Can my NZ business collect biometric information from staff or customers?

Yes, but only if you comply with the new Biometric Processing Privacy Code, which took effect in 2025. The Code sits on top of the Privacy Act 2020 and adds specific rules for any agency that collects or processes biometric information. You must carry out a proportionality assessment (essentially a PIA), have clear notification, consider less privacy-intrusive alternatives, and meet heightened transparency requirements. Retail, workplace and identity verification use cases are all in scope.

What did the Biometric Processing Privacy Code change?

The Code introduced specific obligations for biometric processing that don't apply to ordinary personal information. The most important changes are: a mandatory proportionality test before deployment, specific notification requirements, restrictions on certain use cases, and a requirement to consider alternatives. The Code applies to biometric identification and categorisation, including facial recognition, fingerprint, voice and behavioural biometrics. If your business uses any biometric technology, you need to document your compliance now.

Do I need consent to use facial recognition in my business?

Consent is not always required, but it is usually the safest legal basis. The Privacy Act 2020 allows collection of personal information for a lawful purpose connected to a function or activity of the agency, but the Biometric Processing Privacy Code adds a proportionality test. For retail loss prevention, that test is particularly demanding and the Privacy Commissioner has issued guidance indicating that many deployments will not meet it. Don't deploy facial recognition without a written assessment and, ideally, legal sign off.

What are the core obligations under the Privacy Act 2020?

The Privacy Act 2020 requires every agency (which includes most businesses) to comply with 13 Information Privacy Principles, to appoint a Privacy Officer, to notify the Privacy Commissioner and affected individuals of notifiable privacy breaches, and to respond to access and correction requests. The IPPs cover the full lifecycle of personal information: collection, use, disclosure, storage, access, correction and destruction. IPP 12 adds restrictions on sending personal information overseas.

Do I need to appoint a Privacy Officer?

Yes. Every agency must have at least one Privacy Officer under section 201 of the Privacy Act 2020. The role can be held by a staff member (it does not need to be a lawyer) and is responsible for ensuring compliance, dealing with complaints and requests, and working with the Privacy Commissioner. For smaller businesses, outsourcing the Privacy Officer function to an external adviser is a lawful and cost-effective option, particularly where you want independence from operational decisions.

How does IPP 12 affect cross-border data transfers?

IPP 12 restricts disclosure of personal information to a foreign person or entity unless one of the prescribed safeguards applies. The most common routes are: the recipient is in a country with comparable privacy laws; the recipient is bound by contract to comparable standards; or the individual authorises the transfer. If you use overseas cloud providers, SaaS tools, offshore contractors or global AI vendors, IPP 12 almost certainly applies. Contract terms need to do the work here.

What should a New Zealand data sharing agreement include?

A good data sharing agreement sets out: the purpose and legal basis for the sharing; the scope of the data; the IPP compliance allocation; security and breach obligations; audit rights; term and termination (including return or destruction of data); liability caps and indemnities; and any specific obligations under the Privacy Act 2020 for joint controllers or processors. For public-private arrangements, Te Tiriti and Māori data considerations also need to be built in. Don't rely on a boilerplate MSA.

When does a commercial contract need a Data Processing Agreement?

A DPA should be attached whenever one party is processing personal information on behalf of the other. In NZ that includes most SaaS agreements, outsourced services, marketing automation, payroll, customer support platforms and AI tools. The DPA sets out the processor's obligations, security standards, breach notification timing, sub-processor approval, and audit rights. It also allocates liability. I draft and negotiate DPAs regularly and can usually turn a short one around quickly.

What is a privacy maturity assessment?

A privacy maturity assessment is a structured review of how well your organisation manages privacy across people, processes, systems and governance. Unlike a PIA, which looks at a single project, a maturity assessment looks at the whole business. It benchmarks where you are today against a recognised framework (such as the Privacy Maturity Assessment Framework), identifies the gaps, and produces a roadmap to lift your maturity over 6, 12 and 24 months. Boards and senior leaders increasingly expect one.

Why should my business consider a privacy maturity assessment?

Three reasons. First, it gives your board and executive team an honest, independent picture of your privacy risk, not just whether you comply, but how robust your controls actually are. Second, it prioritises investment, so you spend money on the gaps that matter most. Third, it creates a defensible record that you are taking privacy seriously, which is valuable if the Privacy Commissioner ever comes knocking or a deal partner asks for assurance. For banks, insurers, health providers and other regulated businesses, a maturity assessment is fast becoming the minimum expected standard.

Why should a privacy maturity assessment be done by a lawyer?

This is the question I get asked most often, and my answer is: because a maturity assessment is a legal risk exercise dressed up as an operational review. A consultant can tell you whether you have a policy. A privacy lawyer can tell you whether that policy actually protects you under the Privacy Act 2020, whether your information sharing arrangements are lawful, whether your cross-border transfers comply with IPP 12, and whether your AI and biometric deployments would survive regulatory scrutiny. Just as importantly, a lawyer-led assessment is protected by legal professional privilege, which means the findings (including uncomfortable ones) are confidential and cannot be used against you by a regulator or in litigation. A consultant report has none of that protection. For serious maturity work, privilege is the single biggest reason to use a lawyer.

What does the assessment actually cover?

A proper maturity assessment covers ten areas: governance and accountability, policies and procedures, privacy notices and consent, data inventory and mapping, information lifecycle management, security and breach response, individual rights (access, correction, complaints), third party and vendor management, training and culture, and monitoring and assurance. For each area, I score your current state against the framework, identify the gaps, flag the legal risks, and recommend specific, prioritised actions. The output is a board ready report plus a practical action plan your operational team can work from.

How long does a privacy maturity assessment take?

For a small to mid-sized NZ business, expect four to six weeks from kickoff to final report. That includes initial scoping, document review, interviews with key staff (typically 6-10 people), benchmarking, drafting, and a presentation to the leadership team or board. For larger or more complex organisations it can run longer. I scope every engagement upfront, many with a fixed fee, so there are no surprises, and I work alongside your team so you build internal capability as we go.

What does responsible AI actually mean for a NZ business?

In practical terms, responsible AI means you have a documented process for deciding when to use AI, how to use it, and how to stop using it if things go wrong. It covers risk assessment, data quality, human oversight, bias testing, explainability, contractual allocation of risk, and ongoing monitoring. NZ does not have dedicated AI legislation yet, but existing laws, the Privacy Act 2020, the Fair Trading Act 1986, the Human Rights Act 1993, and common law negligence, all apply to AI deployments. Ignoring them is a commercial risk, not just a compliance one.

How does the Privacy Act 2020 apply to AI?

The Privacy Act applies to AI in two ways. First, if you train a model on personal information, each of the 13 IPPs applies, including the need for a lawful purpose, notification, and limits on use and disclosure. Second, if you use an AI tool that processes personal information (for example, summarising customer emails or screening CVs), you are collecting and using that information under the Act. The Privacy Commissioner has been clear that AI vendors and AI users are both accountable. Contract terms with your AI vendor matter.

What should an AI governance framework include?

A workable framework has five elements: (1) a clear scope of what counts as AI in your organisation; (2) a risk tiering model so low-risk uses don't get bogged down; (3) a pre-deployment assessment process (similar to a PIA but broader); (4) clear ownership and escalation; and (5) ongoing monitoring and review. It should also deal with staff use of third-party AI tools like ChatGPT or Claude, which is where most NZ businesses have unmanaged risk right now.

Do contracts with AI vendors need special clauses?

Yes. Standard SaaS contract templates are not fit for purpose. At a minimum you need clauses covering: training data rights, prohibition on using your data to train general models, indemnities for IP infringement in outputs, transparency about model versions and changes, audit rights, incident notification, and clear allocation of liability for automated decisions. I regularly review vendor contracts and flag the gaps, it is often the fastest way to reduce AI risk in a business.

When does my business need to do a Privacy Impact Assessment?

There is no general legal requirement to carry out a PIA in NZ. But the Privacy Commissioner strongly expects one before you launch any project that involves new or high risk personal information use. That includes biometrics, AI systems, large-scale data sharing, profiling, and cross-border data transfers. Government agencies are expected to complete PIAs under the Government Chief Privacy Officer model. For private businesses, a PIA is the single best tool to show you took reasonable steps to comply with the Privacy Act 2020 if something later goes wrong.

What does a proper PIA cover?

A useful PIA goes well beyond a compliance checklist. It maps the information flows, tests the project against each of the 13 Information Privacy Principles, assesses the risks to individuals, identifies mitigations, and records the decisions made. It should also cover Te Tiriti and Māori data considerations where relevant. The output should be a document you can hand to the Privacy Commissioner and say: here is how we thought about this. A rushed tick-box PIA is often worse than no PIA at all.

Should we do the PIA in-house or bring in an external lawyer?

Simple, low-risk projects can often be handled internally using a PIA template. For anything involving biometrics, AI, cross-border transfer, sensitive data or public sector partners, an external privacy lawyer adds independence and defensibility. I typically work alongside your team, so you keep ownership of the project, but you have a senior privacy voice challenging assumptions and drafting the final document.

What the Bunnings Decision Means for NZ Businesses Considering Facial Recognition Technology

Mar 31
5 min read

Updated: Apr 2

Facial recognition technology is arriving in New Zealand retail, fast. Bunnings has announced it will roll out facial recognition technology in all 42 of its New Zealand stores, starting in Hamilton in April 2026. Briscoes is already trialling it. So is Rebel Sport. And behind the scenes, a landmark Australian tribunal decision has just reshaped how businesses everywhere should think about deploying this technology.

If your business is considering facial recognition technology in New Zealand, or is already using any form of biometric processing, now is the time to understand what the rules require and where the real risks lie.

What the Australian Tribunal Decided

In February 2026, the Administrative Review Tribunal (ART) delivered its decision in Bunnings Group Limited and Privacy Commissioner [2026] ARTA 130.

A bit of background. Bunnings deployed facial recognition technology in stores across Australia between 2018 and 2021. The system scanned the faces of everyone entering and compared them against a database of people who had previously engaged in violence, retail crime, or other harmful behaviour at Bunnings stores. The Australian Privacy Commissioner investigated and found Bunnings had breached several Australian Privacy Principles (APPs). Bunnings appealed.

The ART's decision was mixed. It upheld three of the Privacy Commissioner's findings. Bunnings breached APP 1.2 by failing to implement appropriate practices, procedures, and systems around its FRT deployment. It breached APP 1.3 because its privacy policy made no mention of FRT at all. And it breached APP 5.1 by failing to give customers adequate notice that their faces were being scanned. All three of those findings stood.

What the Tribunal did overturn was the finding that Bunnings had unlawfully collected sensitive biometric information without consent (APP 3.3). The Tribunal found that a "permitted general situation" under APP 3.4(b) and section 16A of the Privacy Act applied. In short, it was satisfied that Bunnings' deployment of FRT was a reasonable and proportionate response to a genuine threat, namely the prevention of serious retail crime and the protection of staff and customers from violence and abuse. In reaching that conclusion, the Tribunal assessed whether the FRT was a suitable and effective response to the problem of repeat offenders, whether there were comparable less privacy-intrusive alternatives available (it found there were not), and whether the privacy impact was proportionate to the benefits achieved. Bunnings succeeded on all three.

On the risk assessment point, the Tribunal was pointed in its criticism. It found that Bunnings had taken "random enquiries and actions" rather than conducting the "formal, structured and documented" privacy risk assessment that a deployment of this kind required.

The headline takeaway for businesses is this: even where a permitted general situation may apply, failing to be transparent about what you are doing, and failing to document your privacy assessment properly, are breaches in their own right.

Why This Matters for NZ Businesses

The ART decision is an Australian ruling applying Australian privacy law. It is not binding in New Zealand. But it is highly instructive, particularly now that Bunnings is actively rolling FRT out across its NZ stores and other retailers are following. The parallels between what the Australian Tribunal examined and what the NZ Code requires are striking.

The Biometric Processing Privacy Code 2025 came into force in New Zealand on 3 November 2025. It introduces 13 rules that apply specifically to biometric processing activities, replacing the corresponding information privacy principles under the Privacy Act 2020 for those activities. If you are already using biometric processing, your grace period to align with the new rules ends on 3 August 2026.

The parallels between what the Australian Tribunal examined and what the NZ Code requires are striking.

What the NZ Biometric Code Actually Requires

Under the NZ Code, collecting and processing biometric information must be lawful, necessary, and proportionate to the privacy risks involved. Critically, organisations must genuinely assess whether a less privacy-intrusive alternative could achieve the same purpose just as effectively. If a swipe card or PIN could reasonably do the job, biometric processing may not be justified.

Transparency requirements are explicit. Organisations must provide clear and conspicuous notice to individuals, including identifying the agency collecting the information, the intended recipients, and individuals' rights to complain to the Privacy Commissioner. For a retail setting, this typically means clear signage at entry points where capture is occurring.

Safeguards must be adopted and documented before collection begins. The Code also requires organisations to consider the cultural impacts of biometric processing on Māori, which goes beyond a simple tick-box exercise.

The NZ Privacy Commissioner's June 2025 inquiry into Foodstuffs North Island's FRT trial is also relevant context. The Commissioner found that Foodstuffs' trial complied with the Privacy Act, given the significant safeguards in place, including a tightly scoped watchlist, exclusion of children and young people, and deletion of 99.999% of facial images within one minute. But the Commissioner was clear that effectiveness alone does not justify FRT use. It must also be necessary and proportionate.

A Distinctly NZ Risk: Accuracy, Bias, and Te Tiriti

One issue the NZ Commissioner specifically flagged, and which does not feature as prominently in the Australian decision, is accuracy risk across New Zealand's diverse population. FRT systems trained primarily on overseas datasets may perform less accurately for Māori and Pacific peoples. This raises both a direct compliance risk under the Code and a broader reputational and equity concern that businesses operating in NZ need to take seriously.

Practical Steps Worth Taking

Before deploying any FRT or biometric system, complete a formal, structured, and documented privacy impact assessment. The ART decision makes clear that informal or ad hoc steps are not enough. The tribunal described Bunnings' approach as "random enquiries and actions" and that was not a compliment.
Review your transparency and notice arrangements. Clear signage at entry points is a minimum. Think carefully about what you are telling people, when, and whether it actually gives them the information the Code requires.
Document your assessment of less privacy-intrusive alternatives. It is not enough to have considered them in passing. Record why you concluded that biometric processing is necessary and proportionate for your specific purpose.
If you are considering an FRT system, ask your vendor about its accuracy rates across different ethnicities, and specifically how it performs for Māori and Pacific peoples in the New Zealand context.
If you are already using biometric processing, check whether the 3 August 2026 deadline applies to you, and map what changes are needed to align with the Code before that date.
Get legal advice early, and be aware of the difference between legal advice and privacy consulting. A lawyer advising you on your biometric deployment can provide advice protected by legal professional privilege. That privilege can matter significantly if you later face a regulatory investigation or complaint to the Privacy Commissioner. Privacy consultants, however skilled, are not regulated professionals and cannot provide legally privileged advice. Where the stakes are high, that distinction is worth understanding.

Every business is different, and whether these issues apply to you will depend on your specific circumstances. If you would like to talk through what this means for your business, I would love to help. Get in touch at rachel@obrienlegal.co.nz or visit obrienlegal.co.nz.

This post is general information only and is not legal advice. If you have specific questions about your situation, please seek independent legal advice.