The UK Information Commissioner’s Office (the ICO) recently began a public consultation on new guidance it has produced on the use of biometric data. This guidance is for organisations that use or are considering using biometric recognition systems. It is also for vendors of these systems. It is for both controllers and processors. The term “biometric recognition” refers to biometric data used for identification and verification.
Biometric data is personal data and in some instances can also be considered special category data, so data protection law rules must be followed when organisations use it. Our highly experienced data protection solicitors can provide advice on this or any UK GDPR compliance issues.
You can find the draft guidance here.
Key points from the ICO’s guidance
The ICO’s guidance shares information on the key legal rules for organisations to follow when using biometric systems. The key issues that it covers are as follows:
- what is biometric data;
- when it is considered special category data;
- its use in biometric recognition systems; and
- the data protection requirements you need to comply with.
What is biometric data?
The ICO notes the following definition of ‘biometric data’ under that Article 4(14) of the UK GDPR:
‘Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic [fingerprint] data.’
The draft guidance notes that personal data is only biometric data if it:
- relates to someone’s behaviour, appearance or observable characteristics (e.g. fingerprints, face or voice);
- has been extracted or analysed using technology (e.g. an audio recording analysis); and
- can uniquely identify the person it relates to.
Common examples of biometric data include:
- facial recognition;
- voice recognition; and
- iris scanning.
Biometric data vs special category data
The ICO’s guidance notes that biometric data becomes ‘special category’ data if it used to uniquely identify (recognise) someone. This means that not all biometric data is special category biometric data, this criteria is only met if it the purpose of processing is to uniquely identify someone.
Where biometric data is deemed as ‘special category’ data, various additional rules apply under the UK GDPR because this type of personal data is perceived as more sensitive. For example, organisations will to have need a ‘valid condition’ for processing under Article 9 of the UK GDPR, as well as a ‘lawful basis’ for processing under Article 6 of the UK GDPR.
When processing biometric data without seeking to uniquely identify a living individual (even though the information is capable of being used in this way) the information will not be special category data but is still likely to constitute “personal data” and so an Article 6 lawful basis must be satisfied. The draft guidance gives the example of a company recording calls made by its employees. The employer may be able to recognise individual staff members from the recordings but the example indicates that a digital voice recording would not be biometric data because it has not been extracted or further analysed using technology (it also follows that it would not be special category biometric data).
However, even if this is not your purpose, the biometric data you process may still include other types of special category data. For example, biometric data may reveal information about someone's racial or ethnic origin or could include information about health, sex life or sexual orientation.
See further information in our article about special category personal data.
What is biometric recognition?
‘Biometric recognition’ means using biometric data in the process of identification and verification e.g. identifying someone in a group or verifying someone’s identity.
For example, this occurs where apps use iris recognition to allow customers to access their accounts, or access control verification. In these scenarios biometric recognition systems replace a password (something you know) or a swipe card (something you have) with biometric data (something you are).
Using biometric recognition systems has several advantages, for example the cost can be minimised because there is no need to issue new identity cards and they may arguably be more secure than using passwords (which can be forgotten or shared).
Key issues for organisations using biometric data
The rules around using biometric data are complex.
The use of biometric data and recognition systems are also increasingly prevalent in our technologically advancing society, so it is vital that relevant organisations review the ICO’s guidance.
Key tips for organisations using biometric data include:
- Understand what personal data you hold and whether you are processing ‘biometric data’ under the UK GDPR. Make sure you understand that any biometric data you process will bring you within the scope of the UK GDPR rules, which you’ll need to comply with.
- Understand whether you process biometric data as a data controller or a data processor. This will have an impact on your obligations under the UK GDPR.
- Consider whether your use of biometric data equates to processing ‘special category biometric data’. If so, you are likely to only be able to rely upon the grounds of ‘explicit consent’ to use such data (as the ICO’s guidance notes that, in most cases, explicit consent will likely be the only ground organisations are able to rely upon to process data in this way). Various stringent rules apply when relying upon explicit consent. If you are unsure about seeking explicit consent validly, you should seek legal advice, as this is high risk.
- Where biometric is being used by your organisation Privacy by design principles still apply and the need to carry out a Data Protection Impact Assessment (DPIA) will need to be carefully considered. A DPIA will be required where processing is high risk. Where your data processing uses biometric recognitions systems, you are highly likely to need a DPIA. You’ll also need to make sure you have strong data security practices and measures in place to safeguard biometric data as the security of biometric data must be thoroughly and appropriately considered by organisations processing it. Any biometric data used must be encrypted and regular testing of the security system should be undertaken to ensure that protection measures remain effective over time. See further information on impact assessments.
Next steps for organisations
We will await the outcome of the ICO’s consultation, which is due to stay open until 20 October 2023. After receiving feedback from the consultation process, the ICO will work to finalise its guidance on this topic. The ICO will also be releasing a second phase of guidance next year (titled “biometric classification and data protection”) with a call for evidence expected in early 2024.
In the meantime, if your organisation uses biometric technology, you should carefully review the ICO’s guidance and keep up to date with developments in this space.
Understanding the rules around the use of biometric data can be extremely complicated and there are several factors to consider in order to ensure that your processing of this data is lawful. Please contact our data protection solicitors if you would like advice on your organisation’s use of biometric data or any UK GDPR compliance issues.