Having considered in detail the rules for collecting biometric data in our last post, in this post we will cover the key rules for handling biometric data post-collection.
1. Establish Strong Access And Use Controls
Given the sensitivity of biometric data, strong access controls should be put in place and access to biometric data should be allowed only on a need-to-know basis.
Further, the use of biometric data should be strictly controlled and limited to what is necessary. Biometric data should only be used for the purpose for which it was originally collected unless individuals have explicitly and freely consented to other uses. Unnecessary linkage between biometric databases with other systems or data bases should be omitted.
2. Delete Data When No Longer Required
Biometric data should be deleted as soon as it is no longer required for the permitted purposes. Let’s say, an employer collects biometric data of its employees for access controls. As soon as an employee ceases to work for an employer, any biometric data that has been collected in respect of that employee should be deleted.
An exception to the deletion requirement might apply where data is used for research or statistical purposes provided the biometric data is anonymised. However, it is difficult to anonymise biometric data so that it really does no longer allow the identification of the relevant individual. Hence, care must be taken when relying on this exception.
3. Ensure Data Accuracy
The basic privacy principle that data stored must be kept accurate and up-to-date also applies to biometric data and might be particularly important in that context. For example, if biometric data is used to record attendance of employees, inaccuracies of the attendance records might lead to serious consequences for employees. Therefore, data controllers that use biometric recognition systems must ensure that false acceptance and rejection rates of those systems are within reasonable limits.
4. Secure Data
Data controllers must take all practicable steps to safeguard biometric data against misuse, loss, unauthorised access, modification or disclosure (as specified in applicable privacy legislation). While the required security measures depend on the individual circumstances, examples include that biometric data should be encrypted while stored or transmitted and that access logs should be kept in relation to biometric data.
5. Devise Policies And Train Staff
Businesses should devise, and make available to staff and other concerned parties, clear guidance and policies setting out the rules for processing biometric data. Staff responsible for the collection and management of biometric data should be properly trained on those policies. Regular privacy compliance assessments and reviews should be conducted.
As biometric data usually constitutes personal data, and frequently sensitive data, the processing of biometric data will generally be subject to applicable privacy laws as are other types of personal/ sensitive data. Data controllers need to ensure compliance with those and there is no magic to it from a legal/ regulatory perspective.
From a best practice point of view, controllers should take privacy considerations into account from the start and throughout the whole lifecycle of any biometric initiative (“privacy by design”) and carry out privacy impact assessments. In some jurisdictions, the latter is mandatory in relation to biometric data.