Can my NZ business collect biometric information from staff or customers?

Yes, but only if you comply with the new Biometric Processing Privacy Code, which took effect in 2025. The Code sits on top of the Privacy Act 2020 and adds specific rules for any agency that collects or processes biometric information. You must carry out a proportionality assessment (essentially a PIA), have clear notification, consider less privacy-intrusive alternatives, and meet heightened transparency requirements. Retail, workplace and identity verification use cases are all in scope.

What did the Biometric Processing Privacy Code change?

The Code introduced specific obligations for biometric processing that don't apply to ordinary personal information. The most important changes are: a mandatory proportionality test before deployment, specific notification requirements, restrictions on certain use cases, and a requirement to consider alternatives. The Code applies to biometric identification and categorisation, including facial recognition, fingerprint, voice and behavioural biometrics. If your business uses any biometric technology, you need to document your compliance now.

Do I need consent to use facial recognition in my business?

Consent is not always required, but it is usually the safest legal basis. The Privacy Act 2020 allows collection of personal information for a lawful purpose connected to a function or activity of the agency, but the Biometric Processing Privacy Code adds a proportionality test. For retail loss prevention, that test is particularly demanding and the Privacy Commissioner has issued guidance indicating that many deployments will not meet it. Don't deploy facial recognition without a written assessment and, ideally, legal sign off.

What are the core obligations under the Privacy Act 2020?

The Privacy Act 2020 requires every agency (which includes most businesses) to comply with 13 Information Privacy Principles, to appoint a Privacy Officer, to notify the Privacy Commissioner and affected individuals of notifiable privacy breaches, and to respond to access and correction requests. The IPPs cover the full lifecycle of personal information: collection, use, disclosure, storage, access, correction and destruction. IPP 12 adds restrictions on sending personal information overseas.

Do I need to appoint a Privacy Officer?

Yes. Every agency must have at least one Privacy Officer under section 201 of the Privacy Act 2020. The role can be held by a staff member (it does not need to be a lawyer) and is responsible for ensuring compliance, dealing with complaints and requests, and working with the Privacy Commissioner. For smaller businesses, outsourcing the Privacy Officer function to an external adviser is a lawful and cost-effective option, particularly where you want independence from operational decisions.

How does IPP 12 affect cross-border data transfers?

IPP 12 restricts disclosure of personal information to a foreign person or entity unless one of the prescribed safeguards applies. The most common routes are: the recipient is in a country with comparable privacy laws; the recipient is bound by contract to comparable standards; or the individual authorises the transfer. If you use overseas cloud providers, SaaS tools, offshore contractors or global AI vendors, IPP 12 almost certainly applies. Contract terms need to do the work here.

What should a New Zealand data sharing agreement include?

A good data sharing agreement sets out: the purpose and legal basis for the sharing; the scope of the data; the IPP compliance allocation; security and breach obligations; audit rights; term and termination (including return or destruction of data); liability caps and indemnities; and any specific obligations under the Privacy Act 2020 for joint controllers or processors. For public-private arrangements, Te Tiriti and Māori data considerations also need to be built in. Don't rely on a boilerplate MSA.

When does a commercial contract need a Data Processing Agreement?

A DPA should be attached whenever one party is processing personal information on behalf of the other. In NZ that includes most SaaS agreements, outsourced services, marketing automation, payroll, customer support platforms and AI tools. The DPA sets out the processor's obligations, security standards, breach notification timing, sub-processor approval, and audit rights. It also allocates liability. I draft and negotiate DPAs regularly and can usually turn a short one around quickly.

What is a privacy maturity assessment?

A privacy maturity assessment is a structured review of how well your organisation manages privacy across people, processes, systems and governance. Unlike a PIA, which looks at a single project, a maturity assessment looks at the whole business. It benchmarks where you are today against a recognised framework (such as the Privacy Maturity Assessment Framework), identifies the gaps, and produces a roadmap to lift your maturity over 6, 12 and 24 months. Boards and senior leaders increasingly expect one.

Why should my business consider a privacy maturity assessment?

Three reasons. First, it gives your board and executive team an honest, independent picture of your privacy risk, not just whether you comply, but how robust your controls actually are. Second, it prioritises investment, so you spend money on the gaps that matter most. Third, it creates a defensible record that you are taking privacy seriously, which is valuable if the Privacy Commissioner ever comes knocking or a deal partner asks for assurance. For banks, insurers, health providers and other regulated businesses, a maturity assessment is fast becoming the minimum expected standard.

Why should a privacy maturity assessment be done by a lawyer?

This is the question I get asked most often, and my answer is: because a maturity assessment is a legal risk exercise dressed up as an operational review. A consultant can tell you whether you have a policy. A privacy lawyer can tell you whether that policy actually protects you under the Privacy Act 2020, whether your information sharing arrangements are lawful, whether your cross-border transfers comply with IPP 12, and whether your AI and biometric deployments would survive regulatory scrutiny. Just as importantly, a lawyer-led assessment is protected by legal professional privilege, which means the findings (including uncomfortable ones) are confidential and cannot be used against you by a regulator or in litigation. A consultant report has none of that protection. For serious maturity work, privilege is the single biggest reason to use a lawyer.

What does the assessment actually cover?

A proper maturity assessment covers ten areas: governance and accountability, policies and procedures, privacy notices and consent, data inventory and mapping, information lifecycle management, security and breach response, individual rights (access, correction, complaints), third party and vendor management, training and culture, and monitoring and assurance. For each area, I score your current state against the framework, identify the gaps, flag the legal risks, and recommend specific, prioritised actions. The output is a board ready report plus a practical action plan your operational team can work from.

How long does a privacy maturity assessment take?

For a small to mid-sized NZ business, expect four to six weeks from kickoff to final report. That includes initial scoping, document review, interviews with key staff (typically 6-10 people), benchmarking, drafting, and a presentation to the leadership team or board. For larger or more complex organisations it can run longer. I scope every engagement upfront, many with a fixed fee, so there are no surprises, and I work alongside your team so you build internal capability as we go.

What does responsible AI actually mean for a NZ business?

In practical terms, responsible AI means you have a documented process for deciding when to use AI, how to use it, and how to stop using it if things go wrong. It covers risk assessment, data quality, human oversight, bias testing, explainability, contractual allocation of risk, and ongoing monitoring. NZ does not have dedicated AI legislation yet, but existing laws, the Privacy Act 2020, the Fair Trading Act 1986, the Human Rights Act 1993, and common law negligence, all apply to AI deployments. Ignoring them is a commercial risk, not just a compliance one.

How does the Privacy Act 2020 apply to AI?

The Privacy Act applies to AI in two ways. First, if you train a model on personal information, each of the 13 IPPs applies, including the need for a lawful purpose, notification, and limits on use and disclosure. Second, if you use an AI tool that processes personal information (for example, summarising customer emails or screening CVs), you are collecting and using that information under the Act. The Privacy Commissioner has been clear that AI vendors and AI users are both accountable. Contract terms with your AI vendor matter.

What should an AI governance framework include?

A workable framework has five elements: (1) a clear scope of what counts as AI in your organisation; (2) a risk tiering model so low-risk uses don't get bogged down; (3) a pre-deployment assessment process (similar to a PIA but broader); (4) clear ownership and escalation; and (5) ongoing monitoring and review. It should also deal with staff use of third-party AI tools like ChatGPT or Claude, which is where most NZ businesses have unmanaged risk right now.

Do contracts with AI vendors need special clauses?

Yes. Standard SaaS contract templates are not fit for purpose. At a minimum you need clauses covering: training data rights, prohibition on using your data to train general models, indemnities for IP infringement in outputs, transparency about model versions and changes, audit rights, incident notification, and clear allocation of liability for automated decisions. I regularly review vendor contracts and flag the gaps, it is often the fastest way to reduce AI risk in a business.

When does my business need to do a Privacy Impact Assessment?

There is no general legal requirement to carry out a PIA in NZ. But the Privacy Commissioner strongly expects one before you launch any project that involves new or high risk personal information use. That includes biometrics, AI systems, large-scale data sharing, profiling, and cross-border data transfers. Government agencies are expected to complete PIAs under the Government Chief Privacy Officer model. For private businesses, a PIA is the single best tool to show you took reasonable steps to comply with the Privacy Act 2020 if something later goes wrong.

What does a proper PIA cover?

A useful PIA goes well beyond a compliance checklist. It maps the information flows, tests the project against each of the 13 Information Privacy Principles, assesses the risks to individuals, identifies mitigations, and records the decisions made. It should also cover Te Tiriti and Māori data considerations where relevant. The output should be a document you can hand to the Privacy Commissioner and say: here is how we thought about this. A rushed tick-box PIA is often worse than no PIA at all.

Should we do the PIA in-house or bring in an external lawyer?

Simple, low-risk projects can often be handled internally using a PIA template. For anything involving biometrics, AI, cross-border transfer, sensitive data or public sector partners, an external privacy lawyer adds independence and defensibility. I typically work alongside your team, so you keep ownership of the project, but you have a senior privacy voice challenging assumptions and drafting the final document.

When Privacy Goes Wrong, It Is Not Always a Data Breach: Lessons from a Recent Human Rights Review Tribunal Decision

Apr 11
6 min read

Updated: Apr 13

A recent Human Rights Review Tribunal ruling (is a powerful reminder that privacy risks go well beyond data breaches and cyberattacks. The Tribunal found a New Zealand primary school unlawfully collected and misused highly sensitive medical information about a mother and her son, including details of past drug use and sex work. The information was used to form prejudicial views that shaped how the pair were treated. The result was humiliation, loss of dignity and real harm.

For NZ businesses and organisations, this case illustrates something that often gets lost in privacy conversations. The biggest privacy risks are not always about hackers or lost laptops. They can be about collecting too much information, using it inappropriately, and allowing inaccurate or irrelevant information to drive decisions about people.

What Happened: Privacy Misuse at a NZ School

The case, DNO & BPQ v Board of TRS School [2026] NZHRRT 8, involved a NZ primary school that unlawfully collected and misused highly sensitive medical information about a mother and her son.

In the boy's second week of school, a Starship community nurse provided copies of the mother's medical records to school staff during a meeting about the child's learning support needs. Auckland District Health Board later acknowledged the disclosure was wrong and formally apologised.

The file included an 11-page child protection report containing sensitive medical, family and social history. The Tribunal found a senior teacher used this information to label the mother a "liar", a "meth addict" and a "street worker", and warned other staff that she was dangerous.

The Tribunal determined the school should never have held this information. It found the medical records were used to form views that led to the mother and child being treated differently and poorly compared to others. The school was ordered to pay $29,100 in damages for humiliation, loss of dignity and harm.

Privacy Risks Beyond Data Breaches: Why Over-Collection and Misuse Matter

When most organisations think about privacy risk, they think about data breaches. Cyberattacks, lost USB drives, emails sent to the wrong person. Those are real risks. But this case shows three other types of privacy harm that deserve just as much attention.

Over-collection. The school held an 11-page medical file it had no business possessing. Under the Privacy Act 2020, IPP 1 requires that personal information only be collected for a lawful purpose connected to the agency's function, and IPP 4 says collection must not be unfair or unreasonably intrusive. Holding sensitive medical history about a parent's past goes well beyond what a school needs to support a child's learning.

Inappropriate use. Even where information is lawfully held, IPP 10 limits how it can be used. Information collected for one purpose should not be repurposed to judge, label or discriminate against someone. In this case, medical records collected for child welfare purposes were used to form negative views about a parent and, by extension, her child.

Access to incorrect or misleading information leading to bias and discrimination. The Tribunal found that the senior teacher cherry-picked from the records, drew inaccurate conclusions and dismissed later paediatric assessments showing the child was developing well. The Tribunal concluded the mother was deemed "less deserving of empathy" based on her past, and those views were likely shared with staff working with the boy. IPP 8 requires agencies to take reasonable steps to ensure information is accurate, up to date, complete, relevant and not misleading before using it. This case shows what happens when that principle is ignored. Incomplete or outdated information does not just create administrative problems. It can lead to biased treatment and real discrimination against the people it relates to.

It is worth noting that the Tribunal found the school had actively collected this information, not merely received it. Even where information arrives without being requested, once an agency holds personal information, the Privacy Act still applies. The safest response to receiving personal information you did not ask for is to ask whether you should hold it at all.

What Would Have Changed Under IPP 3A?

This case arose in 2019. Had the new IPP 3A been in force, the school would have been required to take reasonable steps to notify the mother that it had collected her personal information from a third party. That single step could have surfaced the problem much earlier and potentially prevented the harm that followed.

IPP 3A requires agencies that collect personal information indirectly to tell the individual concerned about the collection, including what was collected, the purpose, and their right to access and correct the information.

IPP 3A comes into force on 1 May 2026. For any organisation that collects personal information from sources other than the individual themselves, this is a timely reminder to have notification processes ready.

Internal Sharing and Access Controls

One of the more troubling aspects of this case is how the sensitive information spread within the school. The medical records were shared among staff without any apparent controls on who could access them or why. The senior teacher shared her views about the mother with other staff, and those views shaped how the child was treated in the classroom and playground.

This raises a practical question every organisation should be asking. Who in your business can access sensitive personal information? Is there any process for limiting that access to those who genuinely need it for their role? Without clear access controls and policies, sensitive information can easily move beyond the people who need it and into the hands of people who may misuse it, whether intentionally or not.

The Cost of Denial

There is one more lesson worth drawing from this case. The school repeatedly denied having received or holding the medical records. The Tribunal ultimately rejected those denials.

The mother told the Herald she probably would not have gone to the Tribunal had the school acknowledged wrongly using the records. She said she probably would have accepted an apology and moved on.

This is a pattern that plays out regularly. When organisations respond to a privacy complaint with denial or defensiveness, they often escalate a situation that could have been resolved early. A prompt, honest acknowledgement of what went wrong, a genuine apology and clear steps to prevent it happening again will almost always produce a better outcome than years of litigation. For the school, denial turned what could have been a difficult conversation into a Tribunal proceeding, public scrutiny and a damages award.

What Regulators Are Signalling

Privacy Commissioner Michael Webster has raised concerns about the broader risks of inaccurate information driving decisions, warning of inaccurate predictions, discrimination, unexplainable decisions, and lack of accountability. While he was speaking in the context of automated decision making, the principle applies just as strongly to human decision makers relying on outdated or irrelevant data.

The Privacy Commissioner has also been vocal about the need for stronger enforcement tools, including a potential civil penalty regime. If that eventuates, the financial consequences of mishandling personal information could increase significantly. But even under the current framework, the Tribunal can award damages of up to $350,000. This case shows those consequences are not hypothetical.

Practical Steps Worth Taking

This case is a prompt for any organisation that collects personal information to ask some hard questions.

Audit what you hold. Consider reviewing the personal information your organisation holds. Are you collecting more than you need? Are you holding historical information that is no longer relevant to your purpose?
Limit access to sensitive information. Consider whether the right people, and only the right people, have access to sensitive personal information. Put clear policies in place about who can see what and why.
Check how information is being used. It may be worth reviewing whether personal information is being used only for the purpose it was collected. Staff who have access to sensitive information should understand the boundaries on how it can be used.
Think about accuracy and relevance. Before relying on personal information to make decisions about someone, consider whether the information is current, accurate, complete and relevant. Out-of-date or incomplete information can lead to biased and harmful decisions.
Prepare for IPP 3A. If your organisation collects personal information from third parties rather than directly from individuals, make sure you have processes ready to notify those individuals by 1 May 2026.
Respond well when things go wrong. If a privacy issue is raised, take it seriously. Acknowledging a mistake early, apologising and taking corrective action is almost always less costly than denial and litigation.
Train your people. Privacy is not just a policy exercise. The people who handle personal information day to day need to understand their obligations. This case shows how a single staff member's misuse of sensitive records can cause significant harm and a costly legal outcome.

Every business is different, and whether these issues apply to you will depend on your specific circumstances. If you would like to talk through what this means for your business, I would love to help. Get in touch at rachel@obrienlegal.co.nz or visit obrienlegal.co.nz.

This post is general information only and is not legal advice. If you have specific questions about your situation, please seek independent legal advice.