Published 4 September 2023
The Information Commissioner's Office (ICO) has published draft guidance relating to biometric data and biometric technologies, which is currently open for consultation. This guidance is the first of two phases; the second will focus on biometric classification and data protection and will be the subject of a call for evidence early next year.
What does the draft guidance cover?
The draft guidance is intended for use by organisations using, or vendors of, biometric recognition systems. It explains how data protection law applies to the use of these systems, along with recommendations for good practice.
To assist those organisations, the guidance specifically covers what biometric data is, when it is considered special category data, and its use in biometric recognition systems.
What biometric data is
The guidance makes clear that biometric data will be considered "personal data" where it can uniquely identify the person it relates to, with Article 4(14) UK GDPR defining biometric data as:
“personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic [fingerprint] data.”
Certain biometric data will fall within the definition of 'special category data' if it is processed "for the purpose of uniquely identifying a natural person."
This is slightly different from the definition of biometric data, meaning that not all biometric data is automatically special category data. As the ICO states, "it’s your purpose for using the biometric data that matters" (i.e. do you intend to use it in order to uniquely identify someone).
Data protection requirements when using biometric data
The draft guidance considers the use of "biometric recognition", noted as an industry term, rather than a definition under data protection law. Biometric recognition uses personal data, biometric data and special category biometric data in order to complete identification or verification processes.
Organisations must use a data protection by design approach when using biometric data and, due to the high-risk nature of special category biometric data, must complete a data protection impact assessment (DPIA) when it is processed.
The guidance suggests that explicit consent is likely to be the valid condition for processing special category biometric data. Organisations must offer a suitable alternative to those data subjects who choose not to provide consent. The example provided in the guidance is a gym that uses facial recognition technology to control access. As this involves special category data, the gym must obtain explicit consent from its customers, or provide an alternative. In this instance, the use of a unique PIN to obtain access is proposed.
What responses is ICO seeking on the draft guidance?
The ICO is seeking clarification from interested parties that the guidance clearly sets out:
Our view and responding to the consultation
Guidance on the use of biometric data is long overdue and should be welcomed. However, in our view, the current draft fails to address some of the most challenging issues, particularly in relation to the relevant condition for processing special category data. In any instance of the use of such technology outside of a one on one direct engagement (as in the "gym" example currently provided), consent is not a practical option. The draft guidance fails to consider any of the more challenging issues that arise, particularly in relation to the use of such data for the purposes of crime prevention and detection.
Many businesses, particularly in the real estate sector, are considering the use of biometric data. Technology utilising this data can have a role in protecting staff and the general public on premises, preventing crime and assisting the police. Of course, it is also true that the use of such technology can be very high risk and there are many vocal groups who advance relevant concerns. For example, earlier this year a group of parliamentarians openly signed a letter, coordinated and co-signed by the privacy groups Big Brother Watch, Liberty and Privacy International, describing such technology as "invasive and discriminatory" and urging the end of the use of facial recognition across the country.
In order for the ICO to consider a balanced approach within its guidance, it is important for it to receive views not only from privacy lobby groups but also from businesses and individuals, in order to understand the practical and economic impact on all parties involved. Companies who use or want to use biometric data would be well advised to put their opinions and experiences to the ICO in this consultation period.
In the meantime, before the ICO guidance is finalised, if businesses are starting to process biometric data, a full DPIA should be carried out and all appropriate safeguards put in place.
The consultation runs until 20 October 2023. You can respond to the consultation here.