If your organisation is processing biometric data under the UK GDPR, understanding its legal classification and how it intersects with biometric recognition systems is essential.
The Information Commissioner’s Office (ICO) has biometric data guidance to help you, as an organisation or a vendor, ensure compliance, particularly where biometric data could be classified as special category personal data. Given the high risks and complex obligations involved, particularly regarding lawful bases for processing and the use of biometric data for identification or verification, it is crucial that you seek legal advice early.
Our data protection solicitors can help you assess whether your use of biometric systems meets regulatory requirements, assist with Data Protection Impact Assessments, and advise on how to navigate the ICO’s expectations with confidence.
Key takeaways from the ICO guidance
The ICO's biometric data guidance outlines several key legal and compliance points:
- What constitutes biometric data?
- When biometric data qualifies as special category data.
- How biometric recognition systems work.
- The main UK GDPR compliance requirements you must follow.
What is biometric data?
Under Article 4(14) of the UK GDPR, biometric data means:
"Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person which allow or confirm the unique identification of that natural person, such as facial images or fingerprint data."
For data to count as biometric data, it must:
- Relate to your physical, physiological, or behavioural traits (e.g. fingerprints, facial features, voice patterns).
- Be extracted or analysed using specific technology.
- Enable or confirm unique identification.
Examples include:
- Facial recognition.
- Voice recognition.
- Iris or retina scans.
- Fingerprint scanning.
Note: If the data doesn't meet all these conditions, even if it's based on a biometric source (such as a standard voice recording), it won't be considered biometric data under the UK GDPR.
Biometric data vs special category data
Biometric data becomes a special category of personal data under Article 9 of the UK GDPR when it is used to identify a person. This means your purpose and how you use the data are key.
For example:
- Using facial recognition to verify someone's identity: special category data.
- Recording a conversation in which a voice is captured but not analysed or used to identify anyone: not special category data (though still personal data).
If you're using biometric data to identify someone, you must have:
- A lawful basis under Article 6, and
- A condition under Article 9 (e.g. explicit consent).
What is biometric recognition?
Biometric recognition is when you use biometric data to identify or verify people. Identification means matching a person's biometric data against a group of records to find out who they are, while verification means confirming that a person is who they claim to be by matching their biometric data against a claimed identity – for example, unlocking a phone with a fingerprint.
These systems are commonly used in apps, for workplace access, and in financial services. They often replace things you know (like passwords) or have (like ID cards) with something you are (your biometric data).
Lawful basis and conditions for processing
The ICO says biometric recognition typically involves high-risk processing. In most cases, you'll need to rely on explicit consent under Article 9(2)(a), as well as a lawful basis under Article 6 (like legitimate interests or consent).
Remember: explicit consent must be freely given, specific, informed, and unambiguous. It must be meaningful – if giving consent is required to get a job or service, it might not be valid.
Other grounds under Article 9 (like substantial public interest) may apply in rare situations.
Data protection by design and default and DPIAs
Because of the risks involved, the UK GDPR says you must carry out a Data Protection Impact Assessment (DPIA) for most uses of biometric recognition. Your DPIA should:
- Be completed before deploying any biometric system.
- Show why the processing is necessary and proportionate.
- Assess the risks to people’s rights and freedoms.
- Identify the security measures you will put in place, such as encryption and access controls.
You're also required to follow the data protection by design and by default principle. That means:
- Collecting only the biometric data you truly need.
- Limiting access to authorised people.
- Reviewing and updating your security regularly.
- Keeping records to show your decisions and demonstrate accountability.
Transparency and accountability
You must be open about how you use biometric systems. This means providing clear privacy notices that explain your purposes and lawful bases for processing, as well as stating how long data will be retained. You also need to ensure individuals can exercise their rights, such as accessing their data, objecting to its use, or requesting its deletion.
What you should do next
As biometric technology becomes more common, it's essential to seek legal advice and manage risks carefully. The ICO's expectations are clear, but applying them to your situation and your business may be complex, especially where special category data, consent, or DPIAs are involved.
Our data protection solicitors can review how you're using biometric data, help you prepare your DPIA, advise you on lawful bases and consent, and support you in staying compliant as regulations evolve.