Some data protection considerations with regard to the use of biometric data in the private sector

Biometrics has developed very rapidly and is increasingly used for automated authentication and identification procedures in a manner that affects the whole of civil society. Applications include access to school canteens, the payment of tickets for public transport, attendance and working time control systems, and access to facilities or IT systems. The use of biometrics poses risks for basic rights and freedoms and has become one of the major challenges for all those involved in data protection. The SDPC has recommended a number of principles which should be respected in the area of data protection.

In a report adopted at the 26th International Conference of Data Protection and Privacy Commissioners, we recommended various principles which could help guarantee data protection in connection with the use of biometric data. The use of biometrics may involve considerable data protection risks when performing checks on individuals, in particular when information and data files are brought together. On the other hand, one of the advantages of biometrics is that it is possible to ensure that only authorized persons have access to data. Thus, biometrics could become an instrument for safeguarding the private sphere. Clearly, biometrics is not a panacea that can solve all verification and administration problems. Biometric procedures are prone to errors and have shortcomings insofar as the reliability of the results (false positives and false negatives) and data security are concerned. Furthermore, the use of biometrics may lead to discrimination and constitute a violation of human dignity. For these reasons, the following principles should apply to the use of biometric systems in the private sector:

  • Biometrics are only to be used when the intended objective cannot be achieved by less invasive methods.
  • Biometrics may be used for data protection and data security.
  • The principle of purpose limitation must be respected scrupulously.
  • Data subjects must be given clear information, and they must be included in the data processing procedures.
  • Biometric data must be collected directly from the data subject, or at least with his/her knowledge.
  • In order to avoid discrimination, alternatives must be provided for persons who are not in a position to use biometric systems.
  • Biometric data may only be identified by a sample taken from the data subject.
  • The original biometric data must be destroyed once the procedure has been completed.
  • The technologies should not be based on the storage of raw data, but rather on the storage of templates. Biometric data should only be used if no templates need to be stored on a database which is managed by anyone other than the data subjects themselves. This procedure does not raise any data protection problems, provided that the template is stored on a medium used exclusively by the data subjects (chip card, mobile phone, portable computer, etc.).
  • If a database is interrogated by a processing centre and not by the data subject, the selected biometric element could have consequences in terms of the person's fundamental freedoms and rights, particularly when traces are left (e.g. fingerprints). The use of such elements must be limited to cases where an overriding security interest is at stake.
  • In all other situations, it is important that other biometric elements be used which limit the risk of abuse and do not leave traces (e.g. the contour of the hand).
  • When using elements that do leave traces and are stored in a database, measures must be taken to ensure that the data are not used for purposes other than those originally specified. For example, the elements contained in a database should be encrypted by means of the template so that the data can only be decoded in the presence of the person to whom the biometric information refers. The template must be application-specific so as to exclude the possibility of combining data from different sources or gaining access to various applications.
  • All necessary steps should be taken to avoid the use of biometric information as a universal user ID.
  • No further details about data subjects, in particular regarding their state of health, should be inferable from biometric data.
  • When used in an authentication/verification system, only the personal data necessary for the authentication may be collected and processed. Whatever solutions are chosen, the identity of the person must not be revealed (anonymous authentication), unless the purpose of the processing should require identification (principle of economic efficiency).
  • Biometric data used in an authentication system should be used exclusively for verification purposes, unless the law expressly provides otherwise (in particular for purposes of criminal prosecution).
  • In order to improve data security and reduce the risk of unauthorized access - particularly appropriation by third parties - it is important to protect the biometric system by additional identification and authentication means, such as access codes. Furthermore, we recommend the use of secure biometric readers in which authorized persons can input their data directly, or the use of systems in which the biometric data are stored on a secure medium, e.g. a chip card.
  • Biometric data must be encrypted during the data input process, as well as before their electronic transmission, particularly if this is done over a network.
  • The reliability of stored biometric data (templates) must be regularly checked (data should be re-registered periodically). The reason is that the biometric characteristics of a person may change over time.
  • The rights of data subjects must be guaranteed. They must retain control over the use of their biometric data and, if they so wish, ask for the data to be destroyed.
  • Biometric information systems must be subject to a certification procedure and a data protection audit. Moreover, systems must be checked for potential risks before they are put into operation. To this end, a safety concept should be developed in which the types of authorized data processing are defined.
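To illustrate the application-specific, template-keyed encryption described in the principles above (an added example written for this page, not code from the SDPC or any biometric product), the block below derives an unlinkable per-application template with HMAC and encrypts a stored record so that it only decrypts when the same person's template for that application is presented again. It assumes an exact-match template and constructed sample values; real biometric templates vary between samples and would need a fuzzy extractor or similar to obtain a stable key, and the hash-based cipher is a stand-in for a proper AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample values (not real biometric data): raw templates as bytes.
RAW_TEMPLATE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
OTHER_PERSON_TEMPLATE = bytes.fromhex("00112233445566778899aabbccddeeff")

def derive_app_template(raw_template: bytes, app_id: str, app_secret: bytes) -> bytes:
    """Application-specific template: HMAC keyed by a secret held only by this
    application, so two applications derive unrelated values from the same raw
    template and their databases cannot be joined or cross-used."""
    return hmac.new(app_secret, app_id.encode() + b"|" + raw_template, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Hash-based counter-mode keystream: an illustrative stand-in for an AEAD
    # cipher such as AES-GCM, which a production system should use instead.
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]

def _keys(app_template: bytes) -> tuple:
    # Separate encryption and MAC keys derived from the presented template.
    return (hashlib.sha256(b"enc" + app_template).digest(),
            hashlib.sha256(b"mac" + app_template).digest())

def encrypt_record(record: bytes, app_template: bytes) -> bytes:
    """Encrypt a database record (encrypt-then-MAC) so that it can only be
    decoded when the data subject presents the matching template again."""
    enc_key, mac_key = _keys(app_template)
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(record, _keystream(enc_key, nonce, len(record))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def decrypt_record(blob: bytes, app_template: bytes) -> Optional[bytes]:
    """Return the record, or None when the presented template does not match
    (another person, or a template derived for a different application)."""
    enc_key, mac_key = _keys(app_template)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
```

The same raw template yields different, unrelated values for the canteen and transit applications, and a record encrypted under one of them cannot be opened with the other or with another person's template.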

With regard to the use of biometric data in the private sector, please refer also to section 7.2. of this Annual Report.

[July 2005]