Biometric data allows a person to be identified by their individual biological characteristics, such as face, fingerprint or voice recognition. Its use is prevalent in society today and is adopted by public and private companies.
But the processing of this uniquely personal data requires clear guidance and regulation to ensure individual data is protected.
The Information Commissioner’s Office (ICO), the UK’s independent body whose remit is to uphold information rights, has published draft guidance on biometric data for public consultation. This guidance is designed to explain how biometric recognition systems should be lawfully used, and is aimed at organisations, vendors and data controllers.
The guidance has four key categories:
- What biometric data is
- When it is considered special category data
- Its use in biometric recognition systems; and
- The data protection requirements users need to comply with.
What is biometric data?
Biometric data is defined by the General Data Protection Regulation (GDPR) as personal data “resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic [fingerprint] data.”
The draft guidance explains personal data will only be considered biometric data if:
- It relates to a person’s behaviour, appearance or characteristics (for example voice or fingerprints);
- Has been extracted using technology; and
- Uniquely recognises or identifies a person.
- Biometric data is also considered ‘special category biometric data’ whenever it is processed to uniquely identify a natural person.
What is a biometric recognition system?
The term ‘biometric recognition’ refers to biometric data used for identification and verification purposes. If you use a biometric recognition system (such as fingerprint scanning software, facial or voice recognition software or iris scanning software), you are using special category biometric data. For example: A gym uses an electronic fingerprint scanning system for its members to gain access through entrance turnstiles. This process involves processing special category biometric data, through the use of a biometric recognition system, to uniquely identify and verify a member and grant them entry to the gym.
Biometric data and the law
Special category biometric data may be processed only with a lawful basis. The draft guidance states that, in most cases, “explicit consent is likely to be the only valid condition for processing special category biometric data”.
Organisations will need to consider whether consent is appropriate in situations where there is an imbalance of bargaining power between themselves and the individual. For instance, in the example above, the fingerprint scanner may be the only means of accessing the gym and its facilities, therefore the user may feel they have no choice but to agree to having their fingerprint being used for this purpose. In this situation, it cannot be considered the user is freely giving their consent.
In practice, organisations must offer a suitable and no less favourable alternative to users who choose not to consent, ensuring they do not feel under pressure to grant their consent. In the example above, the gym could give its users the option to enter a unique PIN code to access the facilities if they don’t want their biometric data to be processed.
Organisations must also complete a Data Protection Impact Assessment (DPIA) for any processing likely to result in a high risk to people’s rights and freedoms. The draft guidance clarifies that using any biometric recognition system is likely to trigger this requirement. The ICO provides clear and informative guidance on how the risk to people’s rights and freedoms may be assessed.
Organisations may be able to identify, and rely, on an alternative Article 9 condition, if explicit consent isn’t appropriate in the circumstances. Article 9 permits you to process special category data if: “processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent” (ICO).
The ICO consultation period runs until 20 October 2023 and marks the first phase of the draft guidance. The second phase (“biometric classification and data protection”) will follow thereafter and will include a call for evidence in early 2024.