GDPR PRACTICAL COMPLIANCE – BIOMETRIC DATA
GDPR provides greater protection of personal data, and the changes required in data protection standards mean:
- a broader definition of personal data, so that if anyone can identify a natural person “directly or indirectly” using (according to Recital 26) “all means reasonably likely to be used”, then the information is personal data; and
- enhanced “special categories of data” (more sensitive personal data which could be used in a discriminatory way, which, as Recital 51 reminds us, merits “specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms”)
What are special categories of data?
Article 9 of GDPR refers to “special categories of data”, which are similar to the sensitive personal data under the DPA, with 2 additions. GDPR “special categories of personal data” include data which reveals an individual’s:
- Ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Sexual life or sexual orientation
- Criminal records, including data about criminal proceedings (and sentence or other conclusion) and any alleged offences or offences admitted to or convicted of; these are included as sensitive personal data under the DPA and have safeguards under GDPR as they are under the control of “official authorities”
- Genetic data and
- Biometric data “for the purpose of uniquely identifying a natural person”
When can special categories of data be processed?
You will not be able to lawfully process special categories of data unless one of ten exceptions applies, including:
- the individual’s consent
- processing by a not-for-profit body in connection with members
- processing relating to personal data made public by the individual data subject
- processing which is necessary
  - to carry out employment and social security and social protection obligations
  - to “protect the vital interests of the data subject or of another natural person” if the data subject is physically or legally incapable of giving consent
  - for legal claims or by courts
  - for “reasons of substantial public interest”
  - for medical purposes, including public health reasons
  - for public interest, scientific or historical research purposes or statistical purposes
Using biometric data
Biometric data is increasingly being used to identify an individual in an attempt to combat fraud, including verifying payments and enabling fast processing of transactions, using:
- fingerprint recognition – fingerprints are unique to an individual and have been used for law enforcement identification purposes for a long time. Once the technology had been developed, organisations making mobile phones and devices quickly recognised its potential both for payment and as an additional security or “locking” mechanism for the phone or device
- facial recognition – such as the ‘Selfie-Pay’ technology led by MasterCard, wherein the buyer is prompted to take a selfie which is compared against a previously filed reference image
Current feedback from buyers indicates that using biometric data in this way is better than having to remember and then input a password for transactions to be authorised, and we are likely to see advances happening very quickly.
This fast-moving technology will mean cheaper, more accessible and effective sophisticated surveillance systems – but how will it be used?
One example is technology from FaceFirst, which is able to identify individuals who are more likely to commit a crime based on their past records and behaviour – for example, a convicted shoplifter who pays multiple visits to a chain of retail stores over a short period of time. FaceFirst (based in California) describes the technology as being “actually less intrusive than traditional video surveillance, in that facial recognition technology only captures biometric information”. The lawful use of special categories of data under GDPR means that its use for ID purposes must comply with one of the ten exceptions where the use of special categories is permitted and would require stringent control.
You may feel that such tools are perfect for the police and government law enforcement, but what about their accessibility and use in other situations, including retail environments or any location that the public visits? We look for ways of making life easier, and the concern is that, because this technology could prove very tempting as a tool to prevent theft or to track suspected radicals, its use could become more widespread and become the norm. Will, for example, the use of biometric data be seen as a way to protect your employees and as a health and safety tool?
The more that this type of biometric data and technology is used, the more normal it becomes, meaning more scope for breaches, including human error.
Finally, remember that what can be used for benefit can also be used for less palatable purposes.