Using Biometric Data in New Zealand: Consent and Privacy Issues for Businesses

Biometric tools can look like an easy upgrade for security, attendance tracking or customer verification. The legal risk usually appears later, when a business has already bought the system, uploaded fingerprints or face scans, and only then asks what consent should have looked like. Common mistakes include relying on a generic privacy policy, collecting more biometric data than the business actually needs, and assuming employee agreement is automatic because the system is used at work.

A biometric consent form can help, but it is only one part of a lawful process. In New Zealand, businesses also need to think about privacy collection notices, whether the collection is really necessary, how the data will be stored, who can access it, and what happens if there is a privacy breach. This guide explains what a biometric consent form should cover, when your business is likely to need one, and the practical steps to take before you sign a supplier contract or spend money on setup.

Overview

Biometric data is sensitive because it relates to a person’s unique physical or behavioural characteristics, such as fingerprints, facial geometry or voice patterns. In New Zealand, collecting and using that data can trigger obligations under the Privacy Act 2020, and in some cases employment, consumer and contract issues as well.

  • Work out whether you genuinely need biometric collection, rather than a less intrusive alternative.
  • Tell people clearly what data you are collecting, why you need it, who will receive it, and how long you will keep it.
  • Use a biometric consent form that is specific to the system and use case, not a broad one-line sign-off.
  • Check whether consent is freely given, especially in employment or other unequal bargaining situations.
  • Review your supplier contract, storage arrangements, offshore hosting, and data security settings before launch.
  • Make sure your privacy policy, internal procedures, and data breach response plan match what actually happens in practice.

A biometric consent form is a written record that a person has been told what biometric information will be collected and has agreed to that collection and use. It is useful evidence, but it does not replace your wider privacy obligations.

For most businesses, biometric information includes data used to identify or verify someone through physical or behavioural traits. That might include:

  • fingerprint or thumbprint scans for staff attendance
  • facial recognition for site access or customer verification
  • voiceprints for call centre authentication
  • iris or retina scans in high-security environments
  • behavioural patterns used for fraud detection, if linked to an identifiable individual

Under the Privacy Act 2020, the starting point is that personal information must only be collected for a lawful purpose connected with your business, and the collection must be necessary for that purpose. This is where founders often get caught. A vendor may describe biometric collection as efficient or modern, but legal necessity is a different question.

If your goal is to stop time-sheet fraud, improve building security, or confirm a customer’s identity remotely, ask whether the same purpose can be achieved with a PIN, swipe card, app login, photo ID check or another less intrusive method. If a reasonable alternative exists, collecting fingerprints or facial scans may be harder to justify.

Consent matters because people should understand what is happening to their data and agree to it. Still, a signed biometric consent form does not automatically make every use lawful.

That is because privacy compliance also depends on the context. Your business should still be able to show:

  • the collection was necessary for a legitimate business purpose
  • the person was given clear notice at or before collection
  • the information collected was not excessive
  • the data is accurate, secure and only kept for as long as needed
  • the use and disclosure stay within what the person was told, unless another lawful basis applies

In practical terms, a good biometric consent form usually sits alongside a privacy collection notice, internal access controls, a supplier agreement, and a data retention or deletion process.

A useful form should be specific and readable. If it is vague, buried in onboarding paperwork, or drafted so broadly that people cannot tell what they are agreeing to, the form may create more risk than protection.

A business will often want the form to include:

  • what biometric data is being collected
  • the reason for collection and how the system works in plain English
  • whether the data is used for identification, verification, monitoring or security
  • who will store or process the data, including third party providers
  • whether the data is stored in New Zealand or overseas
  • how long the data will be retained and when it will be deleted or de-identified
  • whether providing the data is optional or required, and what alternatives exist
  • how the person can request access to or correction of their information
  • who to contact with privacy questions or complaints

The wording should also line up with your privacy policy and your actual practices. If the form says data is deleted when employment ends, but your supplier keeps templates for two years by default, that mismatch can cause trouble.

Employee consent is often the hardest area. A staff member may sign a biometric consent form because they feel they have no real choice, not because they freely agreed.

That does not mean employers can never use biometric systems. It means the business should be cautious about treating consent as the only legal foundation. Before introducing facial recognition for warehouse access or fingerprint scanners for timekeeping, think about whether the requirement is reasonable, whether there is a genuine business need, and whether an alternative process should be offered.

Employment agreements, workplace policies and consultation processes can all matter here. If a business rolls out the system without proper notice or consultation, it may create employee relations issues on top of privacy concerns.

When This Issue Comes Up

Biometric privacy issues usually arise when a business is adopting a new tech tool, tightening security, or trying to speed up verification. The legal work should happen before implementation, not after complaints start.

Staff attendance and access control

Small and medium businesses often encounter this first through time and attendance systems. A provider offers a fingerprint scanner to stop buddy punching, or a face-based access system for a shared office, factory or warehouse.

Before you proceed, ask whether the business problem is significant enough to justify collecting biometric data. If the real issue is weak shift records, a less intrusive attendance system may do the job.

Customer verification and onboarding

Businesses in finance, property, health, hospitality, events and online services may use selfie matching, facial verification or voice authentication to confirm identity. This can feel efficient for remote onboarding, but the customer needs clear notice and the business needs strong controls around storage and use.

This is especially relevant before you launch online or adopt a new app-based registration process. A privacy statement that simply says you collect personal information for service delivery is usually too broad if your app is analysing face images or voiceprints.

High-security sites and sensitive premises

Some businesses have stronger reasons for biometric use, such as restricted areas, hazardous facilities, or premises with valuable stock and controlled access. Even then, the collection should match the risk.

If only a small number of authorised staff need secure access, consider limiting biometric use to that group rather than collecting data from everyone on site, including casual workers and visitors.

Visitor management and event operations

Visitor management platforms sometimes include facial recognition or image matching features. Event operators may also use biometric scanning for entry or crowd management.

These situations can create practical consent problems. A visitor or attendee may have little time to read a policy at the gate, and there may be no real alternative entry method. If the business cannot provide meaningful notice and choice, the system design may need to change.

Supplier-driven implementation

Another common trigger is a software or hardware provider presenting biometric collection as a standard feature. Businesses sometimes sign the contract first, then discover the product stores templates offshore, reuses data for product improvement, or limits deletion rights.

Before you sign a contract, review how the supplier handles personal information, what security certifications it has, whether subcontractors are involved, and whether your business can meet its own promises to staff or customers.

Practical Steps And Common Mistakes

The safest approach is to treat biometrics as a high-risk data project, even if the system seems simple. A short planning exercise before rollout can prevent expensive rework later.

1. Define the exact purpose

Write down the problem you are trying to solve. If the purpose is broad or vague, the collection is much harder to justify.

Good examples include:

  • restricting access to a hazardous storage area
  • verifying the identity of account holders during remote onboarding
  • reducing repeated payroll fraud in a specific workplace where other controls failed

Weak examples include improving efficiency, modernising systems, or wanting a more advanced user experience.

2. Test whether biometrics are necessary

Necessity is the key question. If a less privacy-intrusive option can achieve the same result, that option may be more appropriate.

Compare the proposed system against alternatives such as:

  • PIN or passcode access
  • swipe cards or fobs
  • multi-factor authentication
  • manual ID checks
  • photo ID badges
  • device-based app authentication

Keep a short written record of why you chose biometrics and why alternatives were not suitable. That record can help later if you face questions from staff, customers or the Privacy Commissioner.

3. Write a clear collection notice and consent form

Your notice should explain the collection in plain English before or at the time data is collected. The biometric consent form should then capture the person’s agreement in a way that matches the notice.

Avoid legalese, bundled consents and hidden permissions. If you want to use biometric data for more than one purpose, set that out clearly. Do not ask for broad consent to future uses that are not yet defined.

4. Check whether consent is genuinely voluntary

This is where many businesses overstate what consent achieves. If a staff member, contractor, tenant or customer has no realistic alternative, calling the process voluntary may be misleading.

Where choice is limited, think about:

  • whether the collection is still justifiable on necessity grounds
  • whether an alternative method should be offered
  • whether separate consultation or contractual steps are needed
  • how you will handle objections fairly and consistently

5. Review your supplier arrangements

The supplier contract needs attention before you spend money on setup. Your provider may be storing templates, processing raw images, or using cloud hosting outside New Zealand.

Check the contract for:

  • where data is stored and processed
  • whether offshore disclosures occur
  • who owns or controls the biometric templates
  • security standards and incident notification obligations
  • subcontracting rights
  • deletion and return procedures on termination
  • limits on your ability to audit or obtain information
  • whether supplier terms allow reuse for analytics, AI training or product development

If the contract does not support your privacy commitments, update the deal before rollout rather than trying to fix the issue later.

6. Set retention and deletion rules

Biometric data should not be kept forever just because the software can store it. Your business should decide how long templates, scans and related logs are needed, then document deletion triggers.

Examples might include deleting staff biometrics shortly after employment ends, deleting visitor records after a short security window, or removing unused customer verification data once onboarding is complete, unless another legal requirement applies.

7. Tighten access and security

The main risk is not only unlawful collection. It is also unauthorised access, misuse, and breach response failures.

Practical safeguards may include:

  • role-based access controls
  • encryption in transit and at rest
  • separate storage of biometric templates from other identity data where possible
  • multi-factor authentication for administrators
  • logging and audit trails
  • internal restrictions on exports and screenshots
  • staff training on handling sensitive information

If a privacy breach creates a risk of serious harm, New Zealand’s mandatory data breach notification rules may apply. That is another reason to map your systems properly from the start.

8. Align documents and day-to-day practice

Your privacy policy, staff handbook, onboarding materials, customer terms and supplier contract should all tell the same story. Mismatched documents are a common problem.

For example, if your customer terms say identity verification is optional but the app blocks access unless a face scan is uploaded, the legal documents do not reflect reality. The same issue comes up when an employment policy promises deletion on request but payroll systems cannot support that outcome.

Common mistakes businesses make

The most frequent mistakes are practical rather than technical. Businesses often:

  • buy a biometric system before assessing legal necessity
  • copy a generic biometric consent form from another business or overseas template
  • fail to explain overseas hosting or third party processing
  • collect raw images when a less intrusive template-based approach is available
  • keep biometric data longer than needed
  • assume staff consent is enough without consultation or alternatives
  • forget to update internal privacy documents and training
  • treat facial recognition for convenience as if it were the same as essential security use

Each of these issues becomes harder to fix once the system is live, especially if biometric data has already been collected.

FAQs

Does every business collecting biometric data need a consent form?

Not every situation will look identical, but most businesses collecting biometric data should use a clear written consent process and privacy notice. The exact format depends on the context, the people affected, and whether there is any genuine choice.

Is employee consent enough on its own?

No. Employee consent can help, but employers should also consider whether the collection is necessary, reasonable, properly consulted on, and supported by clear policies and employment documentation.

Can we store biometric data overseas?

Possibly, but you need to understand where the information is going, what safeguards apply, and whether your disclosures are properly covered in your privacy communications and supplier arrangements. Offshore storage should be reviewed carefully before rollout.

What if someone refuses to provide biometric data?

The answer depends on why the data is being collected and whether a practical alternative exists. If the collection is not truly necessary, refusal may indicate you should offer another method rather than force biometric collection.

Is our existing privacy policy enough?

No. A privacy policy is useful background information, but it will not usually be enough on its own for a specific biometric collection process. A separate, tailored consent form and collection notice are usually safer.

Key Takeaways

  • A biometric consent form is helpful evidence of agreement, but it does not replace your broader privacy obligations under New Zealand law.
  • Your business should only collect biometric data for a clear, lawful and necessary purpose connected to its operations.
  • Staff and customers need specific notice about what is collected, why it is needed, who handles it, where it is stored, and how long it is kept.
  • Employee consent needs extra care because unequal bargaining power can make consent less meaningful in practice.
  • Supplier contracts, offshore hosting, data security, retention rules and breach response plans all need review before implementation.
  • The biggest practical mistake is adopting a biometric system first and trying to patch the legal documents later.

If your business is dealing with a biometric consent form and wants help with privacy collection notices, biometric consent forms, supplier contract reviews, data retention and breach planning, you can reach us on 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.

Alex Solo, Co-Founder

Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
