The Secure Check pilot project was carried out at Zurich Kloten airport from December 2004 to mid-April 2005. The aim of the project was to improve the verification of passenger data as well as their travel documents upon departure by means of biometric data and to reduce waiting time at the security checkpoints. Our inspections of the biometric system used during check-in and boarding procedures allow us to issue a generally positive assessment. Nevertheless, the use of biometrics at Zurich Kloten airport does raise some fundamental issues.
In December 2004, Checkport Switzerland together with Swissport Switzerland and SWISS International Airlines launched Secure Check at Zurich Kloten airport. We participated in the test phase of this pilot project in our capacity as the data protection supervisory authority for the private sector and verified compliance with data protection requirements. The inspection focussed primarily on the collection and processing of biometric data. Given that this new technology (a biometric procedure) was being used for the very first time and involves the processing of sensitive personal data, it was essential for us to examine the facts and verify the data protection mechanisms put in place before the implementation of the pilot project got underway.
Two meetings were organised on site at Zurich airport with the partners involved in the project, Swissport, Checkport and SWISS, to discuss the factual issues. During the first phase of the pilot project passengers provided two digital fingerprints which were scanned and transformed into templates so as to enable authentication at the boarding gate. In a second phase the two fingerprints were replaced by two facial images. The reliability of biometric matching varied over the two visits depending on the biometric characteristics used. For example, we noted that the facial images provided a higher degree of reliability. Both the fingerprint and the facial image templates were stored on a smart card which passengers kept with them until they reached the boarding gate. During the Secure Check pilot project no biometric data were stored on a central database.
The inspection, which was carried out pursuant to article 29 of the DPA, prompted us to give a generally positive assessment of the way biometric data had been handled. The measures set out in the pilot project for the definitive implementation of the system point in the right direction. However, we say in our final report that there are a number of points of principle with regard to the use of biometrics which need to be taken on board by the project management during the definitive implementation of the Secure Check project.
The following points need to be considered carefully:
- The transparency of the data processing needs to be improved by providing the persons concerned with clearer information about the different categories of processed data (identity, flight, biometrics, statistics, etc.) from the time they are collected to the moment they are destroyed. It is particularly important that data should be deleted physically and not just logically, that deletion is carried out at the earliest opportunity and that it is comprehensive (including temporary files).
- As this is the first time that biometric data are being collected, it would not be surprising if third parties, such as airport police or foreign immigration authorities, suddenly discovered an interest in them. The project management must be aware of the interest this might generate before the definitive implementation of Secure Check and must ensure that no biometric data are made available to outside third parties (such as the authorities) unless there are very sound reasons for doing so (e.g. a legal basis; cf. article 13 paragraph 1 of the DPA).
- Any modification of the Secure Check project which might lead to the centralised storage of biometric data or involve the storage of raw data would require a more detailed analysis from a data protection perspective, and is not covered by the present report. The principle of purpose limitation would need to be reconsidered and redefined if a decision were to be taken to transfer the biometric data to external authorities.
As the authentication of biometric characteristics is not 100% reliable, we have suggested that multimodal authentication (i.e. combined with other personal characteristics such as a personal identification number) be used for the definitive roll-out of the Secure Check system. It is equally important that if certain biometric characteristics are not available or can only be read with difficulty, equivalent alternatives capable of ensuring correct and reliable authentication should be provided for and made available.
The full report of the data protection inspection is available in German on our website http://www.edoeb.admin.ch/.