In this post, we provide you with four key rules for collecting biometric data to ensure the collection is privacy-compliant.  While extracted from the recent Guidance on Collection and Use of Biometric Data issued by the Hong Kong Privacy Commissioner and from a 2011 Guidance issued by the Canadian Privacy Commissioner, these rules are of global relevance.

This is the third article of our 3-part contribution on biometric data.

1.    Only collect the biometric data you really need

In line with the general collection limitation principle, the collection of biometric data must be:

  • for a lawful purpose related directly to the collecting organisation’s functions and activities; and 
  • necessary and not excessive for achieving such purpose.

In other words, because of the sensitivity of biometric data, its collection requires a strong justification. If an intended (valid) purpose can be achieved by collecting less sensitive biometric data or other data, then only that data must be collected. Biometric systems should not be adopted because they are the most convenient or cost-effective option; they must only be implemented if they are necessary and there is no less privacy-invasive way of achieving an intended outcome.

2.    Conduct privacy impact assessments prior to the collection

Privacy impact assessments should be conducted before biometric data is collected in order to determine whether the collection of biometric data is necessary and, if so, to what extent.  This is also the approach likely to be adopted under the forthcoming EU General Data Protection Regulation which appears to not classify biometric data as sensitive data but requires privacy impact assessments to be carried out in certain instances of processing of biometric data.

3.    Provide notice.  Offer choice. Obtain consent. 

In line with the general notice and choice principles, prior to the collection of biometric data, the relevant individuals must be informed comprehensively about the impact of the intended collection and use of biometric data and they should be offered the choice of less privacy-intrusive alternatives.  Their free and express consent must be obtained prior to the collection.  The (in practice frequently used) covert collection of biometric data violates this rule.

4.    Apply risk minimization techniques

Where possible, risk minimization techniques should be applied, including that:

  • biometric templates (which consist of summary information only) rather than raw data should be stored to minimize the amount of data stored;
  • generally, verification biometric systems should be favoured over identification systems as they collect fewer biometric features;
  • if possible, biometric information should be stored locally (such as on smart cards or security tokens) rather than in central databases as it gives individuals more control over their biometric information and reduces the risk of data loss or inappropriate cross-linking of data across systems.

While the Hong Kong and Canadian guidance documents are not rocket science, in the absence of other guidance, they are helpful reference points for those looking to implement biometric systems in a privacy-compliant way.