The ICO has recently published new guidance for organisations on the processing of biometric data. Given the unique nature of biometric data and the risks that can arise if incorrectly used or processed, compliance with data protection law is of paramount importance. The guidance was published on the same day that several community leisure trusts were ordered by the ICO to stop using facial recognition technology and fingerprint scanning to monitor employee attendance at work, finding there were less intrusive means available to achieve the same purpose (e.g. ID cards).
The latest enforcement action serves as a timely reminder of the importance of ensuring data protection compliance is considered at the outset when thinking of introducing any new system that processes personal data.
Biometric data – what is it?
The UK GDPR defines biometric data as:
"personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic [fingerprint] data".
The ICO's guidance sets out three conditions that need to be met in order for data to be classed as biometric data:
- The data relates to a person's physical, physiological or behavioural characteristics (e.g. a person's face)
- Specific technologies have been used to process the data (e.g. facial recognition software)
- The biometric data can uniquely identify (or recognise) the person it relates to.
Who does the guidance apply to?
The guidance is aimed at organisations that are using, or are proposing to use, biometric recognition systems. It will also apply to other controllers, processors and sub-processors who are involved in the operation of any such biometric recognition system. The ICO's guidance can be accessed here.
What is a biometric recognition system?
Although "biometric recognition" isn't defined in data protection law, the International Standards Organisation's definition refers to the automated recognition of people based on their biological and behavioural characteristics. The ICO explains it as using biometric data to uniquely identify someone.
If you are using a biometric recognition system, you will be processing special category data. This means it is afforded extra protection under data protection laws.
How do you comply with data protection laws when using biometric data?
John Edwards, the UK Information Commissioner has stated that:
"Biometric data is wholly unique to a person so the risks of harm in the event of inaccuracies or a security breach are much greater – you can't reset someone's face or fingerprint like you can reset a password".
If you are using, or thinking of using, biometric data, you must take several steps to ensure that you protect that data and comply with your data protection obligations – failure to do so poses significant risks to individuals and to your organisation. The ICO's guidance identifies steps that you must take, including:
- Adopting a data protection by design approach: compliance with personal data obligations should always be front of mind given the potential severity of the risks to data subjects' rights and freedoms. How will you minimise the data that is being processed? Is it necessary to use biometric data? What technical and organisational measures will you take to provide additional safeguards? You must appropriately encrypt any biometric data that you use – has this been considered? How can you ensure you can comply with any data subject rights requests – will it be impractical or technically problematic to provide a copy of someone's data, for example? How do you ensure that the biometric data will be stored securely? The responses to these questions (and others) should be considered and addressed before commencing any processing of biometric data.
- Completing a data protection impact assessment (DPIA). The ICO's guidance provides that a DPIA must be undertaken before using biometric recognition systems. The DPIA will assist you in identifying and minimising the data protection risks inherent in processing biometric data and will help in considering and addressing some of the questions raised above. You need to keep the DPIA under review and update it throughout the lifecycle of the system.
- As part of the DPIA, assess the impact that the use of the system will have on those whose information will be processed. In some cases, you may also need to consider the impact on wider society (e.g. if you were using biometric data on a large scale in public spaces).
- Ensure that you have a written contract in place with any processors that includes the mandatory Article 28 UK GDPR processor clauses. You will also need to check, amongst other things, whether the processor intends to use any sub-processors and if so, that the processor has flowed down the same contractual obligations to those sub-processors.
Other points that you need to deal with include:
- Understanding your data flows – are you a controller of the biometric data? Are there other controllers involved? Are you using any processors to process the biometric data? If so, have you conducted thorough due diligence on your processor(s) and documented why the processor(s) have been selected?
- Identifying the lawful basis for the processing: you will need to identify the appropriate lawful basis under Article 6 UK GDPR and a special category processing condition under Article 9 UK GDPR. Whilst consent may sometimes be the most appropriate, it will not always be. For example, can you ensure that a data subject can retract their consent at any time without suffering any detriment, such as no longer being able to access a service? Is the individual fully informed as to what they are consenting to?
- Ensuring the outcomes from the system are sufficiently accurate, fair and non-discriminatory. Whilst the ICO acknowledges that errors can never be entirely eliminated from such systems, you must be able to understand the possible impact that any inaccuracies may have. You will need to put in place procedures to diagnose issues and errors, and to highlight biases in the system. As above, implementing a data protection by design approach and conducting a thorough DPIA at the outset can assist you in identifying and mitigating some of these potential issues.
- How you provide clear and transparent information to individuals to explain the use of the biometric recognition system. Can you easily explain the potential impacts of any decisions that the system makes? Are you able to explain what other options are available if an individual wishes not to use the biometric recognition system?
- Are you using the biometric recognition system to make automated decisions about individuals? People have the right not to be subject to decisions based solely on automated processing that produces legal or similarly significant effects – will the biometric recognition system deny someone access to a service, for example? Is there any human involvement in the decision?
The use of biometric recognition systems can be transformative but is not without risk – the ICO has various powers available to it, including reprimands, fines and ordering that you cease processing personal data. It is therefore vital to ensure that data protection compliance is a key consideration from the outset.
Our expert team of data protection lawyers are on hand to assist you with all of your compliance obligations if you are considering using a biometric recognition system.
This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.