Privacy commissioner issues new Biometric Processing Privacy Code

New rules for automated biometrics use will come into force on 3 November

The privacy commissioner has announced the release of a Biometric Processing Privacy Code under the Privacy Act 2020, which will establish specific privacy rules for agencies, businesses, and organisations engaging in the automated use of biometrics. 

“Biometrics are some of our most sensitive information,” said Michael Webster, privacy commissioner, in a media release from the Office of the Privacy Commissioner (OPC). “It is not just information about us, it is us.” 

According to the OPC, while the Code comes into force on 3 November 2025, agencies already utilising biometrics should align themselves with the new rules by 3 August 2026. 

“We understand the Code may require some changes to agencies’ processes and policies for them to be compliant, like creating new notifications, training staff, or changing their technical systems, and we wanted to give them enough time to make these happen,” Webster said. 

In its media release, the OPC said the new privacy rules aim to: 

  • help New Zealanders be confident about the use and protection of their sensitive data 
  • ensure agencies safely and proportionately implement biometric technologies 
  • enable agencies to innovate 

“The very thing that makes biometrics risky, their uniqueness, also makes them useful,” Webster said. “The aim of the new rules is to allow for beneficial uses of biometrics while minimising the risks for people’s privacy and society as a whole.” 

Webster stressed that the Code has legal force and the same legal status as the Privacy Act’s information privacy principles, which the Code will replace for situations where agencies utilise biometric information in automated processes. 

“Having biometric-specific guardrails will help agencies deploy these tools safely, using the right tool for the job and protecting people’s privacy rights as they do it,” Webster said. 

Obligations

According to information from the OPC’s website, agencies need to: 

  • assess whether using biometrics would be effective, proportional, and fit for the circumstances 
  • enforce safeguards to lower privacy risk 
  • ensure transparency by informing people about when and why they are using a biometric system before or during the collection of biometric information and other important data 
  • comply with the limits that apply to highly intrusive biometric uses, such as emotion prediction, attention tracking, and inferring sensitive information like ethnicity or sex 

The OPC explained that the Code would only permit these particularly intrusive uses of biometrics in certain circumstances, such as when utilising biometrics would be crucial for assisting people with disabilities, keeping individuals safe, or conducting research. 

“Biometrics can have major benefits, including convenience, efficiency, and security,” Webster said. “However, it can also create significant privacy risks, including surveillance and profiling, lack of transparency and control, and accuracy, bias, and discrimination.” 

In its media release, the OPC shared that it also released detailed guidance to support the Code, explain how it would work in practice, and offer examples for agencies to better comprehend their obligations if they used biometrics. 

“Our guidance is a starting point; agencies still need to do their own thinking and seek advice to understand their own situation and how they are using or plan to use biometrics,” Webster said. 

In its media release, the OPC noted that biometric processing is the use of facial recognition technology and similar technologies to collect and process biometric information to identify individuals or find out more about them. 

“Biometrics should only be used if they are necessary, effective and proportionate; the key thing to make sure of is that the benefits outweigh the privacy risks,” Webster said in the OPC’s media release.

In January, Webster announced an intention to release rules seeking to strengthen the regulation of biometric information. The OPC issued a draft version of the Biometric Processing Privacy Code for public consultation, with submissions accepted until March 2025.