ICO publishes biometric data guidance

Viewpoints
April 15, 2024
6 minutes

On 5 March 2024, the UK data protection regulator, the Information Commissioner’s Office (ICO), published guidance on biometric recognition (the Guidance), following a consultation with stakeholders in October 2023. The Guidance clarifies the concept and properties of biometric data and sets out practical considerations for organisations contemplating or already using biometric recognition systems.

Clarifying the concept of biometric data

The Guidance elaborates on the definition of biometric data, in particular how biometric data may constitute special category personal data, and how the properties of biometric data may increase risks to individuals in the event of a breach.

Definition of biometric data

Biometric data is personal data relating to an individual’s physical, physiological or behavioural characteristics (for instance, fingerprints or voice) that results from “specific technical processing” and that allows or confirms the individual’s unique identification. The Guidance further clarifies “specific technical processing” as a processing operation, or set of operations, applied to a person’s physical, physiological or behavioural characteristics which makes it possible to uniquely identify them.

This differentiates biometric data from other information about an individual’s characteristics. For example, a photograph of a person’s face is not, by itself, biometric data, because it has not been subject to specific technical processing. However, if the photograph has been processed and information about the individual’s facial features has been extracted and transformed by an algorithm into a biometric feature*, that extracted information will constitute biometric data.

Special category biometric data

The Guidance notes that biometric data may constitute special category personal data, depending on its purpose and inferable properties: 

  • When biometric data is used to uniquely identify individuals: Biometric data constitutes special category personal data if it is processed for the purpose of uniquely identifying an individual. The Guidance further clarifies that, once such a purpose has been determined, the biometric data is special category personal data from the moment of collection, not only from the point at which it is actually used for identification or verification. This means, for example, that biometric recognition systems process special category personal data because of how they use biometric data (see below).
  • If other types of special category personal data can be inferred from biometric data: The Guidance notes that if biometric data can be used to infer other special category personal data, such as an individual’s racial or ethnic origin or health data, the biometric data may be special category personal data in and of itself, regardless of the purpose for which it is processed.

Nature of biometric data

The generally permanent and unique nature of biometric data increases the risks to individuals, because biometric data represents distinctive features of a person’s physical identity that cannot readily be changed, such as facial features or voice. This sets it apart from other forms of personal data, such as an address, user ID or password, which can be changed or replaced over time. In the event of a data breach involving biometric data, the Guidance notes that the severity of harm to individuals may be higher, because the individual permanently loses control of information that cannot be reissued, and the misuse of biometric data in identity theft can be very hard to detect as fraudulent.

Key takeaways for organisations

Biometric recognition systems** process special category biometric data

The Guidance indicates that, because biometric recognition systems use biometric data for identification or verification purposes, they process biometric data in order to uniquely identify individuals. This means that biometric data collected and processed by a biometric recognition system will constitute special category personal data.

For example, if an organisation deploys a biometric recognition system that scans thumbprints, it is processing special category biometric data each time it processes thumbprint data, because such processing enables the organisation to single out an individual with accuracy. This is so even if the system does not find a match for the biometric sample, or if the processing does not link the biometric features to any other information about the individual (such as their name). It also means that organisations are required to conduct a data protection impact assessment (DPIA) before deploying a biometric recognition system.

Alternatives to biometric recognition systems should be considered

The Guidance notes that explicit consent is the Article 9 condition most likely to be appropriate for the processing of special category biometric data in biometric recognition systems. Such processing will also require a lawful basis under Article 6 of the UK GDPR, and the Guidance notes that organisations may rely on consent for that purpose too, although valid and freely given consent may be difficult to obtain in certain situations (e.g. where the controller is an employer or a public authority and there is an imbalance of power).

To account for such situations, the Guidance advises organisations to offer alternatives to biometric recognition (e.g., a choice between biometric recognition and a PIN/password system for access control) so that they can demonstrate that data subjects were given a genuine choice. The Guidance further states that organisations must offer an alternative to biometric recognition if neither explicit consent nor another Article 9 condition of the UK GDPR applies to the processing.

Managing practical issues in data subject rights for biometric data

The Guidance notes that biometric data presents certain challenges for organisations when a data subject exercises particular rights over such data, and provides practical advice to help organisations respond to or otherwise manage such requests.

  • Access requests: Requests to access biometric data may present practical issues; for example, biometric data is likely to consist of complex mathematical outputs in a specific (and often proprietary) machine-readable format that cannot be interpreted by individuals or by other systems. The Guidance helpfully clarifies that organisations are not required to translate or decipher biometric data, although they should provide the individual with an explanation of why the information cannot be provided in an intelligible form, a summary of the relevant practical issues, a description of what the information consists of, and details of how it is stored.
  • Data portability requests: The Guidance clarifies that the right to data portability applies only to personal information provided by the individual. It does not apply to personal information that the organisation has created from other personal information. This means that biometric templates (i.e. the stored reference biometric data that was derived from the personal data the individual provided) do not fall within the scope of data portability requests, although organisations are still required to explain this to the individual.

Commentary 

The Guidance highlights the unique nature of biometric data and provides practical considerations for organisations. The Guidance is also timely; in light of recent fines imposed by the ICO on organisations for non-compliant biometric data processing (for more information and commentary on these fines, see our previous posts on those decisions), it is clear that this remains an enforcement focus for the ICO.

Additional guidance on biometric classification or categorisation systems (i.e. systems that make inferences about people based on observable characteristics, rather than identifying them) is forthcoming and is expected to be published by the ICO by the end of 2024.

Subscribe to Ropes & Gray Viewpoints by topic here.

* The ICO defines “biometric features” as the key information extracted from a biometric sample (e.g. the image of a face in a digital photograph) which forms a digital summary of how an individual’s characteristics make them unique. Biometric features are intended to be read by biometric algorithms, not by people, and so frequently take the form of a string of numbers or otherwise bear no visual resemblance to the characteristics they describe.

**Biometric recognition systems are systems that automatically recognise individuals based on their biological or behavioural characteristics, by comparing the biometric features extracted from a newly captured sample from the individual against a stored reference biometric template.