The ICO has published the first phase of draft guidance on biometric data and biometric technologies for public consultation.
Why?
The ICO set out the reasoning for publishing this draft guidance on biometric data in an Impact Assessment. The ICO stated in the Impact Assessment that it anticipates the use of biometric recognition systems is likely to increase significantly in the next decade. These technologies are expected to be used in sectors such as banking and finance, retail, education, and entertainment. This has been driven by several factors, including:
- the availability of facial recognition as a cost-effective means of authentication;
- the ease of rapidly analysing biometric data due to advances in machine learning and AI; and
- the increase in crime (both offline and online), which has driven up demand for biometrics in multi-factor authentication.
In a previous ICO Call for Evidence, feedback highlighted that the use of biometric technologies for unique identification can pose significant risks to individuals’ rights and freedoms, has the potential to cause harm (such as discrimination and loss of control over personal data), and presented a lack of clarity over the appropriate and lawful use of biometrics for recognition.
In addition, the Call for Evidence highlighted that clarification was required regarding the appropriate and lawful use of biometrics for recognition within existing guidance, including clarification regarding terminology and context specific data protection guidance.
To address these concerns, the ICO plans to publish guidance on how data protection law applies when biometric data is used in biometric recognition systems. The guidance is intended for organisations that use or are thinking about using biometric recognition technologies. The guidance will cover:
- the definition of biometric data;
- what is considered biometric data;
- how this data is used in biometric recognition systems; and
- the data protection requirements that must be satisfied.
Key takeaways from the draft guidance:
- Although the definition of biometric data is set out in the UK GDPR, the ICO guidance goes further and refers to “biometric recognition”, which is the use of biometric data for “identification” and “verification”. The use of the term biometric recognition is intended to reflect terms and definitions used in industry standards as well as the outcomes of biometrics reports. Identification refers to a one-to-many matching process (i.e. “who is this person?”). Verification refers to a one-to-one matching process (i.e. “is this person who they claim to be?”). Both of these processes require biometric data to uniquely identify someone.
- Not all biometric data is automatically special category personal data under the UK GDPR. This is because the purpose for which the biometric data is processed is important in determining whether it is special category personal data. For the processing of biometric data to be special category personal data, it must be processed for the purpose of “uniquely identifying a natural person”. The draft guidance clarifies that uniquely identifying someone using biometric data involves: (a) collecting personal data relating to someone’s characteristics and processing it in a certain way, such as creating a biometric template; and (b) comparing that data with other biometric data that you hold to identify a match.
- The ICO’s position is that explicit consent is likely to be the legal basis most organisations would need to rely on in practice to process special category biometric data for biometric recognition. While other legal bases may apply, a case-by-case analysis would be required. The draft guidance also covers other justifications such as research and the prevention and detection of unlawful acts.
- Before adopting a biometric recognition system, a data controller/processor must follow a data protection by design approach and undertake a Data Protection Impact Assessment (DPIA).
- In relation to security measures, the draft guidance expressly states that organisations “must also encrypt any biometric data that you use”, as well as conducting “regular testing and reviews of your security measures to ensure they remain effective”.
Next steps:
The first phase of the consultation on the guidance is open for public consultation until Friday 20 October 2023.
The ICO’s second phase of the consultation and guidance will address biometric classification and data protection, which will include a call for evidence early in 2024.