ICO Publishes New Guidance on the Use of Biometric Data

The Information Commissioner’s Office (ICO) has published a new section on its website which provides  detailed guidance on the use of biometric data. The guidance outlines how data protection law applies to biometric recognition systems that utilise biometric data, and how firms can comply with data protection regulations.

The guidance from the ICO is primarily for firms that use, or are considering using, biometric recognition systems, but it is also relevant for  the providers of these systems, including vendors and developers, and other relevant third parties involved with their use, such as controllers or processors.

What is biometric data?

Biometrics involves the identification and or authentication of individuals through the recognition of unique characteristics. This includes:

  • Facial recognition
  • Fingerprints
  • Speech recognition
  • DNA matching, and
  • Signature recognition

The data is then compared to the biometric data of several other individuals in a database. Biometric data is considered a form of personal information. Unlike passwords, badges, or documents, it offers a higher level of security and accuracy as it cannot be forgotten, stolen, or easily forged.  

How is the new guidance relevant?

The application of biometric data in financial services has potential, however, it has garnered controversy as some feel that it poses a threat to data protection rights and freedoms. Many also have concerns about the risk of harm in the event of inaccuracies or security breaches, as this can be difficult to rectify compared to, for example, resetting a password.

The release of the ICO’s guidelines is timely as it follows a series of separate enforcement notices concerning the monitoring of employees using their biometric data. Most recently, the ICO announced that leisure centre firm, Serco Leisure, had been found to have unlawfully processed the biometric data of more than 2,000 employees across 38 of their UK facilities.  

The company's staff, who are also subject to fingerprint scanning, were not offered an alternative to having their biometric data collected, and the firm failed to justify the necessity of the practice when there are less intrusive methods  of monitoring attendance, such as ID cards or fobs.

Last year, the ICO published guidance on monitoring employees and called on firms to consider both their legal obligations and their employees’ rights to privacy before they implement any form of monitoring.

Firms who are using or considering the use of biometric date should consider:

  • whether alternatives could be implemented to achieve the desired outcome;
  • whether extra security measures are needed for the collection, use and storage of biometric data;
  • if the use of biometric data for access control is necessary and proportionate for its intended purpose.

About the author

Jessica joined RWA in 2018, having graduated with a First Class Honours degree in Film Studies. Her role as a content designer involves developing new and engaging e-learning modules as well as assisting in the creation of articles for Insight. 

Get UKGI Insight In Your Inbox

Regular business news and commentary delivered direct to your inbox each week. Sign up here