Navigating the New Biometric Processing Privacy Code: What Businesses Need to Know

What’s changing — and why it matters
The Biometric Processing Privacy Code 2025 has been finalised and will take effect on 3 November 2025. It replaces the general Information Privacy Principles in the Privacy Act 2020 wherever automated biometric processing is used.
Organisations already using biometric systems before that date have until 3 August 2026 to comply. The Office of the Privacy Commissioner (OPC) has also published guidance on the Code to help organisations prepare.
Common Business Use Cases
You might be using biometric technology without realising it. The Code applies to a wide range of systems, including:
- CCTV with facial recognition – Security monitoring, access control, or incident investigation.
- Staff time and attendance systems – Fingerprint or palm scanners to clock in and out.
- Access control for secure areas – Iris or facial scanning for high-security or hazardous sites.
- Event management & ticketing – Facial recognition or gait analysis to speed up entry or identify banned attendees.
- Customer personalisation – Retail or tourism operators using facial recognition to identify returning customers and tailor service.
- Health and fitness monitoring – Attendance tracking or posture analysis in gyms and wellness centres.
- Transport and passenger processing – Biometric ID verification at check-in or boarding.
- Accommodation access – Biometric locks or entry systems for boarding houses, hostels, or staff accommodation.
If your business uses any of these technologies, the new Code is likely to apply.
📌 Top three things the Code requires
- Necessity Test – You must show that using biometrics is necessary, effective, and proportionate — and that less privacy-intrusive options wouldn’t work as well.
- Clear Disclosure – People must be told, before or at the time of collection, what biometric data is being collected, why, how it will be used, and any alternatives available.
- Strong Safeguards – Biometric information must be stored securely, protected from unauthorised access, and deleted when no longer needed for its original purpose.

Key Insight: Applying the “Necessity Test”
The Code’s most significant requirement is the necessity, effectiveness, and proportionality test. You must be able to demonstrate that:
- Biometrics are necessary – A genuine need exists that can’t be met through less privacy-intrusive methods.
- They are effective – The technology reliably achieves its purpose.
- The use is proportionate – The benefits outweigh the privacy risks.
This requires evidence-based decision-making. For example, if you want to introduce facial recognition for staff entry, you’ll need to show that alternatives like swipe cards or PINs wouldn’t be as effective.
What’s new since the Draft
The final Code includes a few important changes:
- Extended compliance period – Existing systems have until August 2026 to comply.
- Trial flexibility – The necessity test can be deferred for controlled trials, provided they are proportionate and secure.
- Clearer exemptions – Personal consumer devices like smartphones or VR filters are excluded.
- Tighter controls on certain uses – Emotion detection, attention tracking, or inferring sensitive traits are heavily restricted, only allowed for specific safety or welfare purposes.
What businesses should do now
- Audit current biometric systems – Identify what you’re using, how, and why.
- Apply the necessity test – Assess whether the technology is the most appropriate and document your reasoning.
- Update your privacy policy – Clearly explain biometric use, reasons, and alternatives.
- Strengthen safeguards – Use encryption, access controls, and staff training.
- Plan for trials – If piloting tech, ensure they’re proportionate, secure, and documented.
- Start early – Preparing now avoids disruption when the deadline arrives.

What will happen if you fail to comply?
Failure to comply with the Code puts your business at risk of being found to have interfered with someone’s privacy under the Privacy Act 2020. Possible outcomes include:
- A complaint to the Privacy Commissioner – Any individual can complain to the Office of the Privacy Commissioner (OPC), which can investigate and issue compliance notices.
- Compliance notices and enforcement – The OPC can require you to take or stop certain actions. A failure to comply can lead to referral to the Human Rights Review Tribunal, which can also make orders and award damages.
- Reputational damage – If the OPC issues a compliance notice, it will generally publish it (including the organisation’s name) unless there is good reason not to.
- Other breaches – Non-compliance could also put you in breach of third-party contracts in which you have agreed to comply with the Privacy Act, or of your obligations as an employer.
How we can help
A key principle is that individuals must be told, clearly and up front, when their biometric information is being collected, why it’s being collected, how it will be used, and what alternatives (if any) are available. This disclosure must happen before or at the time of collection, not buried in fine print.
We can help you with:
- Updating privacy statements so they meet the Privacy Act 2020 and Code requirements.
- Drafting signage and notices for CCTV, biometric scanners, or trial systems that meet the disclosure requirements.
- Reviewing your necessity assessment to ensure it is well-documented and defensible.
Whether you’re implementing new technology, updating existing systems, or starting from scratch with your first privacy statement, AWS Legal can guide you through each step — keeping your organisation compliant and maintaining the trust of your staff, customers, and community.