The Biometric Processing Privacy Code and AI in New Zealand in 2026

New Zealand’s Biometric Processing Privacy Code, in force since 3 November 2025, sets binding rules for facial recognition and other biometric AI. What it requires and who has until August 2026 to comply.

dgm is an independent osFoundry integration partner — not affiliated with the company that makes osFoundry, and dgm has not yet completed any client integrations. This article describes services dgm offers, not past results.

New Zealand’s Biometric Processing Privacy Code 2025 sets binding rules for biometric AI such as facial recognition. It has been in force since 3 November 2025, with a grace period for existing agencies.

Key points

• The Code is a binding code of practice under the Privacy Act 2020
• In force from 3 November 2025 for new biometric processing
• Existing agencies have until 3 August 2026 to comply
• It applies to facial recognition, fingerprints and other biometric information

The detail

New Zealand’s data-protection law is the Privacy Act 2020, in force since 1 December 2020 (it replaced the Privacy Act 1993). It is built around 13 Information Privacy Principles (IPPs) and is enforced by the Office of the Privacy Commissioner (OPC / Te Mana Mātāpono Matatapu). It is New Zealand’s own law — not the GDPR. Two recent additions matter for AI: IPP 12 governs disclosing personal information to anyone outside New Zealand (you must reasonably believe the overseas recipient is subject to comparable safeguards — the OPC publishes model contract clauses), and a new IPP 3A (from the Privacy Amendment Act 2025, in force 1 May 2026) adds a notification duty when you collect someone’s personal information indirectly. There is a mandatory notifiable-breach scheme: if a privacy breach is likely to cause serious harm, you must notify the OPC and affected individuals as soon as practicable. A binding Biometric Processing Privacy Code 2025 has been in force since 3 November 2025 (existing agencies have until 3 August 2026 to comply). The OPC has also published guidance on AI and the IPPs — its expectations include leadership sign-off, a privacy impact assessment before use, transparency, consulting Māori on risks and impacts, and human review of AI outputs.

Where this leaves your AI project

A model-agnostic platform like osFoundry helps you meet these obligations in practice — you can keep data in New Zealand (an Auckland region or local-first), control model choice via BYOK, and connect to your own systems. dgm can help you scope and implement with this in mind.

How dgm can help

dgm is an independent integration partner that helps New Zealand organisations put osFoundry to work — from choosing a worthwhile first use case through to the hands-on build and connecting it to the systems you already run. dgm is not affiliated with the company that makes osFoundry, and it has not yet completed any client integrations, so what is described here is the service dgm offers, not past results. If you want help scoping a realistic first project, dgm can work through it with you.

This article is general information only and is not legal, tax or investment advice. Rates, caps and programme status change — confirm the current position with the relevant official body or a licensed adviser before you act.

Related reading

• The Privacy Act 2020 and AI
• Is AI regulated in New Zealand?
• Responsible AI governance for New Zealand organisations
• Data residency in New Zealand and AI: a practical guide