Biometric Identity and Privacy
Biometric Identity Verification refers to confirming who someone is by measuring something biological. Some examples:
Unlocking your phone with your fingerprint.
Matching DNA in saliva with DNA in blood.
Matching facial measurements against a photo in a passport.
Using a photo or video to identify someone is Biometric process.
Our biological bodies are pretty unique. So, it’s much harder to ‘impersonate an identity’ if it is confirmed biometrically. This is what makes biometric identity verification great for reducing identity fraud.
2Shakes biometric identity verification compares someone's face from a live video they take of themselves on a mobile phone to a photo on their passport or Driver License. It sounds much simpler than it is. The process uses hundreds of measurements in complex ways. Its face match checks eyes, nose, philtrum, jaw, forehead, mouth, brow and liveness. It also assesses the validity of the passport or driver license to check if it is genuine, by checking document integrity, image composition, photo and, detail checks. The data and address details are also verified against trusted sources. You can find more details here on 2Shakes biometric checks.
Biometric data needs to be treated with respect. Anyone who hates having their photo taken, will tell you that biometric data is sensitive information. And now there are laws to ensure it is used in an appropriate, secure and consensual way.
When you use 2Shakes to do biometric identity verification then you need to be aware that there are 13 rules of the biometric processing privacy code that apply.
The biometric processing privacy code comes into effect in New Zealand from November 3, 2025 for new processes. If you are already using biometric identity then it comes into effect for you by August 3, 2026, for existing processes. Now is a good time to do a review of your privacy policy. You can confirm everything is aligned and be ready. Then if anyone is a little nervous you can confidently let them know that you are using biometric technology in a way that puts the protection of privacy safeguards first, across collection, use, and disclosure of their biometric data.
To help you, here is a summary of the 13 rules and how with 2Shakes you comply:
1. Purpose of Collection: Biometric information can only be collected for a lawful purpose connected to an agency's functions and must be necessary and proportionate to the privacy risks.
Using 2Shakes for Biometric identity verification is lawful. In NZ it is the preferred method to identify someone you haven’t met for AML or IR purposes.
2. Source of Biometric Sample Must be obtained from the individual directly.
2Shakes only works if the sample is collected directly from the individual. To see the steps of the process work go to 2shakes Biometric page.
3. Notification/Transparency: You must inform people when and why their biometric information is being collected, along with other relevant details such as the purpose and available alternatives.
When someone starts a 2Shakes biometric identity verification they see a description of the process and are told why it's needed. They must give consent to continue. 2Shakes allows you to offer alternative methods (manual or electronic) for verifying identity, to see more on these options see 2shakes ID options page.
4. Manner of Collection: The collection of biometric information must be fair and not unreasonably intrusive.
The 2Shakes process is simple and under the users control.
6. Storage and Security: Biometric information must be stored securely to reduce privacy risks.
All information in 2Shakes is securely stored and held in line with privacy law. You can see the 2Shakes Privacy PolicyU
6. Access: Individuals can request access to their biometric information and confirmation of its type.
All information in 2Shakes can be provided on request in line with the Privacy Act, 2020.
7. Correction: Individuals have the right to request the correction of their biometric information.
2Shakes allows for notes and files related to corrections to be stored in its system to enable corrections and decisions records to be stored for reference and as auditable records. You can see more information at 2Shakes Notes page.
8. Accuracy: Biometric information must be kept accurate and up-to-date.
2Shakes ongoing customer due diligence and renewal functionality facilitates the maintenance of data including Biometric Identity data over time. See the Renewals Ongoing CDD page for more details.
9. Retention: Biometric information should not be kept for longer than necessary.
2Shakes dashboard makes it easy to find records by age, and to archive and delete records. Our Ongoing CDD functionality also allows you to search for information related to AML CDD by age.
NOTE: As a business the rules you have established on how long you retain records will guide retention of biometric identity data and records.
10. Limits on Use: The use of biometric information is limited to the purpose for which it was collected. Highly intrusive uses like inferring sensitive information are restricted.
11. Disclosure: Biometric information should only be disclosed when there is a good reason.
12. Overseas Disclosure: Biometric information sent outside New Zealand must be adequately protected.
2Shakes user access controls enable restriction of access to appropriately authorised users. See User Access for details on how to do this.
NOTE: Your privacy policy needs to outline any rules around sharing or disclosure of biometric identity information.
13. Unique Identifiers: The assignment of unique identifiers (other than the name itself) using biometric information is subject to specific technical restrictions.
2Shakes relies on people and business names to locate information, rather than technical identifiers.
Where to Find More Information:
The Biometric Processing Privacy Code 2025 and related guidance & factsheets is on the Office of the Privacy Commissioner website https://www.privacy.org.nz/resources-and-learning/a-z-topics/biometrics/
The official press release on Why this law matters – ‘It is not just information about us, it is us’, from Privacy Commissioner Michael Webster.
If you need further information please reach out the team support@2shakes.co.nz.