ICO Issues Draft Guidance On Biometric Personal Data


3 minute read | September 13, 2023

The ICO has issued draft guidance on using biometric data and technologies.

Who is the guidance aimed at?

If your organisation develops or uses biometric technologies, you should familiarise yourself with this guidance.

What is biometric personal data?

In recent years, organisations and societies have increasingly relied on biometric technologies, such as facial and fingerprint recognition, to identify and authenticate individuals. A core component of these technologies is the collection of sensitive personal data, including detailed images of individuals’ faces, fingerprints or retinas.

The GDPR defines biometric data as:

“Personal data resulting from specific technical processing relating to physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic (fingerprint) data”.

The ICO says biometric personal data:

  • Relates to someone’s behaviour, appearance or observable characteristics (e.g., a person’s voice, fingerprints or face).
  • Has been extracted or analysed using technology (e.g., specific software is used to analyse an individual’s voice tone or pitch).
  • Can uniquely identify a person.

The ICO makes clear that when you are using biometric data to identify an individual, it will be considered “special category” data, triggering additional considerations under the GDPR.

What is biometric recognition?

“Biometric recognition” occurs when biometric data is used to identify someone. For example, banks use iris or retinal recognition to allow customers to access their online banking.

It is important to note that just because you have collected data which displays someone’s physical characteristics (e.g., a digital photo), it does not necessarily mean you have collected biometric personal data. The distinguishing factor is how you use the data. For example, if you carry out technical processing to identify an individual, it will be biometric personal data. If you carry out no biometric recognition, however, it will likely not be considered biometric personal data.

What practical steps should a company take if it processes biometric personal data and carries out biometric recognition of individuals?

  1. Carry out a Data Protection Impact Assessment.

  2. Determine whether you are acting as a controller or processor of the data.
    If acting as a controller, review third-party contracts and consider how third parties use biometric personal data. For example, providers of AI solutions typically want to use customer data to develop their AI models, so it is important to determine whether your agreements accurately reflect this.

  3. Obtain explicit consent, unless you can determine that one of the Article 9 GDPR exemptions applies.
    The ICO notes that explicit consent is likely the only valid condition for processing special category biometric data. Consider whether you have obtained valid consent. You must offer a suitable alternative to people who do not consent.

  4. Consider compliance with wider principles of GDPR (for example, accuracy of processing, data minimisation and data security).

What’s next?

The ICO’s guidance is open for consultation by key stakeholders until 20 October 2023. Following receipt of that feedback, the ICO will finalise its guidance. Impacted organisations should be alert to developments and consider how this guidance will affect their processing operations.