Can my NZ business collect biometric information from staff or customers?

Yes, but only if you comply with the new Biometric Processing Privacy Code, which took effect in 2025. The Code sits on top of the Privacy Act 2020 and adds specific rules for any agency that collects or processes biometric information. You must carry out a proportionality assessment (essentially a PIA), have clear notification, consider less privacy-intrusive alternatives, and meet heightened transparency requirements. Retail, workplace and identity verification use cases are all in scope.

What did the Biometric Processing Privacy Code change?

The Code introduced specific obligations for biometric processing that don't apply to ordinary personal information. The most important changes are: a mandatory proportionality test before deployment, specific notification requirements, restrictions on certain use cases, and a requirement to consider alternatives. The Code applies to biometric identification and categorisation, including facial recognition, fingerprint, voice and behavioural biometrics. If your business uses any biometric technology, you need to document your compliance now.

Do I need consent to use facial recognition in my business?

Consent is not always required, but it is usually the safest legal basis. The Privacy Act 2020 allows collection of personal information for a lawful purpose connected to a function or activity of the agency, but the Biometric Processing Privacy Code adds a proportionality test. For retail loss prevention, that test is particularly demanding and the Privacy Commissioner has issued guidance indicating that many deployments will not meet it. Don't deploy facial recognition without a written assessment and, ideally, legal sign off.

What are the core obligations under the Privacy Act 2020?

The Privacy Act 2020 requires every agency (which includes most businesses) to comply with 13 Information Privacy Principles, to appoint a Privacy Officer, to notify the Privacy Commissioner and affected individuals of notifiable privacy breaches, and to respond to access and correction requests. The IPPs cover the full lifecycle of personal information: collection, use, disclosure, storage, access, correction and destruction. IPP 12 adds restrictions on sending personal information overseas.

Do I need to appoint a Privacy Officer?

Yes. Every agency must have at least one Privacy Officer under section 201 of the Privacy Act 2020. The role can be held by a staff member (it does not need to be a lawyer) and is responsible for ensuring compliance, dealing with complaints and requests, and working with the Privacy Commissioner. For smaller businesses, outsourcing the Privacy Officer function to an external adviser is a lawful and cost-effective option, particularly where you want independence from operational decisions.

How does IPP 12 affect cross-border data transfers?

IPP 12 restricts disclosure of personal information to a foreign person or entity unless one of the prescribed safeguards applies. The most common routes are: the recipient is in a country with comparable privacy laws; the recipient is bound by contract to comparable standards; or the individual authorises the transfer. If you use overseas cloud providers, SaaS tools, offshore contractors or global AI vendors, IPP 12 almost certainly applies. Contract terms need to do the work here.

What should a New Zealand data sharing agreement include?

A good data sharing agreement sets out: the purpose and legal basis for the sharing; the scope of the data; the IPP compliance allocation; security and breach obligations; audit rights; term and termination (including return or destruction of data); liability caps and indemnities; and any specific obligations under the Privacy Act 2020 for joint controllers or processors. For public-private arrangements, Te Tiriti and Māori data considerations also need to be built in. Don't rely on a boilerplate MSA.

When does a commercial contract need a Data Processing Agreement?

A DPA should be attached whenever one party is processing personal information on behalf of the other. In NZ that includes most SaaS agreements, outsourced services, marketing automation, payroll, customer support platforms and AI tools. The DPA sets out the processor's obligations, security standards, breach notification timing, sub-processor approval, and audit rights. It also allocates liability. I draft and negotiate DPAs regularly and can usually turn a short one around quickly.

What is a privacy maturity assessment?

A privacy maturity assessment is a structured review of how well your organisation manages privacy across people, processes, systems and governance. Unlike a PIA, which looks at a single project, a maturity assessment looks at the whole business. It benchmarks where you are today against a recognised framework (such as the Privacy Maturity Assessment Framework), identifies the gaps, and produces a roadmap to lift your maturity over 6, 12 and 24 months. Boards and senior leaders increasingly expect one.

Why should my business consider a privacy maturity assessment?

Three reasons. First, it gives your board and executive team an honest, independent picture of your privacy risk, not just whether you comply, but how robust your controls actually are. Second, it prioritises investment, so you spend money on the gaps that matter most. Third, it creates a defensible record that you are taking privacy seriously, which is valuable if the Privacy Commissioner ever comes knocking or a deal partner asks for assurance. For banks, insurers, health providers and other regulated businesses, a maturity assessment is fast becoming the minimum expected standard.

Why should a privacy maturity assessment be done by a lawyer?

This is the question I get asked most often, and my answer is: because a maturity assessment is a legal risk exercise dressed up as an operational review. A consultant can tell you whether you have a policy. A privacy lawyer can tell you whether that policy actually protects you under the Privacy Act 2020, whether your information sharing arrangements are lawful, whether your cross-border transfers comply with IPP 12, and whether your AI and biometric deployments would survive regulatory scrutiny. Just as importantly, a lawyer-led assessment is protected by legal professional privilege, which means the findings (including uncomfortable ones) are confidential and cannot be used against you by a regulator or in litigation. A consultant report has none of that protection. For serious maturity work, privilege is the single biggest reason to use a lawyer.

What does the assessment actually cover?

A proper maturity assessment covers ten areas: governance and accountability, policies and procedures, privacy notices and consent, data inventory and mapping, information lifecycle management, security and breach response, individual rights (access, correction, complaints), third party and vendor management, training and culture, and monitoring and assurance. For each area, I score your current state against the framework, identify the gaps, flag the legal risks, and recommend specific, prioritised actions. The output is a board ready report plus a practical action plan your operational team can work from.

How long does a privacy maturity assessment take?

For a small to mid-sized NZ business, expect four to six weeks from kickoff to final report. That includes initial scoping, document review, interviews with key staff (typically 6-10 people), benchmarking, drafting, and a presentation to the leadership team or board. For larger or more complex organisations it can run longer. I scope every engagement upfront, many with a fixed fee, so there are no surprises, and I work alongside your team so you build internal capability as we go.

What does responsible AI actually mean for a NZ business?

In practical terms, responsible AI means you have a documented process for deciding when to use AI, how to use it, and how to stop using it if things go wrong. It covers risk assessment, data quality, human oversight, bias testing, explainability, contractual allocation of risk, and ongoing monitoring. NZ does not have dedicated AI legislation yet, but existing laws, the Privacy Act 2020, the Fair Trading Act 1986, the Human Rights Act 1993, and common law negligence, all apply to AI deployments. Ignoring them is a commercial risk, not just a compliance one.

How does the Privacy Act 2020 apply to AI?

The Privacy Act applies to AI in two ways. First, if you train a model on personal information, each of the 13 IPPs applies, including the need for a lawful purpose, notification, and limits on use and disclosure. Second, if you use an AI tool that processes personal information (for example, summarising customer emails or screening CVs), you are collecting and using that information under the Act. The Privacy Commissioner has been clear that AI vendors and AI users are both accountable. Contract terms with your AI vendor matter.

What should an AI governance framework include?

A workable framework has five elements: (1) a clear scope of what counts as AI in your organisation; (2) a risk tiering model so low-risk uses don't get bogged down; (3) a pre-deployment assessment process (similar to a PIA but broader); (4) clear ownership and escalation; and (5) ongoing monitoring and review. It should also deal with staff use of third-party AI tools like ChatGPT or Claude, which is where most NZ businesses have unmanaged risk right now.

Do contracts with AI vendors need special clauses?

Yes. Standard SaaS contract templates are not fit for purpose. At a minimum you need clauses covering: training data rights, prohibition on using your data to train general models, indemnities for IP infringement in outputs, transparency about model versions and changes, audit rights, incident notification, and clear allocation of liability for automated decisions. I regularly review vendor contracts and flag the gaps, it is often the fastest way to reduce AI risk in a business.

When does my business need to do a Privacy Impact Assessment?

There is no general legal requirement to carry out a PIA in NZ. But the Privacy Commissioner strongly expects one before you launch any project that involves new or high risk personal information use. That includes biometrics, AI systems, large-scale data sharing, profiling, and cross-border data transfers. Government agencies are expected to complete PIAs under the Government Chief Privacy Officer model. For private businesses, a PIA is the single best tool to show you took reasonable steps to comply with the Privacy Act 2020 if something later goes wrong.

What does a proper PIA cover?

A useful PIA goes well beyond a compliance checklist. It maps the information flows, tests the project against each of the 13 Information Privacy Principles, assesses the risks to individuals, identifies mitigations, and records the decisions made. It should also cover Te Tiriti and Māori data considerations where relevant. The output should be a document you can hand to the Privacy Commissioner and say: here is how we thought about this. A rushed tick-box PIA is often worse than no PIA at all.

Should we do the PIA in-house or bring in an external lawyer?

Simple, low-risk projects can often be handled internally using a PIA template. For anything involving biometrics, AI, cross-border transfer, sensitive data or public sector partners, an external privacy lawyer adds independence and defensibility. I typically work alongside your team, so you keep ownership of the project, but you have a senior privacy voice challenging assumptions and drafting the final document.

Australia Is Getting a Children's Online Privacy Code. Should NZ Businesses Be Paying Attention?

Mar 31
4 min read

Australia has just (31/03/2025) released its draft Children's Online Privacy Code for public consultation. The Code, developed by the Office of the Australian Information Commissioner (OAIC), sets out new rules for how online services handle children's personal information. Consultation closes on 5 June 2026, and the final Code must be registered by 10 December 2026.

This matters for NZ businesses for two reasons. First, if you operate services accessible to Australian users, you may be directly caught. Second, New Zealand's Privacy Commissioner has been signalling a growing focus on children's privacy for some time. The question is no longer whether NZ will act, but when and how.

What the Australian Children's Code Covers

The Code applies to organisations bound by Australia's Privacy Act 1988 that provide online services likely to be accessed by a child. That includes social media platforms, messaging apps, video calling tools, online games with chat functions, streaming services, cloud storage, and even consumer Internet of Things devices like smart watches.

The scope is deliberately broad. If a service is likely to be accessed by a child, the obligations apply. You do not need to be specifically targeting children.

Key obligations in the draft Code include:

Best interests of the child as the primary test for decisions about children's data. Organisations would need to consider whether their data practices serve the child's interests, not just commercial objectives.
Privacy by default. Privacy settings must be set to the highest level by default. Geolocation, for example, would need to be switched off unless it is essential to the service and in the child's best interests.
Restrictions on profiling and marketing. Commercial profiling and targeted marketing directed at children would be restricted unless essential to the service and in the child's best interests.
Child-focused impact assessments. Organisations would need to carry out privacy impact assessments specifically considering the effects on children's data and rights.
Data deletion. Children may be given the right to request deletion of their data, and automatic deletion after periods of inactivity may be required.

These are significant obligations. For businesses that have not previously thought about children as a distinct user group, the compliance effort could be substantial.

What This Could Mean for NZ Businesses

Even if your business operates only in New Zealand, there are good reasons to pay attention.

The NZ Privacy Commissioner launched the Children's Privacy Project in September 2023. The Office released a report in April 2024 summarising findings from consultations with government agencies, professionals working with children, and non-governmental organisations. Since then, the OPC has released guidance on photography and filming involving children (May 2025) and education sector privacy guidance.

Importantly, the Privacy Act 2020 already gives the Privacy Commissioner the power to issue codes of practice that become part of the law. A children's online privacy code is well within the Commissioner's existing authority. No legislative change would be needed.

Privacy Commissioner Michael Webster has also been vocal about the challenges of protecting children online. He has raised concerns about social media age verification, warning that blanket bans on under-16s may push young people towards less regulated platforms with fewer safety controls.

NZ is also progressing its own Social Media (Age-Restricted Users) Bill, which would require platforms to take reasonable steps to prevent under-16s from accessing accounts.

The direction of travel is clear. Children's online privacy is a regulatory priority in NZ. Whether that leads to a dedicated code of practice, amendments to the Privacy Act, or sector-specific guidance, businesses that collect data from users under 18 should be thinking about this now.

What Regulators Are Signalling

This is not just an Australia and NZ conversation. The UK's Age Appropriate Design Code (also known as the Children's Code) has been in force since 2021, and the EU's General Data Protection Regulation already includes specific protections for children's data.

Australia's Code is the latest in a global trend towards treating children's privacy as requiring specific, enforceable standards rather than relying on general privacy principles alone.

The NZ Privacy Commissioner's sustained focus on children's privacy, combined with the existing power to issue codes of practice, suggests NZ may follow a similar path. The OPC has not yet announced a children's privacy code, but the groundwork has clearly been laid.

Practical Steps Worth Taking

Consider whether your services are likely to be accessed by children. This is the threshold question under the Australian Code, and it is likely to be relevant in any future NZ framework. Think broadly. If your service does not actively exclude children, they may be using it.
Review your privacy settings and defaults. Are your default settings set to the highest privacy level? If not, consider whether "privacy by default" should be your standard approach, particularly for any service accessible to young users.
Assess your data practices through a "best interests" lens. Ask whether the data you collect from younger users is genuinely necessary for the service, or whether it serves primarily commercial purposes.
Check your data retention and deletion processes. Do you have a clear process for deleting data when requested? Do you retain children's data longer than necessary?
Keep an eye on the NZ Privacy Commissioner's next steps. The OPC's Children's Privacy Project is ongoing, and further guidance or regulatory action may follow.

Every business is different, and whether these issues apply to you will depend on your specific circumstances. If you would like to talk through what this means for your business, I would love to help. Get in touch at rachel@obrienlegal.co.nz or visit obrienlegal.co.nz.

This post is general information only and is not legal advice. If you have specific questions about your situation, please seek independent legal advice.