The Information Commissioner's Office (ICO) has published draft guidance on biometric data and biometric technologies, which is currently open for consultation. This guidance is the first of two phases; the second will focus on biometric classification and data protection and will be the subject of a call for evidence early next year.
What does the draft guidance cover?
The draft guidance is intended for use by organisations using, or vendors of, biometric recognition systems. It explains how data protection law applies to the use of these systems, along with recommendations for good practice.
To assist those organisations, the guidance specifically covers what biometric data is, when it is considered special category data, and its use in biometric recognition systems.
What biometric data is
The guidance makes clear that biometric data will be considered "personal data" where it can uniquely identify the person it relates to. Article 4(14) UK GDPR defines biometric data as:
“personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic [fingerprint] data.”
Certain biometric data will fall within the definition of 'special category data' if it is processed "for the purpose of uniquely identifying a natural person."
This is slightly different from the definition of biometric data, meaning that not all biometric data is automatically special category data. As the ICO states, "it's your purpose for using the biometric data that matters" (i.e. do you intend to use it in order to uniquely identify someone?).
Data protection requirements when using biometric data
The draft guidance considers the use of "biometric recognition", noted as an industry term, rather than a definition under data protection law. Biometric recognition uses personal data, biometric data and special category biometric data in order to complete identification or verification processes.
Organisations must use a data protection by design approach when using biometric data and, because of the high-risk nature of special category biometric data, must complete a data protection impact assessment (DPIA) when it is processed.
The guidance suggests that explicit consent is likely to be the valid condition for processing special category biometric data. Organisations must offer a suitable alternative to those data subjects who choose not to provide consent. The example given in the guidance is a gym that controls access using facial recognition technology. As this is special category data, the gym must obtain explicit consent from its customers or provide an alternative; in this instance, the use of a unique PIN to obtain access is proposed.
What responses is the ICO seeking on the draft guidance?
The ICO is seeking clarification from interested parties that the guidance clearly sets out:
- the definition of biometric data within data protection law
- the different tests for identifiability and unique identifiability
- the legal status of biometric data when used for biometric recognition purposes
- the potential benefits and harms of biometric recognition solutions
- a clear explanation of all data protection obligations when using biometric data.
Our view and responding to the consultation
Guidance on the use of biometric data is long overdue and should be welcomed. However, in our view, the current draft fails to address some of the most challenging issues, particularly in relation to the relevant condition for processing special category data. In any instance of the use of such technology outside of a one-on-one direct engagement (as in the "gym" example currently provided), consent is not a practical option. The draft guidance fails to consider any of the more challenging issues that arise, particularly in relation to the use of such data for the purposes of crime prevention and detection.
Many businesses, particularly in the real estate sector, are considering the use of biometric data. Technology utilising this data can have a role in protecting staff and the general public on premises, preventing crime and assisting the police. Of course, it is also true that the use of such technology can be very high risk and there are many vocal groups who advance relevant concerns. For example, earlier this year a group of parliamentarians openly signed a letter, coordinated and co-signed by the privacy groups Big Brother Watch, Liberty and Privacy International, describing such technology as "invasive and discriminatory" and urging an end to the use of facial recognition across the country.
In order for the ICO to take a balanced approach within its guidance, it is important for it to receive views not only from privacy lobby groups but also from businesses and individuals, so that it understands the practical and economic impact on all parties involved. Companies who use or want to use biometric data would be well advised to put their opinions and experiences to the ICO in this consultation period.
In the meantime, before the ICO guidance is finalised, if businesses are starting to process biometric data, a full DPIA should be carried out and all appropriate safeguards put in place.
The consultation runs until 20 October 2023. You can respond to the consultation here.