Short answer: Before a firm uses face, fingerprint, voice, or behaviour-based identification, it should understand the system, the supplier, the data flow, the access model, and the fallback process. That is technology governance, not just a policy document.
What this helps you check
Use this as a practical starting point before adopting or renewing a biometric system.
- Where biometric information is collected, stored, and accessed
- Which supplier controls the platform and support process
- How the firm disables, removes, or falls back from the system
The Office of the Privacy Commissioner has confirmed that New Zealand's Biometric Processing Privacy Code 2025 came into force on 3 November 2025 for new biometric processing. Agencies already using biometrics have a nine-month grace period to move to the new rules, ending on 3 August 2026.
The Code is privacy law. This article does not interpret it or tell firms what their legal obligations are. The practical technology point is simpler: biometric systems can feel like a convenient access or verification tool, but they may introduce sensitive data, third-party dependence, retention questions, and harder incident decisions.
For legal, financial, and advisory firms, the issue is not limited to a futuristic facial-recognition project. It can include building entry systems, visitor platforms, clock-in tools, voice-based verification, specialist client portals, device identity features, and products pitched as fraud prevention or security automation.
The current NZ signal
The Privacy Commissioner describes biometric processing as the use of technologies, such as facial recognition, to collect and process biometric information to identify people or learn more about them. The Commissioner also notes examples such as faces, fingerprints, voice, keystroke patterns, or the way a person walks.
That is a broad technology category. Before a firm signs a supplier agreement or turns on a feature, leaders should be clear about what is actually being collected and whether the tool is necessary for the business problem.
1. Confirm whether the system is truly biometric
Do not rely on the product name. Ask the supplier what information is collected, whether templates are created, whether identification or classification is performed, and whether any biometric information leaves the device, building system, or platform.
This matters because some tools are presented as ordinary access control, visitor management, security monitoring, or fraud prevention. The privacy and technology risk can be quite different if the system is analysing a face, fingerprint, voice, movement pattern, or typing behaviour.
2. Map the data flow before approval
A short data-flow review can prevent long-term confusion. The firm should know where information is captured, where it is stored, whether it is encrypted, who can access it, whether it is sent offshore, and how long it is retained.
For Microsoft 365-connected workflows, also check whether alerts, exports, reports, or identity records are copied into SharePoint, Teams, email, ticketing tools, or supplier portals. Sensitive information can spread through operational workarounds if nobody owns the process.
3. Review supplier control and administrator access
Biometric systems often depend on a specialist vendor, building manager, device provider, or software platform. Firms should understand who can administer the system, reset access, export records, change settings, and respond during an incident.
Administrator access should be limited, named, protected with multi-factor authentication where available, and reviewed regularly. Shared logins and informal supplier access are a weak fit for systems that may involve sensitive personal information.
4. Keep a non-biometric fallback
Convenience should not make the firm dependent on one sensitive method of identification. There should be a clear alternative if the system fails, a person opts out where appropriate, a supplier outage occurs, or the firm decides to stop using the tool.
That fallback should be written down and understood by the people who manage reception, facilities, HR, IT, security, and leadership decisions. If the only people who know the workaround are unavailable, the firm has created a resilience issue.
5. Treat deletion and offboarding as part of the design
It is easier to set deletion rules before a system goes live than after years of use. Ask how information is removed when a staff member leaves, a contractor finishes, a visitor record expires, or a supplier relationship ends.
Also check whether deletion removes only the visible profile or the underlying template, logs, exports, backups, and supplier-held copies. The answer may affect whether the system is suitable for the firm's risk appetite.
6. Do not let AI features bypass normal governance
Some biometric or identity systems now include AI-assisted detection, classification, risk scoring, or behaviour analysis. These features should not be enabled quietly because they are bundled into a platform update.
Firms should keep the same discipline they would apply to other sensitive technology: documented purpose, limited access, human oversight, supplier review, clear settings, and a plain-English explanation for the people affected.
What should firm leaders do this month?
A calm first step is to ask six questions:
- Are we using any system that captures face, fingerprint, voice, movement, typing, or behaviour patterns?
- What business problem does each system solve, and is a lower-risk option available?
- Where is the information stored, who can access it, and which supplier controls it?
- What Microsoft 365, email, ticketing, or reporting workflows receive related information?
- How do we disable access, delete records, and offboard people cleanly?
- What is the fallback if the system fails or the firm decides to stop using it?
If those answers are unclear, pause before enabling new biometric features and run a focused technology and privacy-risk review with the right professional advice involved.
Common questions
Does every use of biometrics need the same level of review?
No. The right review depends on the system, purpose, data flow, vendor, and risk. This article is a technology-risk starting point, not legal or regulatory advice.
What should professional services firms check first?
Start by confirming whether biometric information is being collected, where it is stored, who can access it, which vendor supports it, and how the firm would disable or remove it if needed.
Is this article privacy advice or compliance advice?
No. It is general information about technology governance and risk. Firms should take appropriate professional advice for their own privacy and regulatory obligations.
Source note
This article is based on official Office of the Privacy Commissioner material: Biometric Processing Privacy Code 2025 (issued 21 July 2025, in force for new biometric processing from 3 November 2025, with the transition period for existing biometric processing ending 3 August 2026), Factsheet 1: Biometric Processing Privacy Code overview, and the Privacy Commissioner's Privacy Act 2020 privacy principles page noting IPP3A from 1 May 2026.
Compliance note: This article is general information only. It is technology-risk guidance, not legal advice, not financial advice, not regulatory advice, not privacy advice, and not compliance advice. Firms should take appropriate professional advice for their own obligations and circumstances.
Book a Conversation
