Biometric Identity and Privacy
Biometric Identity Verification refers to confirming who someone is by measuring something intrinsic about who they are. Some examples:
Unlocking your phone with your fingerprint.
Matching DNA in saliva with DNA in blood.
Matching facial measurements against a photo in a passport.
Using a photo or video to identify someone is a Biometric process.
Our biological bodies are pretty unique. So, it’s much harder to impersonate someone if it is confirmed biometrically. This is what makes biometric identity verification great for reducing identity fraud.
2Shakes’ Biometric Identity Verification compares someone's face from a live video they take of themselves on a mobile phone to a photo on their Passport or Driver License. It sounds much simpler than it is. The process uses hundreds of measurements in complex ways. Its face match checks eyes, nose, philtrum, jaw, forehead, mouth, brow and liveness. It also assesses the validity of the Passport or Driver License by checking document integrity, image composition, that it is genuine and not a photo, and detail checks. The data and address details are also verified against trusted sources, including the issuing government agency. You can find more details on the 2Shakes biometric checks page.
Biometric data needs to be treated with respect. Biometric data is sensitive, Personally Identifiable Information - just ask anyone who hates having their photo taken! And now there are specific laws to ensure Biometric Information is used in an appropriate, secure and consensual way.
When you use 2Shakes to carry out Biometric Identity Verification, you need to be aware that there are 13 rules of the Biometric Processing Privacy Code that apply.
The Biometric Processing Privacy Code comes into effect in New Zealand from November 3 2025 for new processes. If you are already using biometric identity in existing processes then it comes into effect for you on August 3 2026.
Now is a good time to review your Privacy Policy, so you can confirm everything is aligned and ready. Then, if anyone is a little nervous about Biometric Verification, you can explain how you are using biometric technology in a way that puts privacy safeguards first, across collection, use, and disclosure of their biometric data.
To help you, here is a summary of the 13 rules and how 2Shakes helps you comply:
1. Purpose of Collection: Biometric information can only be collected for a lawful purpose connected to an agency's functions and must be necessary and proportionate to the privacy risks.
Using 2Shakes for Biometric identity verification is lawful. In NZ it is a preferred method to identify someone you haven’t met for AML or other purposes.
2. Source of Biometric Sample: Must be obtained from the individual directly.
2Shakes only works if the sample is collected directly from the individual (via their mobile phone camera). To see how the steps of the process work, go to the 2Shakes Biometric page.
3. Notification/Transparency: You must inform people when and why their biometric information is being collected, along with other relevant details such as the purpose and available alternatives.
When someone starts a 2Shakes biometric identity verification they see a description of the process and are told why it's needed. They must give consent to continue. 2Shakes allows you to offer alternative methods (manual or electronic) for verifying identity. To see more on these options, see the 2Shakes ID options page.
4. Manner of Collection: The collection of biometric information must be fair and not unreasonably intrusive.
The 2Shakes process is simple and under the user’s control. It takes a couple of minutes of their time, and can be done anywhere they have internet access on their phone.
5. Storage and Security: Biometric information must be stored securely to reduce privacy risks.
All information in 2Shakes is securely stored and held in line with privacy law. For more details, see our Data Protection and Privacy Policy pages.
6. Access: Individuals can request access to their biometric information and confirmation of its type.
You are able to access all information on your clients in 2Shakes, and can provide it on request in line with the Privacy Act 2020.
7. Correction: Individuals have the right to request the correction of their biometric information.
2Shakes allows notes and files related to corrections to be stored in its system, so that corrections and decision records are kept for reference and as auditable records. You can see more information on the 2Shakes Notes page.
8. Accuracy: Biometric information must be kept accurate and up-to-date.
2Shakes' ongoing customer due diligence and renewal functionality allows for the maintenance of data over time. See the Renewals Ongoing CDD page for more details.
9. Retention: Biometric information should not be kept for longer than necessary.
The 2Shakes dashboard makes it easy to find records by age, and to archive and delete records. Our Ongoing CDD functionality also allows you to search for information related to AML CDD by date.
NOTE: As a business, the rules you have established on how long you retain records will guide retention of biometric identity data and records. See, for example, your AML Programme.
10. Limits on Use: The use of biometric information is limited to the purpose for which it was collected. Highly intrusive uses like inferring sensitive information are restricted.
11. Disclosure: Biometric information should only be disclosed when there is a good reason.
12. Overseas Disclosure: Biometric information sent outside New Zealand must be adequately protected.
2Shakes customers are bound by our Terms of Use and Privacy, which ensure compliance with rules 10, 11 and 12. In addition, 2Shakes user access controls enable restriction to appropriately authorised users. See User Access for details.
NOTE: Your privacy policy needs to outline any rules around sharing or disclosure of biometric identity information.
13. Unique Identifiers: The assignment of unique identifiers (other than the name itself) using biometric information is subject to specific technical restrictions.
2Shakes relies on people and business names to locate information, rather than technical identifiers. The Biometric Verification has a report number.
Where to Find More Information:
The Biometric Processing Privacy Code 2025 and related guidance and factsheets are on the Office of the Privacy Commissioner website: https://www.privacy.org.nz/resources-and-learning/a-z-topics/biometrics/
The official press release on why this law matters – ‘It is not just information about us, it is us’, from Privacy Commissioner Michael Webster.
If you need further information, please reach out to the team at support@2shakes.co.nz.