What is biometric data?
To be deemed ‘biometric data’, the personal data must:
- relate to someone’s physical, physiological or behavioural characteristics (for example their voice or fingerprints);
- result from specific technical processing of those characteristics; and
- allow or confirm the unique identification of the person they relate to.
Is biometric data special?
Biometric data is treated as a ‘special category’ of personal data when it is processed for the purpose of uniquely identifying someone. Special category personal data is subject to stricter requirements because it is more sensitive or private than other kinds of personal data.
What data protection implications need to be considered?
- Lawful use: As well as identifying a lawful basis under Article 6 of the UK GDPR, your organisation will also need to satisfy an ‘additional condition’ under Article 9 because the personal data is special category data. Identifying the appropriate lawful basis and additional condition requires detailed consideration of the purposes of the processing. The ICO’s guidance suggests that in many cases ‘explicit consent’ may be required, and valid consent has specific requirements under data protection law. To rely on most lawful bases and additional conditions you will need to show that the use of biometrics is necessary and consider whether a less intrusive alternative could be implemented instead. If biometric data is used, its use must be justifiable.
- Transparency requirements: Individuals must be given access to a privacy notice explaining the processing, which can be difficult to achieve where the technology is used ‘on the go’.
- Data Protection by Design: A data protection by design approach must be taken. This means considering data protection and privacy issues before a biometric recognition system is implemented, and continuing to do so throughout the system’s lifecycle.
- Higher standard of security: Appropriate technical and organisational measures must be in place. The UK GDPR expects a higher standard of security to be applied to more sensitive data such as biometrics.
- Service provider contracts: If you use a provider to host or manage the system, it must provide sufficient guarantees that stringent security measures are in place, and a data processing agreement must be entered into.
- Data Protection Impact Assessment: You must conduct a DPIA where the intended processing is likely to result in a high risk to the rights and freedoms of individuals, so a DPIA is likely to be required whenever a biometric recognition system is used. A DPIA helps to demonstrate your organisation’s compliance with data protection law and highlights any data protection risks.
Should you have any queries in relation to biometric recognition systems, the lawful basis for using biometric data and/or more generally wish to discuss your compliance with the data protection laws, please do not hesitate to get in touch with Valerie Armstrong-Surgenor, Partner or Melissa Hall, Associate in the IPTC team at Morton Fraser MacRoberts.