of collecting biometric information for organisations. Wherever possible, organisations are encouraged to consider other options that present a lower privacy risk as well as meet the blanket ‘necessity test’ for determining lawfulness of systems.
