Once confined to scientific research and criminal investigations, biometric data is now frequently used in everyday scenarios like building access controls, mobile devices and airport security checks.  It is hailed for enhancing security but it is also feared for invading privacy.   In this post, you will learn five basics you should know about biometrics. Click here for the introduction to our Biometrics Series.

1. What Is Biometric Data?

Biometric data is data about an individual’s physiological or behavioural characteristics. 

Physiological characteristics are unique biological features with which an individual is born such as DNA, fingerprints, facial feature, iris and retina.

Behavioural characteristics are distinctive mannerisms developed after birth such as a person’s handwriting, typing rhythm or voice patterns.

2. How Do Biometric Systems Work?

Biometric systems typically involve two stages:

  • In the first stage (often called “enrolment stage”), a biometric device such as a finger scanner takes a biometric sample from an individual, which is then analysed and either stored as raw data or converted into a biometric template which is stored (see under 3 for more).
  • In the second stage (the “matching stage”), newly presented biometric information is detected by a biometric device and compared against the biometric information stored at the time of enrolment.  The comparison seeks to identify an individual or verify that an individual is who he/she claims to be.

3. How Is Biometric Data Stored?

For security reasons, biometric data is usually stored in a “template” rather than in its original form.   The biometric system creates a digital “template” from the sample taken by extracting distinct characteristics from the biometric sample and converting them into a mathematical representation.  It should be technically infeasible to convert the template back to the original sample. 

The biometric template is either stored in a central database or on an object in the individual’s possession like a smart card (or both).

4. How Are Privacy Laws Relevant To Biometric Data?

Biometric data directly relates to an individual and frequently allows an individual’s identification.  In fact, the very purpose of biometric systems is generally the identification of individuals.  Therefore, in most circumstances, biometric data falls plainly under the definition of personal data, and its handling may be subject to privacy laws around the world. 

Some legislators even classify certain types of biometric information as “sensitive information” to respond to concerns that biometric data may reveal sensitive information such as a person’s health or ethnic origin and may be collected and used without the individual’s knowledge.  For example, in Australia, biometric templates and information that is to be used for the purposes of automated biometric verification or identification constitute sensitive data and are therefore subject to more stringent requirements.

In Europe, by contrast, a different approach is being adopted under the forthcoming General Data Protection Regulation. Biometric data will not be classified as sensitive information.  However, recognising the risks to individuals associated with the processing of biometric data, controllers and processors will be required to conduct privacy impact assessments to be carried out prior to certain instances of processing of biometric data.