Following a consultation last year, the Information Commissioner’s Office (ICO) has recently published new guidance on biometric recognition, which is the automated recognition of people based on their biological or behavioural characteristics (eg facial features, fingerprints, speech). The new guidance explains how data protection law applies when biometric recognition systems are used to recognise biometric data.
In summary, the guidance:
- Explains how biometric recognition systems work and why they may be used. This begins with ‘biometric capture’, which is the recording of information about a person’s physical, biological or behavioural characteristics (such as scanning their fingerprints, taking a digital image of their facial features, or recording them talking). This information is then converted into a unique ‘biometric feature’ (most often a string of numbers) which can be used by computers to uniquely identify a particular individual. Biometric algorithms within the biometric recognition system then use this biometric feature for biometric identification (who is this?) or biometric verification (is this person who they say they are?)
- Confirms that employers which use biometric recognition systems must comply with the data protection principles. They must adopt a data protection by design and default approach, considering data protection and privacy issues at the design stage and throughout the lifecycle of the system and ensuring that appropriate technical and organisational measures are put in place to implement the data protection principles effectively. As biometric recognition is likely to result in high risk to people’s rights and freedoms, a data protection impact assessment should be performed. The guidance discusses the appropriate lawful basis to process biometric data and the additional condition needed to process special category data. The employer must also follow the transparency, accuracy and security principles
- Explains how employers should respond to subject access requests relating to biometric data, recognising that there can be practical issues in providing a copy of a person’s biometric data because it is designed to be machine readable (rather than read by people) and may not be convertible into an alternative format more easily shared
The ICO also recently announced that it has taken enforcement action against a number of companies for their use of facial recognition technologies to monitor the attendance of employees in breach of data protection principles.
For further information, please contact:
Emma Ahmed, Hill Dickinson
emma.ahmed@hilldickinson.com