What’s this all about?
The use of biometric recognition systems is growing fast, notably in the banking, finance, education, entertainment, and retail sectors. Biometrics is all around us and getting cheaper to purchase and operate. Its use has also thrown up a number of data protection/privacy issues, including the potential for harms such as discrimination and loss of control over personal data, with consequent regulatory action and private litigation. The UK data protection regulator, the Information Commissioner’s Office (“the ICO”), recently issued draft “Guidance on biometric data” (“the Guidance”), which this article looks at in brief.
What do data protection rules say about biometrics?
The key provisions about data protection and biometrics of EU GDPR and UK GDPR are as follows:
- Article 4(14) defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”;
- Article 9(1) prohibits the processing of biometric data for the purpose of uniquely identifying an individual, unless specific conditions are met (as set out under Article 9(2)) such as an individual’s explicit consent; and,
- Article 35 mandates the use of Data Protection Impact Assessments (“DPIA”) in certain circumstances; although biometrics is not specifically named there, the processing of biometric data will very likely fall within the circumstances in which a DPIA must be undertaken, and Recital 94 in fact specifically mentions that a DPIA must be undertaken concerning biometric data.
The UK’s Data Protection Act 2018 (“the DPA 2018”) also deals with biometric data, for example in Part 2 of Schedule 1 of the DPA 2018, which addresses the substantial public interest conditions for processing special categories of personal data (see Section 16(2)(c) concerning biometric data).
Why the need for guidance?
The lack of clarity over terminology, and the absence of context-specific data protection guidance, has driven the ICO to introduce official guidance explaining how data protection law applies to biometric data in biometric recognition systems.
What does the guidance say?
Edited highlights of the Guidance include the following:
- “What is biometric data?
“Personal data is only biometric data if it:
- relates to someone’s behaviour, appearance, or observable characteristics (e.g. the way someone types, a person’s voice, fingerprints, or face);
- has been extracted or further analysed using technology (e.g. an audio recording of someone talking is analysed with specific software to detect things like tone, pitch, accents and inflections); and,
- can uniquely identify (recognise) the person it relates to”;
- “What is special category biometric data?
When you use biometric data for the purpose of uniquely identifying (recognizing) someone, it is special category biometric data”;
- “What is biometric recognition?
[…] the term “biometric recognition” [is used] to refer to biometric data used for identification and verification. […]
Identification refers to a one-to-many (1:N) matching process. Biometric data of one person is compared with that of many other people to find a match. It asks the question “Who is this person?”.
Verification refers to a one-to-one (1:1) matching process. A person provides biometric data that is compared against their stored biometric record. It asks the question “Is this person who they claim to be?”.
Both of these processes require biometric data to uniquely identify someone”;
- “Do biometric recognition systems use personal data?
Yes. If you use a biometric recognition system, then you are processing personal data”;
- “Do biometric recognition systems use biometric data?
Yes. By default, if you use a biometric recognition system, you are also using biometric data.
This is because the personal data the system creates meets all three aspects of the definition of biometric data in data protection law, which are listed below.
1. The information is about someone’s physical, physiological or behavioural characteristics
“Physical and physiological” relate to someone’s biological characteristics.
These are unique to every person, which is why you can use them effectively for identification and verification. These characteristics can include a person’s facial features, fingerprints, iris, voice and even their ear shape.
Examples of physical or physiological biometric recognition techniques include:
- facial recognition;
- fingerprint verification;
- iris scanning; and,
- voice recognition.
“Behavioural” is about characteristics that relate to things like movements, gestures or motor skills. […]
Examples of behavioural biometric recognition techniques include:
- keystroke analysis;
- handwritten signature analysis;
- gait analysis; and,
- gaze analysis (eye tracking).
2. The information results from specific technical processing
The term “specific technical processing” describes a discrete processing operation, or set of processing operations, which generate biometric data.
[…]
Specific technical processing can refer to some of the key stages involved in biometric recognition systems. For example:
- the “enrolment” phase, where biometric characteristics are captured, creating a biometric sample; and,
- the “extraction” phase, where the information in the sample is extracted and transformed by an algorithm, creating a biometric template.
3. The information allows or confirms someone’s unique identification
This is about the properties of the information itself, not what you intend to use it for.
The wording “allow or confirm” means that where it is possible to identify someone, even if this is not your intention, this part of the definition will be met”;
- “Do biometric recognition systems use special category biometric data?
Yes. If you use a biometric recognition system, you are using special category biometric data. This is because the purpose of a biometric recognition system is to uniquely identify someone using biometric data.
[…]
In order to uniquely identify someone using biometric data, your purpose involves:
- collecting personal data relating to someone’s characteristics and processing it in a certain way (e.g. to create a biometric template); and,
- comparing that data with other biometric data that you hold in order to identify a match.
If you intend to take these steps, then you are processing biometric data for the purpose of unique identification.
This means that you will be processing special category biometric data from the moment you collect the data as described in the first step, not from the point that you attempt any comparison for identification purposes.
This purpose test is met whenever you use a biometric recognition system, because your purpose for doing so will be either to establish:
- who someone is (identification); or,
- if someone is who they claim to be (verification).
Both of these involve comparing a biometric template against another (reference) template for the purpose of finding a match.
However, it is also important to remember that you are still processing special category biometric data, even if:
- you do not find a match. You are still creating and comparing biometric templates for the purpose of unique identification; or,
- your overall purpose does not require the unique identification of people.
If at any stage your use of biometric data requires you to uniquely identify someone, then you are processing special category data”;
- “Do we need to do a DPIA?
You must complete a DPIA for any processing likely to result in a high risk to people’s rights and freedoms. It is highly likely that you will trigger this requirement by using any biometric recognition system.
This is because data protection law says that you must do a DPIA if you plan to:
- process special category data on a large scale; or,
- undertake systematic monitoring of a publicly accessible area on a large scale.
Most uses of biometric recognition systems involve one of these criteria.
Even if your system won’t trigger these criteria, you must do a DPIA if your processing matches one of the scenarios on [the ICO’s] published list of high risk processing operations.
This includes several scenarios where biometric data is used for the purpose of uniquely identifying someone.
And, even if you don’t use special category biometric data, you may assess that your proposal to use biometric data is still likely to result in high risk, given the context and purpose”;
- “Do we need explicit consent when we process special category biometric data?
In most cases, explicit consent is likely to be the only valid condition for processing special category biometric data.
Where there is an imbalance of power between you and the person, you should carefully consider whether relying on explicit consent is appropriate.
This is because anyone who depends on your services, or fears adverse consequences if they refuse, may feel they have no choice but to agree. This means people may not freely give their consent. This is particularly an issue for public authorities and employers.
You must offer a suitable alternative to people who choose not to consent and ensure they do not feel under pressure to consent”;
- “What other conditions might apply for biometric recognition?
[…] Prevention and detection of unlawful acts
This condition applies if:
- you need to use biometric data for crime prevention or detection purposes; and,
- asking for people’s consent means you wouldn’t achieve those purposes.
You must be able to show that using special category biometric data is “necessary” both for the prevention and detection of crime and for reasons of substantial public interest.
To satisfy this condition, you should demonstrate you are using biometric data in a targeted and proportionate way to deliver the specific purposes set out in the condition, and that you cannot achieve them in a less intrusive way.
You must also have an appropriate policy document in place at the time your processing starts”;
- “What if we don’t have consent and no other condition applies?
If you cannot gain explicit consent, and no other condition is appropriate, then you will infringe data protection law if you process special category biometric data. This is because your processing is unlawful”;
- “What else do we need to consider?
Using biometric recognition systems can raise several potential risks, including:
- accuracy – where the system generates errors because it does not correctly identify people;
- discrimination – where people or groups are treated unjustly on the ground of protected characteristics; and,
- security – where unauthorized people can access the biometric data, or the system can be tricked (spoofed) into allowing access when it shouldn’t.
If you don’t address these risks, you could contravene data protection law and other equalities legislation. This may leave you exposed to further legal claims, as well as regulatory action”;
- “How do we deal with security risks?
[…]
You must apply appropriate security measures when you use biometric data. You should determine these by carrying out a risk analysis that considers:
- the circumstances of your processing and the likely security threats you may face;
- the damage or distress that may be caused if the biometric data is compromised; and,
- what forms of attack your system might be vulnerable to.
You must also conduct regular testing and reviews of your security measures to ensure they remain effective.
You must also encrypt any biometric data that you use.”
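The one-to-many (1:N) identification and one-to-one (1:1) verification processes described in the Guidance, together with the enrolment and extraction phases that produce a biometric template, as an added illustration in Python that is not part of the ICO’s Guidance or this article. The four-dimensional sample vectors, the cosine-similarity threshold and the class and function names are assumptions; a comparison counter shows that templates are still created and compared even when no match is found.

```python
import math

# Added illustration of the Guidance's terminology, not real biometric code.
# Samples are constructed 4-dimensional feature vectors standing in for what a
# sensor captures at the "enrolment" phase; a real extractor is far more complex.
MATCH_THRESHOLD = 0.9  # assumed cosine-similarity decision threshold


def extract_template(sample):
    """'Extraction' phase: transform a raw sample into a biometric template.
    Here the template is simply the unit-length version of the sample."""
    norm = math.sqrt(sum(x * x for x in sample))
    if norm == 0.0:
        raise ValueError("empty sample cannot yield a template")
    return tuple(x / norm for x in sample)


def similarity(t1, t2):
    """Cosine similarity between two templates (both unit length)."""
    return sum(a * b for a, b in zip(t1, t2))


class BiometricStore:
    """Holds reference templates and counts comparisons, to show that templates
    are created and compared even when no match is found."""

    def __init__(self):
        self.references = {}
        self.comparisons = 0

    def enrol(self, person_id, sample):
        # Per the Guidance, special category processing starts here, at collection.
        self.references[person_id] = extract_template(sample)

    def verify(self, claimed_id, sample):
        """1:1 verification: 'Is this person who they claim to be?'"""
        reference = self.references.get(claimed_id)
        if reference is None:
            return False
        self.comparisons += 1
        return similarity(extract_template(sample), reference) >= MATCH_THRESHOLD

    def identify(self, sample):
        """1:N identification: 'Who is this person?' Returns best id or None."""
        probe = extract_template(sample)
        best_id, best_score = None, MATCH_THRESHOLD
        for person_id, reference in self.references.items():
            self.comparisons += 1
            score = similarity(probe, reference)
            if score >= best_score:
                best_id, best_score = person_id, score
        return best_id
```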
Consultation
The draft biometric data guidance is the first phase of the guidance and is subject to consultation, closing on 20 October 2023. The second phase, which deals with biometric classification and data protection, will include a call for evidence early in 2024.
What are the takeaways?
Organizations interested in having their point of view heard should consider responding to the consultation.
As a matter of general biometrics and data protection/privacy compliance, organizations processing biometric data should consider doing the following:
- Checking their policies and procedures to make sure that they address biometrics issues;
- Undertaking a DPIA;
- Ensuring that explicit consent has been obtained for use of biometrics, or an alternative legal basis if possible; and,
- Training staff.
Bear in mind that the guidance is by no means exhaustive of all possible issues, and guidance is only guidance – only a court has the final say on what the law means.
Resources
We report about data protection and privacy issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
See our other articles that touch on biometrics and related issues including here: https://www.corderycompliance.com/ico-fines-dp/ and here: https://www.corderycompliance.com/clearview-to-close-oz-ops/.
The ICO draft “Guidance on biometric data” can be found here: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/guidance-on-biometric-data/.
The “ICO consultation on the draft biometric data guidance” can be found here: https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/ico-consultation-on-the-draft-biometric-data-guidance/.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | Office: +44 (0)207 075 1784 | Jonathan.armstrong@corderycompliance.com
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | Office: +44 (0)207 347 2365 | Andre.bywater@corderycompliance.com