Office of the Privacy Commissioner
PO Box 10094, Wellington 6140
Level 11, 215 Lambton Quay
Wellington, New Zealand
P +64 4 474 7590 F +64 4 474 7595
E [email address]
0800 803 909 Enquiries
privacy.org.nz
19 November 2025
Spencer Jones
By email only to: [FYI request #32554 email]
Tēnā koe
Official Information Act Request (Our Ref: OIA/0478)
We refer to your Official Information Act request received on 13 October 2025.
Summary of correspondence
On 13 October 2025 we emailed you asking for clarification on one aspect of your request.
You responded the same day with helpful clarification.
On 31 October 2025 we emailed you advising that, as we needed to consult with third
parties about some information relevant to your request, we needed to extend the time it
would take us to respond to your request. The extension was for an additional 20 working
days, or by 9 December 2025. We did not receive a response to this email.
Response to your request
Briefings, policy advice, or guidance regarding the MIND Act
You have asked for:
Any internal briefings, policy advice, or guidance generated by the Office of the Privacy
Commissioner (or interagency correspondence with the Ministry of Business, Innovation &
Employment, Ministry of Justice, Ministry of Health, or other relevant bodies) since 1 January
2024 regarding the MIND Act, including:
assessments of its implications for NZ privacy laws, biometric regulations, or neurotechnology
oversight (e.g., potential extensions of the Biometric Processing Privacy Code to neural data).
We have not writ en any internal briefings, policy advice, or guidance, or had any
interagency correspondence regarding the MIND Act. Accordingly, we cannot provide this
information as it does not exist. We rely on s 18(e) of the Of icial Information Act 1982.
Please note that the recently released Biometric Processing Privacy Code 2025 excludes
information about an individual’s brain activity and nervous system from the definition of
“biometric information”. As such, the Biometric Processing Privacy Code 2025 does not
apply to neural data collection.
The reason for the exclusion in the Biometric Processing Privacy Code 2025 can be found at
pages 17-18 of the discussion document created for the potential biometrics code of practice
(ht ps://www.privacy.org.nz/assets/New-order/Resources-/Publications/Guidance-
resources/Biometrics/Biometrics-November-2023/Biometrics-discussion-document.pdf):
OIA/0478/A1127706
2
Genetic information and neurodata are not proposed to be included in the scope of a biometrics
code, because regulating such information raises complex legal, ethical and cultural issues that
require separate consideration… The extraction of information from human tissue (sometimes
referred to as biological biometrics) is proposed to be excluded because it involves quite different
analytical techniques from other types of biometrics, and because it is likely to be covered by the
HIPC and other statutory and ethical frameworks.
Similar safeguards
You have asked for:
Discussions on adopting similar safeguards for neural data in NZ (e.g., consent requirements for
BCI data col ection, transparency in indirect data gathering under IPP3A, or prohibitions on
unauthorized access).
Other than the consideration of whether neurodata should apply to the Biometric Processing
Privacy Code 2025 (see above), we have not had any discussions on adopting similar policy
to that in the MIND Act for neural data in New Zealand. Accordingly, we cannot provide this
information as it does not exist. We rely on s 18(e) of the Of icial Information Act 1982.
Reports, investigations, or consultations regarding neural data collection
You have asked for:
Records of any reports, investigations, or consultations commissioned or undertaken by the Office
of the Privacy Commissioner aimed at investigating privacy risks, ethical standards, or
compliance requirements for neural data col ection via neurotech, including summaries, findings,
and any related public consultations (2015–2025).
We have not created any report, carried out any investigation, or commissioned any
consultation regarding neural data collection. Accordingly, we cannot provide this information
as it does not exist. We rely on s 18(e) of the Official Information Act 1982.
Advice papers or risk evaluations
You have asked for:
Any advice papers or risk evaluations on the privacy implications of integrating neural data
technologies with existing NZ infrastructure (e.g., smart meters, 5G networks), including
assessments of consumer privacy risks under the Privacy Act 2020 or comparative analyses to
international standards.
We have not writ en any advice papers or carried out risk evaluations on the privacy
implications of integrating neural data technologies with existing NZ infrastructure.
Accordingly, we cannot provide this information as it does not exist. We rely on s 18(e) of the
Of icial Information Act 1982.
International correspondence
You have asked for:
Copies of correspondence between the Office of the Privacy Commissioner and US counterparts
(e.g., FTC) or international bodies (e.g., OECD, Asia-Pacific Privacy Authorities Forum, Five Eyes
partners) relating to the MIND Act, global neural data governance, or emerging technologies like
AI and biometrics.
When asked for clarification on this aspect of your request, you advised:
…I am specifically requesting copies of correspondence between the Office of the Privacy
Commissioner and US counterparts (e.g., FTC) or international bodies (e.g., OECD, Asia-Pacific
OIA/0478/A1127706
3
Privacy Authorities Forum, Five Eyes partners) that relates to neural data. This includes
discussions on the MIND Act, global neural data governance, or the intersection of emerging
technologies like AI and biometrics with neural data privacy.
For completeness, this clarification aligns with the overall focus of the request on neural data
privacy implications, as outlined in the original submission. I do not seek correspondence on
emerging technologies in isolation unless it pertains to neural data aspects (e.g., neurotechnology
integration with AI or biometrics).
Please find the following attached to this email:
• International Association of Privacy Professionals (IAPP) newsletters, titled:
o ‘A view from DC: What does the government shutdown mean for privacy and
cybersecurity?.pdf’
o ‘Australian court fines company AUD5.8 mil ion for role in medical data
breach.pdf’
o ‘SEC investigates adtech company over data-collection practices.pdf’
• Neural technology presentation, titled ‘1-25 Annex B – Neuro Data EN_v06.pdf’. This
is a presentation delivered by Dr Luis Antonio de Salvador on the topic of neural
technology to the Asia Pacific Privacy Authorities Technology Working Group in
February 2025.
Before releasing the neural technology presentation, we consulted with Dr Luis. He wishes
to add that the attached presentation is now outdated. Analysis on this topic by the Spanish
Data Protection Authority has greatly evolved and the presentation does not match the
current opinions, framework, and policies of the Spanish Data Protection Authority regarding
neurotechnology.
We identified some email correspondence with international bodies that references neuro
technology. We have decided to withhold this information to comply with our obligation to
maintain secrecy under s 206 of the Privacy Act 2020. We rely on s 18(c)(i ) of the Official
Information Act 1982 and s 206 of the Privacy Act 2020.
However, while we cannot release the email correspondence, be advised that the
correspondence relates to information which is now publicly available at the following links:
• Global Privacy Assembly:
o
https:/ globalprivacyassembly.com/wp-content/uploads/2024/11/Resolution-
on-Neurotechnologies.pdf (2024 Resolution on principles regarding the
processing of personal information in neuroscience and neurotechnology)
o
https:/ globalprivacyassembly.com/wp-content/uploads/2025/11/Closed-
Session-Minutes-Jersey-46-GPA_31-Oct-to-01-Nov-2024-1.pdf (Minutes of
the Closed Session at the 46th Global Privacy Assembly – Jersey Island)
o
https:/ globalprivacyassembly.com/wp-content/uploads/2025/10/DEWG-
Annual-Report-2025.pdf (Digital Education Working Group Annual Report
July 2025)
o
https:/ www.unicef.org/innocenti/media/11616/file/UNICEF-Innocenti-Data-
Governance-Education-Technology-Summary-2025.pdf (Unicef Data
Governance for EdTech: Summary of Landscape Review and
Recommendation)
• German Federal Commissioner of Data Protection and Freedom of Information:
o
https:/ www.bfdi.bund.de/SharedDocs/Downloads/EN/Berlin-
Group/20250515-WP-Neurotechnologies.html?nn=355094 (Working Paper
on Emerging Neurotechnologies and data protection)
OIA/0478/A1127706
4
• New Zealand Office of the Privacy Commissioner:
o
https:/ mailchi.mp/0ec1a6a42997/privacy-news-february-12824038 (March
2025 Privacy News)
• Organisation for Economic Co-operation and Development:
o
https:/ www.oecd.org/en/topics/sub-issues/responsible-innovation.html
(Responsible innovation)
o
https:/ www.oecd.org/en/topics/sub-issues/emerging-technologies.html
(Emerging technologies)
o
https:/ www.oecd.org/content/dam/oecd/en/topics/policy-sub-
issues/emerging-technologies/neurotech-toolkit.pdf (Neurotechnology Toolkit)
o
https:/ legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0457
(Recommendation of the Council on Responsible Innovation in
Neurotechnology)
o
https:/ legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0188
(Recommendation of the Council concerning Guidelines Governing the
Protection of Privacy and Transborder Flows of Personal Data)
o
https:/ legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0433
(Recommendation of the Council on Health Data Governance)
• United Kingdom Information Commissioner’s Office:
o
https:/ ico.org.uk/about-the-ico/research-reports-impact-and-
evaluation/research-and-reports/technology-and-innovation/tech-horizons-
and-ico-tech-futures/tech-horizons-report-2024/ (Tech Horizons report 2024)
Conclusion
Please note that if you are not satisfied with this response to your request, under section 28
of the Of icial Information Act 1982 you have the right to ask the Ombudsman to investigate
and review our decision on your request, however we would appreciate the opportunity to
discuss this with you first.
Nāku iti noa, nā
Liz MacPherson
Deputy Privacy Commissioner
Encls.
OIA/0478/A1127706
Document Outline
