On May 23rd, 2014, the Italian Data Protection Authority (“DPA”) launched a public consultation on biometric identification and signature.
Stakeholders are invited to submit their comments about two draft documents regarding the collection and the use of biometric data, issued by the DPA: (i) a general decision (hereinafter, the “General Decision”) and (ii) a set of guidelines (hereinafter, the “Guidelines”).
The DPA provided for strict and enhanced security measures regarding collection, storage, transfer and deletion of biometric data, as detailed in the General Decision and in the Guidelines, to be implemented whenever a data processing involves biometric data.
Such supplementary security measures include, for instance, strong encryption methods, the compliance with ISO standards and the recording of access logs.
A part from the security measures, the data controller shall have to comply with further provisions.
In deed, before starting the processing the data controller shall have to file a notification before the DPA and to provide the data subjects with a comprehensive notice, including all the needed information regarding the purposes and the modalities of the data processing.
Although, in principle, also a prior checking of the DPA would be needed (see Section 17 of the Italian Data Protection Code, hereinafter “IDPC”), the General Decision, with regard to four categories of processing of biometric data, provides for a specific exemption, as far as: (i) all the technical measures and safeguards, detailed in the General Decision, are duly implemented; (ii) all general requirements under the IDPC concerning the processing of personal data – mentioned in the Guidelines – are met.
Therefore, a prior approval of the DPA would not be needed for the following types of data processing:
When biometric data of the subjects in charge of the processing are used as credentials of an electronic authentication procedure related to a specific processing or set of processing of personal data.
Control of physical access to “sensitive” areas:
When the implementation of biometric systems, based on the finger print or the topography of the hand, are aimed at limiting the access to “sensitive” areas, where needed to meet high and specific levels of security, or at restricting the use of dangerous machineries.
Using the finger print or the topography of the hand in order to facilitate some activities:
When biometric systems are used to allow, regulate and simplify the psychical access of the users to specific areas or services.
Signing of electronic documents:
When the processing of biometric data regards dynamic information associated to the handwritten signature on special devices (i.e. tablets) and the processing does not involve a centralized storage of biometric data.
Before concluding, it is worth mentioning that the DPA provided for different sets of security measures, depending on the nature of the biometric data involved in the processing and on the specific purposes and modalities thereof.
In this respect, the Guidelines consider the different features of any category of biometric data (including, voice and face recognition, dynamic signature, hand geometry and iris scan) and the major risks that a processing of biometric data may involve: possible discriminatory uses, identity thieves, false authentications and spoofing.
In particular, the DPA stressed the fact that such risks may also be increased in a mobile and BYOD environment. In deed, the use for business purposes of mobile devices, that may be used in a personal or family context and where applications might be installed by the employees without any control, has an impact on the level of risk and, consequently, on the security measures to be adopted (e.g. implementation of software for Mobile Device Management or Mobile Device Auditing).
In any case, biometric data shall have to be retained solely for the strictly needed period and the data controller shall have to promptly notify to the DPA any breach concerning biometric data.
The deadline for the stakeholders to submit their comments will expire on June, 24th.