The Information Commissioner’s Office (ICO), the personal data protection authority in the United Kingdom (UK), is running a public consultation on its draft guidance on biometric data which covers the requirements under the UK General Data Protection Regulation (GDPR) (similar to the EU GDPR, with extraterritorial reach) for such data. Vendors or users of biometric recognition systems, including both controllers and processors, would be required to comply with the guidance once finalized. As the definition of biometric data is relatively broad and includes, for example, a person’s voice or face that have been analysed using technology for the purposes of identifying such person, the draft guidance is likely to apply to a wide range of companies across all industry sectors in and outside the UK. The consultation includes 20 questions and we encourage participation, via completing the survey, or by downloading the word document through this link and forwarding the response to biometrics@ico.org.uk. The ICO will close the consultation on 20 October 2023.
The draft guidance provides detail on the definition of biometric data under the UK GDPR, as well as when such data is used for biometric recognition. It confirms that both ‘identification’ (when biometric data of one person is compared with that of many to find a match) and ‘verification’ (when a person provides data that is compared against their stored biometric record) are processes that require biometric data in order to uniquely identify a person. It also explains that, by default, any biometric recognition system uses biometric data (which is by default personal data), whether for identification or verification purposes. Further, it states that although all biometric data is not automatically special category data, data used by biometric recognition systems will be is classified as special category biometric data, because of the particular purpose for which such data is used. The draft guidance also summarises the UK GDPR requirements which apply when using biometric data, and other recommended steps, such as deploying privacy enhancing technologies (PETs) and taking into account vendor due diligence considerations.
The consultation on the draft guidance is broadly concerned with whether the guidance adequately describes the benefits and risks of biometric data with a clear explanation, and whether the proposed biometrics guidance impact assessment could be improved. Please contact one of our team members if you would like assistance with contributing to this highly topical draft guidance.