Privacy Commissioner Michael Webster has found that the live facial recognition technology model trialled by Foodstuffs North Island is compliant with the Privacy Act.
However, his Inquiry report released today, shows that any business considering or using FRT needs to make sure it sets things up right to stay within the law.
“While the use of FRT during the trial was effective at reducing harmful behaviour (especially reducing serious violent incidents) it has also shown that there are many things that need to be taken into account.
“FRT systems have potential safety benefits, but they do raise significant privacy concerns, including the unnecessary or unfair collection of people’s information, misidentification, technical bias which can reinforce existing inequities and human bias, or the ability to be used for surveillance”.
“These issues become particularly critical when people need to access essential services such as supermarkets. FRT will only be acceptable if the use is necessary and the privacy risks are successfully managed”.
The purpose of the Privacy Commissioner’s Inquiry into Foodstuffs North Island’s trial use of live FRT was to understand its privacy impacts, its compliance with the Privacy Act, and to evaluate if it was an effective tool in reducing serious retail crime compared with other less privacy intrusive options.
The Inquiry found while the level of privacy intrusion was high because every visitor’s face is collected, the privacy safeguards used in the trial reduced it to an acceptable level.
“Foodstuffs North Island designed the privacy safeguards used in the trial with feedback from my Office. This has provided some useful lessons for other businesses which may be considering using FRT.”
The main privacy safeguards in place during the trial were:
Images that did not result in a positive match were deleted immediately, as recommended by OPC – this meant there was very little privacy impact on most people who entered the trial stores.
The system was set up to only identify people who had engaged in seriously harmful behaviour, particularly violent offending.
Staff were not permitted to add images of children or young people under 18, or people thought to be vulnerable, to the watchlist.
There was no sharing of watchlist information between stores.
During the trial, the operational threshold that triggered an FRT alert was raised from 90% to 92.5% likelihood of the images matching, reducing the chances that people would be misidentified while managing down the “computer says yes” risk.
Match alerts were verified by two trained staff, ensuring that human decision making was a key part of the process.
Access to the FRT system and information was restricted to trained authorised staff only.
Images collected were not permitted to be used for training data purposes.
Systems were reviewed and improved during the trial where misidentifications or errors occurred.
“There is still some work to do to increase the safety and effectiveness of FRT software use in the New Zealand context, as FRT technology has been developed overseas and has not been trained on the New Zealand population.
“As a result, we can’t be completely confident it has fully addressed technical bias issues, including the potential negative impact on Māori and Pacific people. This means the technology must only be used with the right processes in place, including human checks that an alert is accurate before acting on it.”
“Some improvements will also need to be made by FSNI before the use of FRT is made permanent or expanded to more stores. These focus on ensuring the documented processes and system settings are updated to match what happens in practice, including ongoing review of the use of FRT to make sure its use is justified as an effective tool for reducing serious harm offending.
“I also expect that Foodstuffs North Island will put in place monitoring and review to allow it to evaluate the impact of skin tone on identification accuracy and store response, and to provide confidence to the regulator and customers that key privacy safeguards remain in place.
“The trial findings will help other businesses to ask the right questions about whether FRT is necessary and appropriate for them and to understand what they would need to do to set FRT up and run it in a privacy protective way.”
The report sets out my expectations for the use of FRT across nine key areas, says the Privacy Commissioner.
The FRT trial started on 8 February and ended on 7 September 2024 and ran in 25 supermarkets. During the trial, 225,972,004 faces were scanned (includes multiple scans of the same person), with 99.999% of these deleted within one minute, and there were 1742 alerts of which 1208 were confirmed matches. See our infographic of FRT by the numbers.
OPC is currently developing a Biometric Processing Privacy Code, which applies to biometric information, including a photo of someone’s face used in a Facial Recognition System. The new Code is expected to be published in mid-2025. The Biometrics Code is designed to provide guardrails for the safe use of biometrics generally, including FRT, in New Zealand.
Please attribute to Taupo Area Investigations Manager, Detective Senior Sergeant Ryan Yardley:
Police have launched a homicide investigation, and a man has been charged with murder, after a man seriously injured in Tokoroa last week has now died.
Officers were called to an Abercorn Place address about 4:15am on Tuesday 27 May, to reports that a man had been injured by a male known to him outside his house.
The man was rushed to Waikato Hospital in critical condition, but has since passed away.
A 21-year-old man has been arrested and charged with murder. He is next due to appear in the High Court at Rotorua on 27 June.
Police are still working to establish the full sequence of events that led to the man’s death, and we’d like to hear from anyone who witnessed anything, or has any information that might help our investigation.
We’d also like to see any dashcam or CCTV footage anyone may have from around the time in question.
If you can help, please use our 105 service, quoting reference number 250527/7868.
You can also give information anonymously through Crime Stoppers on 0800 555 111.
Smart changes proposed for Mount Smart Road will mean less time stuck in traffic at the end of a long day.
As Royal Oak continues to grow, so does the need for smarter, more efficient ways to get around. That’s why Auckland Transport (AT) is seeking feedback on a plan to help keep Mount Smart Road moving from Victoria Street to the busy Royal Oak roundabout.
Mount Smart Road connects Penrose with Onehunga and Royal Oak, carrying around 18,000 vehicles daily. In the evening, trips through this area can take more than twice as long as off-peak, with average speeds dropping to as low as 15km/h.
To help ease congestion, a new T3 transit lane heading towards the roundabout, has been proposed. This will operate from 4-7pm on weekdays and be reserved for buses, motorcycles, cyclists, and vehicles with three or more people.
Maungakiekie-Tāmaki Local Board chair Maria Meredith said a quick-fix, low-cost solution will enable more efficient traffic movements in the early evenings.
“Mount Smart Road is often gridlocked in the evenings, but widening it isn’t an option without affecting nearby homes. Adding a transit lane is a smart, low-cost way to keep people moving,” she said.
“This initiative targets one of our community’s busiest roads, which currently sees evening travel times more than double compared to off-peak hours. We want to see congestion eased, so people can spend less time in traffic.”
Broken yellow lines will also need to be added at four bus stops along Mount Smart Road to ensure that buses can enter and exit the stops safely.
AT is seeking feedback from the community on this proposal, with a second community drop-in session planned for Oranga Community Centre, 1 – 3pm on Saturday 07 June 2025.
Have your say on the Auckland Transport website by 15 June 2025.
New data showing international visitor spending increased by almost ten per cent on the previous year is welcome news, Tourism and Hospitality Minister Louise Upston says.
“Tourism is our second highest export earner and today’s results show just how important the sector is to unleashing economic growth in New Zealand,” Louise Upston says.
International Visitor Survey results show for the year ending March 2025, international tourism contributed $12.2 billion to New Zealand’s economy, up 9.2 per cent compared to the previous year.
This reflects an increase of 4.3 per cent in international visitor arrivals, with 3.32 million visitors coming to New Zealand, up from 3.18 million in 2024.
“In real terms, that means more bookings in our restaurants, more reservations at local accommodation and visitor experience providers, more people visiting our regions and attractions, more jobs being created across the country, and an overall stronger economy.”
When adjusted for inflation, this equates international spending to $9.7 billion or 86 per cent of pre-pandemic levels.
“The growth in visitor numbers and spending is very encouraging but there is still more work to do to ensure tourism and hospitality can really thrive,” Louise Upston says.
“Amongst other initiatives, the Government announced a $20.4 million Tourism Boost package this year to help drive visitor numbers.
“New Zealand is open for business, and we look forward to welcoming more visitors to our beautiful country.”
Working with third-party providers: understanding your privacy responsibilities
Your responsibility for the personal information stored or processed by a third-party provider comes from Section 11 of the Privacy Act.
Personal information is any information which tells us something about a specific individual. People’s names, contact details, financial, health and purchase records can all be personal information. The information doesn’t need to name the individual, if they are identifiable in other ways, like through their home address or another identifier, or if their identity could be pieced together. Read more about what we mean by personal information.
This guidance is for organisations who are thinking about using a third-party provider, or those who already do. If you use a third-party provider to store or process personal information on your behalf, you are still responsible for what happens to that information.
This guidance explains what you must think about when you are choosing a third-party provider and what your ongoing responsibilities are. We have a wider suite of guidance ‘Poupou Matatapu’ to find out more about how to ‘do privacy well’ and what good privacy practice looks like.
Your organisation is responsible for your personal information when stored or processed by a third-party provider
The key thing to remember is that you remain responsible for personal information that you send to a third-party provider.
What do we mean by third-party provider?
‘Third-party’ means an organisation external to your organisation.
‘Third-party provider,’ also known as a ‘third-party’ or ‘service provider,’ is a broad term that can be applied to a range of external organisations that provide services to your organisation, such as storing or processing information on your organisation’s behalf. Software as a Service (SaaS) or cloud service providers are a classic example. However, there is a wide range of other third-party providers you might contract with who may need to store or process personal information provided by your organisation to deliver their service to you.
For example, you might:
Share employee pay information with an external payroll provider or accountant.
Contract a company to collect information for a survey.
Use another organisation to provide personalised services for your customers.
Use an intermediary platform that shares the information with other third parties.
Before you engage a third-party provider, you need to understand:
What types of personal information you’ll share with them, or they’ll collect on your behalf.
What they will do with it.
Do they need personal information?
First, understand whether your organisation needs to provide personal information to the third-party provider at all. You should consider if you can achieve the results you want from a third-party provider without providing any personal information.
For example, your organisation might like to use a third-party marketing agency to provide advertising services. Marketing agencies can offer a range of services, from sourcing advertising on billboards or online advertising (which would not require any personal information), to using the information collected from an organisation’s existing customer database to create marketing strategies (which might require personal information, depending on the task).
Think about whether supplying aggregated, non-personal information might enable the marketing agency to perform the service adequately.
Please note: when changing the way you use clients’ or staff’s personal information, you need to assess the privacy risk and make sure you’re being transparent through your privacy statement to reflect any changes in use of personal information. We have guidance on how to improve your privacy transparency. We also have a PIA toolkit available to help assess the privacy risks.
What kind of personal information is it?
It’s important to understand the level of privacy risk that you’ll need to manage with your third-party provider. We have guidance on different kinds of personal information that may carry higher privacy risk, such as where the information is sensitive or confidential.
For example, an organisation might employ the use of a third-party software provider to manage their payroll. Information required to process payroll can be sensitive, such as bank account and IRD numbers. Appropriate security measures need to be in place. We have guidance on handling sensitive information.
Due diligence
You will need to be confident that the information is protected wherever it is, and whatever organisation is handling it. Ask questions that enable you to have that confidence (this is normally referred to as ‘due diligence’), and ask those questions early, before you commit to using the provider.
Any subsequent contract with that provider should satisfactorily reflect the key protections that you expect to be in place. It should also require the third-party to ensure that any subcontractors or support agencies will equally protect the information. Your organisation needs to know whether the third-party provider will use or disclose the personal information that you provide for its own business purposes.
What will the third-party provider do with the information?
There are a range of services that third-party providers offer. Some third-party providers will merely store the information and some will process the information for you (for example, a service providing data analytics). Some may themselves use third-party services such as generative AI tools to store or process the information.
A key thing to understand is whether the third-party provider will use the information for their own purposes or not. Some examples of third parties using information for their own purposes could be when your information is used as AI training data or using the information you provide for services to other organisations.
If the third-party provider is storing or processing the information solely on your behalf (for example storing information as a cloud service) and will not use or disclose it for its own purposes, section 11 of the Privacy Act says that the third-party provider is not deemed to “hold” the personal information for the purposes of the Privacy Act. This also means that you are not “disclosing” the information to them, which means you do not need to worry about the Privacy Act’s disclosure principle (IPP 11). But as a result, your organisation remains fully responsible under the Privacy Act for what happens to that information. The third-party is “you” for the purposes of the Privacy Act.
If the third-party provider will use or disclose the information for its own purposes, as well as performing services for you, then both the third-party provider and your organisation will be deemed to “hold” that information for the purposes of the Privacy Act. That means you will both be responsible for the information in various ways depending on how it is being stored or used. Sharing personal information with that third-party provider could also be a “disclosure” and you will need to make sure that sharing the information is allowed under IPP11. IPP12 may also be relevant if the third-party provider is not based in New Zealand.
In addition, both your organisation and the third-party provider may be accountable if there is a privacy breach. This means that your organisation and the third-party provider need to have a plan to outline who will notify OPC and individuals affected in case there is a breach. We have guidance on who should notify OPC and affected individuals.
Example of a section 11 situation: Wonder Bottling Ltd uses third-party Big Data Analytics
Wonder Bottling Ltd wants to use the third-party Big Data Analytics Ltd to run Wonder Bottling’s website. Big Data Analytics will store all website data, including personal information provided by customers to Wonder Bottling via web forms. It will also process the information stored and provided to the website to provide website analytics to Wonder Bottling Ltd.
Big Data Analytics is not using Wonder Bottling Ltd’s information for another purpose or service, such as using Wonder Bottling Ltd’s data insights to provide a service to another organisation. It is solely storing and processing information for Wonder Bottling Ltd. Under section 11, this means that Wonder Bottling Ltd is responsible for anything that happens to that information while it is being stored or processed by Big Data Analytics.
For instance, if Big Data Analytics is the subject of a notifiable privacy breach in relation to the personal information transmitted by Wonder Bottling, Wonder Bottling would be responsible for notifying the Office of the Privacy Commissioner (OPC) and affected individuals. In their agreement, Big Data Analytics should be required to inform Wonder Bottling about any breaches of that information so that Wonder Bottling can fulfil this requirement.
However, if Big Data Analytics were to change how it operates and start using that information for another purpose, Big Data Analytics would have its own obligations under the Privacy Act, such as responsibilities to make sure the information is accurate and fit for purpose under IPP8, and to use the information in line with IPP10.
Protecting personal information once you’ve chosen a third-party provider
Since your organisation is legally responsible for anything that happens to the personal information that a third-party provider stores or processes for you (whether or not that third-party is also responsible), you should make sure that you have a robust agreement in place with them that requires them to keep the information safe and gives you a remedy when things go wrong.
What should be in an agreement with a third-party provider?
Security measures
An organisation needs to do everything within its power to prevent unauthorised use or disclosure of personal information. This means that your organisation needs to get assurances that the third-party provider has the appropriate security measures in place to protect any information it stores or processes on your behalf. The more sensitive the information is, the stronger those assurances may need to be.
Our guidance on security and access controls provides examples of the types of security measures the third-party provider should take to protect the personal information it stores. Your organisation may wish to seek regular reporting from the third-party provider on the effectiveness of the measures.
Individuals’ right to access and correct the information your organisation holds about them
The Privacy Act requires you to give people access to their personal information if they ask you to, and correct that information if it is wrong. There are also strict statutory timeframes for responding to requests. Those timeframes don’t change when the information is stored by a third-party rather than by you. You need to ensure that your agreement with the third-party provider includes provisions that make sure you can locate and retrieve information quickly, so you can meet your obligations.
The reporting of notifiable privacy breaches also needs to be factored into your agreement with a third-party provider, including how it will notify you of any breaches it has, and whether it will notify you of all breaches or only ones that it considers are notifiable. We strongly recommend that the contract requires the third-party provider to notify you of all breaches that affect the personal information it is storing or processing on your behalf, so that you can then decide what to do.
Your organisation will be responsible under the Privacy Act for reporting notifiable privacy breaches to the Office of the Privacy Commissioner so you need to be satisfied that the third-party provider will promptly notify you of breaches. The Office of the Privacy Commissioner generally expects to be told about notifiable breaches within 72 hours of the breach becoming known. That period starts when the third-party provider knows about the breach, not when they tell you, so it is important to make sure that you are told as soon as possible.
Your agreement should make sure there are contractual obligations on the third-party provider to comply with all applicable privacy laws.
Disposal of personal information during and after the agreement
Organisations must not keep personal information for longer than they need. It’s important that your agreement outlines how long the third-party provider will store the personal information on your behalf. In short, the third-party provider should only retain the information for as long as you want it to and are permitted to yourself. Ideally, you should be able to delete the information yourself as retention periods are reached or your circumstances change.
The agreement should also outline what will happen to the information at the end of the agreement. Will it be transferred back to you? How will it be disposed of? Can the third-party provider give you assurances that the information has been permanently deleted (including from backups)? Poupou Matatapu has more guidance on retention and disposal in the Know your Personal Information Pou.
Assurance that the third-party provider will only use the personal information for delivering the services
Your agreement should include an assurance that the third-party provider will only use the personal information it stores or processes on your behalf to deliver the services you have requested, as outlined in the agreement. Remember, that if the third-party provider will be using or disclosing the information for its own purposes, the third-party will have its own obligations under the Privacy Act.
Checklist for what should be in your agreement with a third-party service provider:
Appropriate security measures.
Facilitation of access and correction requests.
Process and time frame for notifying you of privacy breaches, especially notifiable breaches.
Compliance with relevant privacy laws.
The third-party’s use of the information you provide.
Use a Privacy Impact Assessment to assess and record the privacy risks associated with using a particular third-party provider. We have a PIA toolkit available to help.
If you’re using a third-party provider based in another country, consider your practical ability to control your personal information and ensure it is being handled in line with the New Zealand Privacy Act.
Consult with stakeholders or affected communities if the personal information is particularly sensitive, or where there are Māori data sovereignty implications.
HANA-RAWHITI MAIPI-CLARKE (Te Pāti Māori—Hauraki-Waikato): I seek leave to move a motion without notice and without debate that this House commemorates the 30-year anniversary of the Waikato-Tainui raupatu settlement signed at Tūrangawaewae Marae in May 1995.
SPEAKER: Leave is sought for that particular course of action. Is there any objection? There appears to—
Rt Hon WINSTON PETERS (Minister of Foreign Affairs): Yes. Point of order, Mr Speaker. If we look at the number of settlements there have been, then we’ll be doing this every day for about one-third of the year’s sittings. So it was not against the idea—this was the first settlement we ever had—but it’s the inappropriate repetitiveness of it all.
SPEAKER: Though that is true, it was also the first settlement we had. None the less, leave is denied.
LEMAUGA LYDIA SOSENE (Labour—Māngere): Tatou ifo ma tatalo. Le Atua Silisili ese e, matou te sulaina lau Afio mo fa’amanuiaga ma tofi ua e fa’au’uina ai i matou. E lafoa’i ni o matou lagona ma manatua ta’ito’atasi i le amana’iaina o le Masiofo o Peretania. Matou te tatalo ina ia tonu ma fa’amaoni fuafuaga ma fa’ai’uga uma i totonu o lenei Maota Fono. Ia talosia ta’ita’i o lenei Mālō ina ia maua le tōfā mamao, le fa’apalepale ma le agamalū, auā le manuia ma le filemū o Niu Sila. O le matou tatalo lea, e ala atu i le suafa pele o Iesu Keriso. Amene.
SPEAKER: Members, on 31 May this year, the Rt Hon Jim Bolger ONZ celebrated his 90th birthday. Jim Bolger was a member of this House from 1972 to 1998. He served as Leader of the Opposition and was Prime Minister for seven years, before his retirement from this House. Post-Parliament, he served as New Zealand’s Ambassador to the United States and, after that, was chair of New Zealand Post. He retains a keen interest in proceedings in this House and the betterment of New Zealand. I’m sure members will want to stand and join with me in expressing our birthday wishes both to the Rt Hon Jim Bolger and Mrs Joan Bolger, who has been such a support to him.
Prime Minister Christopher Luxon has congratulated the 2025 recipients of King’s Birthday Honours.
“Every person on this list has made New Zealand a better place.
“Locally, regionally, nationally, and internationally they are the proof that individual actions build a strong and thriving country.
“I am inordinately proud that twice every year, we can easily find dozens of outstanding citizens to honour this way, and I would like to thank all of the New Zealanders on this list for their service and achievements.
“To our new Dames and Knights, carry your Honour with the pride with which it was given,” Mr Luxon says.
Appointed as Dames Companion of the New Zealand Order of Merit are Ranjna Patel, Emeritus Distinguished Professor Alison Stewart, and Catriona Williams.
“Dame Ranjna Patel has made a lasting impact across New Zealand in her service to ethnic communities, health and family violence prevention. She founded Mana for Mums for young Māori and Pacific women in South Auckland, co-founded a multi-cultural community centre, and co-founded Tāmaki Health, which has grown to become New Zealand’s largest privately owned primary healthcare group. In doing so, Dame Ranjna has helped hundreds of thousands of New Zealanders,” says Mr Luxon.
“Dame Alison Stewart is an internationally renowned plant scientist with a 40-year career focused on sustainable plant protection, soil biology and plant biotechnology. She reinforces New Zealand’s stellar reputation in science and is an example of how our science community will continue to lead the world,” Mr Luxon says.
“Dame Catriona Williams’ legacy in spinal cord injury goes back more than 20 years. This remarkable woman has been the founder and driving force behind the CatWalk Spinal Cord Injury Trust since its establishment in 2005. She has inspired countless people by her example of courage and determination in the face of adversity. Dame Catriona dedicates her time to engage with people who have experienced a spinal cord injury and are new to life in a wheelchair,” says Mr Luxon.
This year’s Knights Companion are The Honourable Mark Cooper, Brendan Lindsay, and Ewan Smith.
“Sir Mark Cooper’s service to the judiciary is distinguished and longstanding. He became President of the Court of Appeal after being a Court of Appeal Judge from 2014 and a High Court Judge from 2004. Sir Mark was Chairperson of the Royal Commission of Inquiry into Building Failure caused by the Canterbury Earthquakes and his detailed findings and recommendations avoided delay to the Canterbury rebuild and provided a sense of resolution to the community at a time it was critical,” Mr Luxon says.
“Businessman and philanthropist Sir Brendan Lindsay built a global brand producing sustainable and recyclable storage products stamped ‘Made in New Zealand’. Sistema was sold to an American firm in 2016, with the buyer committing in writing to keep production in New Zealand for 20 years. That business acumen has created a philanthropic legacy that has helped countless charities including Pet Refuge, Starship National Air Ambulance Service, New Zealand Riding for the Disabled and Assistance Dogs New Zealand Trust,” Mr Luxon says.
“Sir Ewan Smith is legendary in the Cook Islands. The founder of Air Rarotonga, he has grown the business to become the largest private sector employer in the Cook Islands. However, it is his passion and loyalty to his people that distinguishes him further. During the COVID-19 pandemic, he ensured no Air Rarotonga employee was made redundant, and the airline maintained essential cargo and medevac services throughout the Cooks. Everyone including himself was placed on a minimum wage and he provided mentorship, counselling and budget advice to staff. Sir Ewan exemplifies what it is to be a good employer and an outstanding citizen.
“I would like to congratulate all 188 recipients of this year’s King’s Birthday Honours. We are proud of you, and we celebrate the example you set for others,” Mr Luxon says.
The Minister for Workplace Relations and Safety’s announcement today on gutting WorkSafe’s enforcement capability signals a return to a failed approach, that will weaken our health and safety system, said the New Zealand Council of Trade Unions Te Kauae Kaimahi.
“A soft approach to poor health and safety was a critical failing that led to the Pike River mine disaster, one of the worst health and safety failings in New Zealand history,” said NZCTU President Richard Wagstaff.
“Brooke van Velden continues to systematically gut WorkSafe to help protect businesses from enforcement of breaches of the law, rather than protecting the workers who suffer huge rates of injury and fatality as a result of work.
“WorkSafe was established in the wake of the Pike River mine disaster. It was clear that we needed a well-resourced, effective, and strong regulator, that was prepared to prosecute where necessary, as this was clearly lacking.
“Every week a worker is killed on the job on average in New Zealand, and 17 more are killed from the impact of work-related illnesses and diseases. Every year there are over 30,000 injuries suffered that require more than a week away from work. Nothing in these announcements will have a positive effect on these numbers.
“In the past few years, WorkSafe has endured cuts to the tune of millions of dollars, resulting in fewer staff. Since it was established the WorkSafe inspectorate has reduced from 8 per 100 thousand employees to 6.5, amongst cuts to the wider WorkSafe staffing levels.
“The Minister’s decision to gut WorkSafe is a reflection of a government that is prioritising profits over people,” said Wagstaff.
