In August 2023, the UK's data protection regulator, the ICO, published draft biometric data guidance (guidance) for consultation. The consultation closed on 20 October 2023. The second half of the guidance, which will focus on biometric classification and data protection, will be subject to a call for evidence early in 2024.
The guidance explains how data protection law applies when using biometric data in biometric recognition systems. It sets out the law and makes good practice recommendations, focusing particularly on what constitutes biometric data, when that is considered special category data, how it is used in biometric recognition systems, and the resulting data protection compliance requirements. The use of biometrics in law enforcement is not covered although the ICO makes the point that some of the principles outlined in the guidance will be relevant.
What is biometric data?
Article 14(4) GDPR defines biometric data as "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic [fingerprint] data".
The guidance analyses the three required elements:
Relates to physical, physiological or behavioural characteristics
Essentially characteristics which are unique, either biological (like iris, voice, fingerprints) or behavioural (e.g. keystroke analysis, signature, gaze analysis).
Specific technical processing
Specific technical processing describes a discrete processing operation or set of operations which generate biometric data. As the guidance explains, this means a digital photo is not inherently biometric data. It is only when further technical steps are taken that it may become biometric data. This may include the enrolment phase where biometric details are captured to create a sample, and the extraction phase where the information in the sample is extracted.
Information allows or confirms someone's unique identification
This is about the properties of the information, not about the intention of the data controller. So where the data allows or confirms unique identification, whether or not that is the intention, it will qualify.
What is special category biometric data?
Not all biometric data is special category data. It will be special category data if it is used to uniquely identify someone, but even if that is not the purpose of the processing, it may contain other types of special category data, for example information about someone's racial or ethnic origin, or information about their health, sex life or sexual orientation. While the definition of biometric data ties into the possibility of allowing unique identification, it is clear from Article 9(1) that biometric data is only special category data where it is used "for the purpose of uniquely identifying a natural person". The introduction of a purpose requirement makes special category biometric data different from other types of special category data, where the purpose behind the processing is not relevant to its classification as special category data requiring additional protections.
Biometric recognition – what is it and what type of data is processed?
The guidance highlights that biometric recognition is an umbrella term used to refer to the use of biometric data for:
- Identification – a one-to-many (1:N) matching process – biometric data of one person is compared with that of many others to find a match, asking the question 'who is this person?'
- Verification – a one-to-one (1:1) matching process. A person provides biometric data that is compared against their stored biometric record, asking the question 'is this person who they claim to be?'
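As an added illustration (not part of the ICO guidance), the sketch below separates the enrolment and extraction phases from the two matching modes. The templates, the Euclidean distance measure and the threshold value are all assumed for the example; a real system extracts feature vectors from captured samples.

```python
import math
from typing import Dict, List, Optional

# Assumed decision threshold on the distance between two templates.
THRESHOLD = 0.15

def extract(raw_sample: List[float]) -> List[float]:
    """Extraction phase: turn a captured sample into a template.
    Here this is simply length-normalisation of a constructed vector."""
    norm = math.sqrt(sum(x * x for x in raw_sample)) or 1.0
    return [x / norm for x in raw_sample]

def enrol(user_id: str, raw_sample: List[float], db: Dict[str, List[float]]) -> None:
    """Enrolment phase: store the template for a known person."""
    db[user_id] = extract(raw_sample)

def distance(a: List[float], b: List[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def verify(claimed_id: str, probe: List[float], db: Dict[str, List[float]]) -> bool:
    """1:1 matching: 'is this person who they claim to be?'
    Only the record for the claimed identity is consulted."""
    template = db.get(claimed_id)
    if template is None:
        return False
    return distance(extract(probe), template) <= THRESHOLD

def identify(probe: List[float], db: Dict[str, List[float]]) -> Optional[str]:
    """1:N matching: 'who is this person?'
    Every enrolled record is compared; the closest one under the
    threshold is returned, or None if nobody matches."""
    features = extract(probe)
    best_id, best_dist = None, THRESHOLD
    for user_id, template in db.items():
        d = distance(features, template)
        if d <= best_dist:
            best_id, best_dist = user_id, d
    return best_id

def build_db() -> Dict[str, List[float]]:
    """Constructed enrolment data for three people (not real biometric features)."""
    db: Dict[str, List[float]] = {}
    enrol("user-a", [1.0, 8.0, 3.0, 5.5], db)
    enrol("user-b", [9.0, 2.0, 4.0, 1.0], db)
    enrol("user-c", [5.0, 5.0, 5.0, 5.0], db)
    return db
```

Note that the same stored templates serve both modes; the difference lies in how many records a single probe is compared against, which is why the guidance treats the two as distinct questions.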
Having explained the various definitions, the guidance then explains that:
- if you use a biometric recognition system you are processing personal data
- if you use a biometric recognition system, you are also using biometric data
- if you use a biometric recognition system, you are using special category biometric data because your purpose is to uniquely identify someone.
So you want to use a biometric recognition system – what do you need to do?
The second part of the guidance deals with data protection compliance when using special category biometric data in biometric recognition systems. Clearly it will engage large swathes of data protection law including, under the UK GDPR:
- demonstrable compliance with the Article 5 Principles
- identifying a lawful basis
- identifying an Article 9 condition for processing special category data
- adopting data protection by design and default
- complying with information and transparency requirements.
The guidance focuses on some of the trickier areas of compliance in the context of special category biometric data including:
Do you need to do a DPIA?
The guidance reminds users that a Data Protection Impact Assessment (DPIA) will be needed prior to processing likely to result in a high risk to people's rights and freedoms. It says that this is "highly likely" to be triggered when using a biometric recognition system, because a DPIA must be carried out where there is a plan to process special category data on a large scale, or where systematic monitoring of a publicly accessible area on a large scale is planned; most uses of biometric recognition systems will involve one of these.
In addition, even if neither of these criteria applies, a DPIA must be done if the planned processing matches one of the scenarios on the ICO's list of high-risk processing operations, a few of which relate to biometric data processing for the purpose of uniquely identifying an individual. As part of the DPIA, you should consider whether privacy enhancing technologies might mitigate risk.
Is explicit consent needed when processing special category biometric data?
The guidance says "in most cases, explicit consent is likely to be the only valid condition for processing special category biometric data". It underlines the need for consent to be freely given, which means it is unlikely to be valid where there is an imbalance of power, for example in an employment relationship or where the processing is carried out by a public authority. In such cases, a suitable alternative must be offered to people who choose not to consent.
Are any other Article 9 conditions likely to be available?
There may be alternatives to consent in limited situations including:
- Prevention and detection of unlawful acts – this will apply if you need to use biometric data for crime prevention or detection purposes and asking for consent would mean you could not achieve those purposes. You must be able to show that using the special category data is necessary both for the prevention and detection of crime and for reasons of substantial public interest. You should demonstrate that you are using the data in a targeted and proportionate way to deliver the specific purposes set out in the condition and that you cannot achieve them in a less intrusive way, and you must have an appropriate policy document in place at the time the processing starts.
- Research – you must be able to show that using the data is necessary for the research purpose and that your use is necessary and proportionate.
Automated decision making
The guidance reminds users of biometric recognition systems that there are restrictions on using personal data to make solely automated decisions about someone which have legal or similarly significant effects. If there is a risk of your system doing that, you must put in place meaningful human review.
Other issues
The guidance warns that there are several risks associated with biometric recognition systems, including potential inaccuracy, discrimination and data breaches. These issues need to be understood and the risks mitigated, including by selecting high quality products and applying appropriate security measures.
What does this mean for you?
The guidance is fairly high level and links out to more detailed guidance about the areas of data protection law it covers. If you have a good knowledge of UK data protection law, nothing in the guidance is likely to come as much of a surprise. The practical examples used relate to fairly simple employer/employee situations, rather than more complex uses of biometric recognition systems where greater nuance is required.