In this post, we provide you with four key rules for collecting biometric data to ensure the collection is privacy-compliant. While extracted from the recent Guidance on Collection and Use of Biometric Data issued by the Hong Kong Privacy Commissioner and from a 2011 Guidance issued by the Canadian Privacy Commissioner, these rules are of global relevance.
1. Only collect the biometric data you really need
In line with the general collection limitation principle, the collection of biometric data must be:
1. For a lawful purpose related directly to the collecting organization’s functions and activities; and
2. Necessary and not excessive for achieving such purpose.
In other words, because of the sensitivity of biometric data, its collection requires a strong justification. If an intended (valid) purpose can be achieved by collecting less sensitive biometric data or other data, then only that data must be collected. Biometric systems should not be adopted because they are the most convenient or cost-effective option, they must only be implemented if they are necessary and there is no less privacy-invasive way of achieving an intended outcome.
2. Conduct privacy impact assessments prior to the collection
Privacy impact assessments should be conducted before biometric data is collected in order to determine whether the collection of biometric data is necessary and, if so, to what extent.
This is also the approach likely to be adopted under the forthcoming EU General Data Protection Regulation which appears to not classify biometric data as sensitive data but requires privacy impact assessments to be carried out in certain instances of processing of biometric data.
3. Provide notice. Offer choice. Obtain consent.
In line with the general notice and choice principles, prior to the collection of biometric data, the relevant individuals must be informed comprehensively about the impact of the intended collection and use of biometric data and they should be offered the choice of less privacy-intrusive alternatives. Their free and express consent must be obtained prior to the collection. The (in practice frequently used) covert collection of biometric data violates this rule.
4. Apply Risk Minimization Techniques
Where possible, risk minimization techniques should be applied, including that:
- biometric templates (which consist of summary information only) rather than raw data should be stored to minimize the amount of data stored;
- generally, verification biometric systems should be favoured over identification systems as they collect less biometric features;
- if possible, biometric information should be stored locally (such as on smart cards or security tokens) rather than in central databases as it gives individuals more control over their biometric information and reduces the risk of data loss or inappropriate cross-linking of data across systems.
While the Hong Kong and Canadian guidance documents are not rocket-science, in the absence of other guidance, they are helpful reference points for those looking to implement biometric systems in a privacy-compliant way.
Key Rules For Handling Biometric Data Post-Collection In A Privacy-Compliant Way
Having considered in detail the rules for collecting biometric data in our last post, in this post we will cover the key rules for handling biometric data post-collection.
1. Establish Strong Access And Use Controls
Given the sensitivity of biometric data, strong access controls should be put in place and access to biometric data should be allowed only on a need-to-know basis.
Further, the use of biometric data should be strictly controlled and limited to what is necessary. Biometric data should only be used for the purpose for which it was originally collected unless individuals have explicitly and freely consented to other uses. Unnecessary linkage between biometric databases with other systems or data bases should be omitted.
2. Delete Data When No Longer Required
Biometric data should be deleted as soon as it is no longer required for the permitted purposes. Let’s say, an employer collects biometric data of its employees for access controls. As soon as an employee ceases to work for an employer, any biometric data that has been collected in respect of that employee should be deleted.
An exception to the deletion requirement might apply where data is used for research or statistical purposes provided the biometric data is anonymised. However, it is difficult to anonymise biometric data so that it really does no longer allow the identification of the relevant individual. Hence, care must be taken when relying on this exception.
3. Ensure Data Accuracy
The basic privacy principle that data stored must be kept accurate and up-to-date also applies to biometric data and might be particularly important in that context.
For example, if biometric data is used to record attendance of employees, inaccuracies of the attendance records might lead to serious consequences for employees. Therefore, data controllers that use biometric recognition systems must ensure that false acceptance and rejection rates of those systems are within reasonable limits.
4. Secure Data
Data controllers must take all practicable steps to safeguard biometric data against misuse, loss, unauthorized access, modification or disclosure (as specified in applicable privacy legislation).
While the required security measures depend on the individual circumstances, examples include that biometric data should be encrypted while stored or transmitted and that access logs should be kept in relation to biometric data.
5. Devise Policies And Train Staff
Business should devise, and make available to staff and other concerned parties, clear guidance and policies setting out the rules for processing biometric data. Staff responsible for the collection and management of biometric data should be properly trained on those policies. Regular privacy compliance assessments and reviews should be conducted.
As biometric data usually constitutes personal data, and frequently sensitive data, the processing of biometric data will generally be subject to applicable privacy laws as are other types of personal/ sensitive data. Data controllers need to ensure compliance with those and there is no magic to it from a legal/ regulatory perspective.
From a best practice point of view, controllers should take privacy considerations into account from the start and throughout the whole lifecycle of any biometric initiative (“privacy by design”) and carry out privacy impact assessments. In some jurisdictions, the latter is mandatory in relation to biometric data.