September 13, 2023
The ICO has issued draft guidance on using biometric data and technologies.
Who is the guidance aimed at?
If your organisation develops or uses biometric technologies, you should familiarise yourself with this guidance.
What is biometric personal data?
In recent years, organisations and societies have increasingly relied on biometric technologies, such as facial and fingerprint recognition, to identify and authenticate individuals. A core component of these technologies is the collection of sensitive personal data, including detailed images of individuals’ faces, fingerprints or retinas.
The GDPR defines biometric data as:
“Personal data resulting from specific technical processing relating to physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic (fingerprint) data”.
The ICO says biometric personal data:
The ICO makes clear that when you are using biometric data to identify an individual, it will be considered “special category” data, triggering additional considerations under the GDPR.
What is biometric recognition?
“Biometric recognition” occurs when biometric data is used to identify someone. For example, banks use iris or retinal recognition to allow customers to access their online banking.
It is important to note that just because you have collected data which displays someone’s physical characteristics (e.g., a digital photo), it does not necessarily mean you have collected biometric personal data. The distinguishing factor is how you use the data. For example, if you carry out technical processing to identify an individual, it will be biometric personal data. If you carry out no biometric recognition, however, it will likely not be considered biometric personal data.
What practical steps should a company take if it processes biometric personal data and carries out biometric recognition of individuals?
The ICO’s guidance is open for consultation by key stakeholders until 20 October 2023. Following receipt of that feedback, the ICO will finalise its guidance. Impacted organisations should be alert to developments and consider how this guidance will affect their processing operations.