A GDPR & Data Protection Advisory Note.
Published: 07/02/2020 Last Updated: 12/02/2020
Warning! Dull data protection update below*
- Biometric data is ‘special category’ personal data.
- Consent cannot easily be validly obtained.
- Employers should be aware that the processing of biometric data may expose them to significant risks in case of data breach.
- Contrary to passwords, biometric data cannot be reset following a leak and it is therefore very difficult to mitigate the risk.
What is biometric data?
Biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person. Examples are:
- facial recognition
- fingerprint verification
- iris scanning
- retinal analysis
- voice recognition
All biometric data is personal data, as it allows or confirms the identification of an individual. Biometric data is also ‘special category’ data whenever it is processed for the purpose of uniquely identifying an individual. This means that biometric data will be special category data in the vast majority of cases.
Using biometric data fairly
Any organisations planning on using new and innovative technologies that involve personal data, including biometric data, need to think about these key points:
- Under the GDPR, organisations are required to complete a Data protection Impact Assessment (DPIA) where their processing is ‘likely to result in a high risk to the rights and freedoms of natural persons’ such as the (large scale) use of biometric data.
- Because biometric data is classed as special category data under GDPR, any consent obtained must be explicit.
- Explicit consent must be expressly confirmed in words, rather than by any other positive action.
Biometric data in the employment context
The use of biometric data in an employment context is increasingly common for security reasons and fraud prevention. This is often in the form of fingerprint verification, but there are some potential pitfalls to take into consideration, as the following illustrates:
- An employer, relying on its legal obligation to implement appropriate technical and organisational measures, introduced a fingerprint-based authorisation system to control employee access to part of its computer system. The employer considered that its former personal code-based system was no longer secure and risked being circumvented or hacked.
An employee refused to provide her fingerprint, stating that the imposed system infringed her data protection rights. The Court decided that the employer could not impose the fingerprint-based authorisation system, and consent from employees could not be relied on as a lawful ground.
- Researchers were able to access a database with the fingerprints of over 1 million people and facial recognition data that security company Suprema managed on behalf of its clients across the globe (including the UK Metropolitan police, defence contractors and banks). These researchers showed that they were able to tamper with this data, adding their own fingerprints to existing users or adding new users.
- A major security concern is that, contrary to passwords, biometric data cannot be reset, and it is therefore very difficult to mitigate the risk in the event of a security incident.
Minimising the risk
- Employers should always look into alternative measures that simply do not require the processing of biometric data, but which might attain the same envisaged purpose in a less intrusive manner (i.e. which are more appropriate).
- In any event, employers should also consider the need to carry out a data protection impact assessment, which is a process to help you identify and minimise the data protection risks of a project.
- Compliance with other requirements of data protection law must be considered as well. This includes e.g. compliance with:
- The transparency requirement, e.g. are the employees sufficiently informed of the biometric data processing and their rights under data protection law?
- The data minimisation requirement, i.e. is the processing of biometric data “adequate, relevant and limited” to what is necessary for the purpose?
- The data retention requirement, i.e. limiting the retention of biometric data in a form which permits identification of data subjects.
- Data breaches involving biometric personal data are by nature more difficult to contain. As a result, these types of breaches are likely to draw additional media attention causing significant and persistent damage to the employer.
The processing of biometric data is not to be taken lightly, particularly in an employment context.
The International Organisation for Standardisation (ISO) has published ISO/IEC 39794-1, ISO/IEC 39794-4, and ISO/IEC 39794-5 for biometric data interchange formats. In particular, the ISO outlined that these Standards provide a common language allowing for the interoperability between different biometric technologies. Moreover, the ISO highlighted that the Standards are the first of an additional series, and that they address, among other things, finger and face image data.
*We’re not sure if the above is interesting, but it’s definitely not legal advice.