The ICO has launched a consultation on the first part of its draft biometrics guidance. It explains how data protection law applies when organisations use biometric data in biometric recognition systems. The guidance is aimed at organisations that use or are considering using biometric recognition systems as well as suppliers of these systems. It is for both controllers and processors.
The guidance looks at the definition of biometric data under the UK GDPR. It also focuses on biometric recognition uses and explains how these involve processing special category biometric data.
It covers:
- what biometric data is;
- when it is considered special category data;
- its use in biometric recognition systems; and
- data protection requirements that must be complied with.
Biometric data is defined in the GDPR as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic [fingerprint] data”.
The key principles in the guidance are:
- Organisations must comply with data protection law when they use biometric data, as it is a type of personal data.
- Organisations must take a data protection by design approach when using biometric data.
- Organisations should do a data protection impact assessment before using a biometric recognition system. This is because using special category biometric data is likely to result in a high risk.
- Explicit consent is likely to be the only valid condition for processing special category biometric data.
- Other conditions may apply, but these will depend on the specifics and the justification for using special category biometric data.
- If organisations cannot identify a valid condition, they must not use special category biometric data.
The guidance does not cover requirements of the data protection regimes for law enforcement purposes or the security services. However, some of the principles explained in the guidance are relevant to these regimes.
The consultation ends on 20 October 2023. The second phase of the guidance (biometric classification and data protection) will include a call for evidence early next year. The ICO is also seeking views on a draft summary economic impact assessment for the guidance, so that it understands the practical impact on organisations and individuals.