The Biometrics Institute’s mission is to promote the responsible use of biometrics. Protection of biometric information is a critical topic for discussion. The Biometrics Institute’s Privacy and Policy Expert Group (PEG) has been discussing the EU GDPR (General Data Protection Regulation) on an ongoing basis, most recently at a seminar in Brussels in April, and during a webinar in July (2018).
I thought it would be useful to ask the PEG about some of the important implications of the GDPR to help clarify some of the questions I am regularly hearing in our meetings. We published a recent blog on privacy that you may like to revisit but this time I was discussing some of the key questions that could help to ensure responsible use of biometrics. Below is the response from the PEG. You may find these questions useful as you start your biometric journey.
Key questions for the responsible use:
1. Is the collection of biometric data proportional?
For example, does a school need to fingerprint children to pay for school dinners when it could be done via an honesty system or swipe card. The collection of face, finger and iris biometric samples to de-duplicate 1.2 billion residents of developing nation for inclusion and the equitable distribution of benefits may be considered proportional whereas the collecting the same information to access a social media platform would likely not.
2. Has informed consent for the collection biometric data been received from the data subject?
- Use opt-in consent wherever practicable
- If consent is not being relied on for processing, then what other lawful basis is being relied on?
- Can a minor provide informed consent in the target environment?
3. Has the biometric system and its owner been accredited? By whom? When?
- What are the applicable data privacy and protection regulations?
- Has a PIA or equivalent been published?
- The above question assumes that a DPO needs to be appointed.).
- Does a Data Protection Officer (DPO) need to be appointed?” (This may not always be the case for example, if the processing is not a core activity and is of low volume).
- Consider whether your activities in operating or supplying the biometric system makes you a data processor or data controller or a joint data controller?
4. What data subject information is shared with the data subject (data portability) or others (data sharing)?
- What biometric data is stored?
- How is biometric data protected?
- How long is the data subject’s biometric data retained? Is it deleted/destroyed in a timely manner using secure methods – GDPR compliant erasure?
- Is biometric data shared across borders? Where? with whom?
- Who has accessed the data subject’s biometric data? For what reason? Was there explicit consent given?
- Are audit logs available and non-repudiable?
- Will the data subject be asked to provide consent if the biometric is to be used or shared in a way different from the initial consent?
5. Can the data subject request that their biometric data be updated? Or erased?
You may also like to have a look at the Biometrics Institute Privacy Guidelines and join our discussions in London on the 17-18 October and Canberra on the 28 November where we will hold important discussions about privacy and the important checks and balances that are needed.