25th August.
A Comprehensive Guide to New Zealand’s Biometric Processing Privacy Code and How ORTUS AI Ensures Business Compliance
The New Zealand Privacy Commissioner has issued the Biometric Processing Privacy Code (the Code), effective 3 November 2025. This landmark legislation, which has the force of law, replaces the general Information Privacy Principles of the Privacy Act for any agency using automated biometric processes. For New Zealand businesses, this is a critical development that demands proactive preparation to maintain customer trust, avoid compliance risks, and ensure a smooth transition by the deadline of 3 August 2026.
ORTUS AI's product suite is uniquely positioned to help New Zealand businesses not only achieve compliance but also leverage technology in a responsible, ethical, and effective manner.
This document provides a comprehensive overview of the Code’s key obligations and details how the ORTUS AI product suite is specifically designed to address each requirement, ensuring your business is ready for the new regulatory landscape.
Understanding the Key Obligations of the New Code
The Code introduces several critical obligations that go beyond standard privacy principles. For businesses, these can be complex, and a well-thought-out approach is required.
1. Necessity and Proportionality: The Code's core principle is that any use of biometrics must be truly necessary, effective, and proportionate to a lawful purpose. This requires an evidence-based decision-making process. Businesses must be prepared to show that the benefits of using biometrics clearly outweigh the privacy risks, and that less intrusive alternatives (like improved staffing, store design, or traditional surveillance) would not be as effective in practice.
2. Transparency and Consent: Transparency is a cornerstone of the Code. Businesses must clearly and conspicuously inform individuals about the use of a biometric system before or at the time of collection. This notification must explain what data is being collected, why, how it will be used, what alternatives are available, and where an individual can access the business's proportionality assessment.
3. Data Security and Safeguards: The Code mandates robust security measures to protect biometric data from misuse, loss, or unauthorized access. This includes secure storage, strict access controls, and prompt deletion of data when no longer needed. The Code also requires transparent governance processes, which includes clear policies and staff training.
4. Bias and Accuracy Concerns: The Code addresses the risk of bias and inaccuracy in biometric systems. It explicitly limits particularly intrusive uses like predicting emotions or inferring sensitive characteristics such as ethnicity or sex. Businesses must ensure their systems are reliable, tested for fairness, and do not lead to discriminatory outcomes.
5. Cultural and Social Considerations: The Code places a specific emphasis on assessing the cultural and social impacts of biometric technologies, particularly in relation to Māori and other communities. This requires businesses to be mindful of how their systems may affect different groups and to ensure fair and equitable outcomes for all. Data sovereignty and the potential for a surveilled society are key concerns the Code aims to address.
How ORTUS AI Addresses These Obligations
The ORTUS AI product suite provides a comprehensive and ethical framework for navigating these requirements. By focusing on data minimization and a privacy-by-design approach, ORTUS AI helps businesses achieve their goals while building a foundation of trust and compliance.
1. Addressing Necessity and Proportionality with Non-Intrusive Analytics
ORTUS AI provides the biometric-specific guardrails required by the Code by first offering a suite of powerful, non-biometric analytical tools. This allows a business to establish a solid, data-driven case for any future need for biometrics.
ORTUS Live & X.ZONE: These modules empower businesses with granular data on foot traffic, dwell time, and visitor flow. Businesses can use these insights to optimize store layouts, manage queues at checkouts, and improve customer flow. This data helps prove that a business is using the least intrusive methods to address issues, satisfying the necessity test before even considering biometrics.
Case-by-Case Justification: If a business's primary objective is to combat crime, they can first deploy ORTUS AI’s non-biometric people and vehicle detection and tracking. If data shows that crime persists despite these measures, the documented evidence can be used to justify the necessity of a biometric solution for a specific, lawful purpose—a key requirement of the Code.
2. Ensuring Transparency and Consent through Integrated Design
ORTUS AI’s architecture facilitates the clear and conspicuous notification required by the Code.
API-First Design: The platform's API-first design allows for seamless integration with existing in-store digital signage and customer-facing applications. This enables the creation of custom interfaces that clearly and conspicuously display required notices about data collection, the purpose, and any available alternatives, such as self-checkout or staffed tills.
Privacy Controls: ORTUS AI's flexible privacy controls allow businesses to manage sensitive data on a granular level. The platform can be configured to not collect or store sensitive biometric information, helping businesses build trust with their customers by demonstrating a commitment to privacy that goes beyond mere compliance.
3. Delivering Robust Data Security and Safeguards
ORTUS AI is built to meet and exceed the Code’s security requirements from the ground up.
Privacy by Design: At its core, ORTUS AI is built on a privacy by design philosophy. It ensures that no sensitive or uniquely identifiable information is collected or stored. The blurred + long exposure background images feature provides visual context to security teams without compromising an individual's identity, thereby mitigating the risk of unauthorized access to personal data.
Secure Access & Compliance: The platform offers Single Sign-On (SSO) integration with leading identity providers like Okta and Microsoft AD, along with granular user authorization (RBAC). This ensures that only authorized personnel can access the system. ORTUS AI's alignment with SOC 2 Type II and ISO 27001 standards provides a high level of assurance that the platform meets internationally recognized security practices, giving New Zealand businesses confidence in its data handling.
4. Mitigating Bias and Accuracy Concerns
The Code addresses the risks of bias, a significant concern. ORTUS AI’s approach to technology helps businesses navigate this ethically.
Primary Value Proposition: ORTUS AI’s primary value proposition is to provide actionable insights using non-biometric data. This approach inherently avoids the risk of bias associated with the profiling or categorization of individuals based on ethnicity, gender, or other sensitive characteristics. This directly addresses the Code's restrictions on intrusive uses of biometrics.
Continuous Improvement: The ORTUS AI roadmap includes ongoing development of new detection models and new tracking algorithms, demonstrating a commitment to continuously improving accuracy and reliability.
5. Respecting Cultural and Social Considerations
ORTUS AI's flexible architecture and deployment options are designed to respect cultural and social considerations, particularly in a diverse market like New Zealand.
On-Premise Deployment: The platform's support for off-line/on-premise deployments allows businesses to maintain full control over their data, keeping it entirely within their own secure networks. This addresses concerns around data sovereignty and is critical for building trust with communities who may be wary of having their information sent overseas.
Flexible Deployment & Controls: The platform can be deployed in a way that respects diverse organizational structures and community-specific data management policies, ensuring fair and equitable outcomes.