Guidance explains how data protection law applies when using biometric data in biometric recognition systems.
The ICO has launched a consultation on the first part of its draft biometrics guidance. It explains how data protection law applies when organisations use biometric data in biometric recognition systems. The guidance is aimed at organisations that use or are considering using biometric recognition systems as well as suppliers of these systems. It is for both controllers and processors.
The guidance looks at the definition of biometric data under the UK GDPR. It also focuses on biometric recognition uses and explains how these involve processing special category biometric data.
Biometric data is defined in the GDPR has "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic [fingerprint] data".
The key principles in the guidance are:
The guidance does not cover requirements of the data protection regimes for law enforcement purposes of the security services. However, some of the principles explained in the guidance are relevant to these regimes.
The consultation ends on 20 October 2023. The second phase of the guidance (biometric classification and data protection) will include a call for evidence early next year. The ICO is also seeking views on a draft summary economic impact assessment for the guidance, so that it understands the practical impact on organisations and individuals.