New rule 3A introduced to the Biometric Processing Privacy Code

The Office of the Privacy Commissioner (OPC) has now settled how Information Privacy Principle 3A (IPP3A) will be incorporated into the Biometric Processing Privacy Code 2025 (the Code): through a new rule 3A dealing with indirect collection. This is an important development for agencies using biometric information for biometric processing, because it confirms that compliance does not stop at the point of direct capture.

New IPP3A applies from 1 May 2026 to personal information collected indirectly. In broad terms, where an agency collects personal information from someone other than the individual concerned, it must take reasonable steps, as soon as reasonably practicable after collection, to ensure the individual is aware of specified matters unless an exception applies. IPP3A does not apply to personal information collected indirectly before 1 May 2026. You can read more about IPP3A here.

New rule 3A

The OPC has now incorporated this indirect collection notification concept into the Code through a new rule 3A.

The Code already replaces the Information Privacy Principles in the Privacy Act 2020 with 13 targeted rules for biometric information, including a rule 3 that requires agencies to tell people about the collection of biometric information for the purpose of biometric processing where the biometric information is collected directly from the individual. Biometric information is regarded as highly sensitive personal information because it is closely connected to identity, may be difficult or impossible to replace if compromised, and can create broader concerns about surveillance, exclusion and fairness. You can read more about the Code here.

Rule 3A is being added to the Code to reflect IPP3A but will be modified to align with the existing rules and exceptions in the Code. The aim is clarity and consistency – agencies will have biometric-specific notification rules for both direct and indirect collection. So, for biometric deployments:

• Direct collection (e.g., an employer enrolling employees into a biometric verification access system operated by the employer) will be governed by rule 3.

• Indirect collection (e.g., a shared workspace business receiving biometric templates collected by an employer cohabiting in the shared workspace to enrol its employees into a biometric verification access system operated by the shared workspace business) will be governed by rule 3A.

In practice, rule 3A narrows IPP3A to make it fit with rule 3 of the Code, which is itself stricter than IPP3, especially as to the content and presentation of notices.

In particular, rule 3A of the Code does not include the full set of statutory exceptions available in IPP3A. The “not reasonably practicable”, “publicly available information”, “no prejudice to the individual” and “information used in a form where individual not identifiable” exceptions have been excluded from rule 3A. Agencies will also need to comply with the extra notification matters that are required by rule 3(1) and 3(2) of the Code compared with IPP3/IPP3A (such as whether there is any available alternative option).

Operationalising rule 3A

In practice, there may be situations where both IPP3A and rule 3A are relevant, and agencies will have to decide how to comply when the statutory frameworks do not fully align.

This could arise, for example, in a commercial scenario involving the use of a multi-party biometric identification system. Agencies could be subject to rule 3A of the Code for their biometric processing activities (i.e., indirectly collecting biometric information for the purpose of biometric processing) and subject to IPP3A for any indirect collection of other personal information (e.g., the names of individuals). In that scenario, agencies would have to apply one framework to the non-biometric processing components of the process (full IPP3A) and apply a different, narrower framework to the biometric processing components (rule 3A), even if both sets of information travel through the same technical pipelines and are presented to individuals in a single privacy notice.

This fragmentation may make it harder for agencies to design a coherent and efficient notification strategy. Agencies may still present a single privacy notice, but that notice must satisfy the IPP3A requirements for non-biometric processing and the Code’s more specific biometric-notification requirements where biometric processing is involved.

In these data-sharing arrangements, agencies cannot assume that the direct collector’s privacy notice solves the issue for everyone downstream. The logic of IPP3A, reflected in new rule 3A, is that the agency collecting the information indirectly bears the obligation of notification, and must be satisfied that the individual has been made aware of the relevant matters unless a recognised exception can properly be relied on. If the downstream indirect collector wants to rely on an upstream notice to satisfy the “previously been made aware” exception, it must have a sound evidential basis for concluding that the earlier notice made the individual aware of all the required matters (including the specific recipient and purposes).

Timing

The amendment to the Code to add rule 3A applies from 1 May 2026, which aligns with the commencement of IPP3A itself. However, the existing transition period for agencies already using biometric processing to become compliant with the Code remains until 3 August 2026.

The OPC’s position is that this means that:

• Agencies that started biometric processing after 3 November 2025 – when the Code took effect – must comply with rule 3A on 1 May 2026.

• Agencies that started biometric processing before or on 3 November 2025 must comply with rule 3A on 3 August 2026.

As with IPP3A, to give effect to rule 3A agencies will need to map biometric data flows carefully to identify where biometric information for biometric processing is collected directly, where it is received indirectly, which parties are acting only as service providers, and what notifications travel through which systems. Agencies will also need to review their privacy notices, check whether contractual arrangements support compliance with rule 3A and assess carefully whether any statutory exceptions apply.

Please contact our team if your organisation needs advice on complying with rule 3A.

‍