Biometric data is one of the nine types of special category data listed in the UK General Data Protection Regulation (UK GDPR).
Special category data requires additional protection due to its sensitive nature, and the UK GDPR sets out specific requirements that must be met when this type of data is used (processed) in order to protect it.
What is biometric data?
Biometric data is information that relates to a person’s characteristics (such as a fingerprint or facial image). Personal data can only be biometric data if it:
- Relates to someone’s physical, physiological or behavioural characteristics;
- Has been processed using specific technologies; and
- Can uniquely identify the person it relates to.
The ICO’s new guidance on biometric recognition clarifies the concept of biometric data and provides practical examples for businesses that are considering using biometric recognition systems. The full guidance is available from the ICO.
Many biometric recognition systems and technologies will be processing special category data due to how they use biometric data.
When can we use biometric data?
You must identify both a lawful basis under Article 6 of the UK GDPR, and a separate condition for processing special category data under Article 9 of the UK GDPR.
There are a number of conditions that can be relied on under Article 6 and Article 9; however, in the case of biometric data, obtaining explicit consent is likely to be the most appropriate option. There are, however, difficulties with this, and it may not always be a valid option: for example, where businesses are using biometric recognition systems for systematic monitoring of public spaces, or where the requirements for valid consent cannot be met.
In order for consent to be valid under the UK GDPR, it must be specific and informed. This means that the individual must fully understand what it is that they are agreeing to. The individual must also be given a genuine choice over how their personal data is used. Businesses must:
- Give individuals the opportunity to withdraw their consent at any time.
- Offer individuals an alternative method for collecting their personal data if they choose not to consent.
- Consider whether consent is the most appropriate lawful basis, especially where there is an imbalance of power, for example, between employers and employees.
If the way in which the data is being processed changes, or the purposes for which the data is being collected change, then fresh consent must be sought from the individual.
What are the key takeaways?
There are a number of challenges businesses will face when processing biometric data. However, despite the risks, the use of biometric systems can be beneficial and reduce administrative workload. As a matter of best practice, we would recommend that businesses think about the following:
1. Data Mapping: review and update your Written Record of Processing Activities (RoPA). Record the type of personal data you will be processing via the new biometric system(s), and identify your lawful basis for processing. Ensure that the processing is fair, i.e. the data must be used in a way that individuals would reasonably expect and in a way that does not have any adverse effects on them.
2. Risk Assessment: You must assess the impact that the use of a new system will have on the individuals who you are processing personal data about. You should complete a Data Protection Impact Assessment (DPIA) to support the processing of biometric data. You should also ensure that there are appropriate technical and organisational measures in place to protect the personal data against unauthorised or unlawful processing (amongst other things).
3. Transparency: You should update your data protection documents and explain the use of the biometric recognition system. This should include identifying the potential impacts of any decisions that the system makes and setting out what other options are available if an individual does not consent to having their data processed in this way.
4. Data Subject Rights: individuals can make requests to access their biometric data, and this may present your business with a number of practical issues depending on the format in which the data is held. Where information cannot be provided, businesses will still be required to explain to the individual why it cannot be provided, and to give a summary of what the information consists of, how it is stored and whether it is shared with anyone.
5. Automated Decision Making: if a biometric system is making fully automated decisions about people (i.e. it is making decisions without human intervention), additional protections apply. The UK GDPR protects individuals against solely automated decisions that have a legal or similarly significant effect on them, and a DPIA should be conducted to assess the risks.
6. Use of Third Parties: The ICO’s guidance on biometric data will also apply to other data controllers, processors and sub-processors who are involved in the operation of biometric recognition systems. You should ensure that the relevant contracts are in place with third parties and that these contain the relevant data protection clauses. Due diligence will be important before entering into any new contracts.
If your business processes biometric data and you have concerns about how to process the data lawfully, please contact me directly at mspencer@prettys.co.uk or a member of the Data Protection & Privacy Team.