The ICO has issued guidance explaining how data protection applies to the use of biometric data, which is considered special category data when used for identification purposes. The guidance focuses on “biometric recognition”, which is the automated recognition of individuals based on their biological, physical or behavioural characteristics, such as facial recognition.
The guidance sets out:
- How you can demonstrate your compliance with your data protection obligations when using biometric data
- How you can process it lawfully, fairly and transparently
- How the accuracy principle applies and when you need to resample the biometric data
- Dealing with individuals’ rights
- Keeping biometric data secure
You can find out more about the guidance here: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/biometric-data-guidance-biometric-recognition/
It’s worth noting an ICO enforcement case where the ICO ordered firms to stop using biometrics to monitor employee attendance.
The firms were using the biometric data to determine attendance and to determine how much to pay employees for their time. But the ICO felt that they were unable to show that it was necessary and proportionate, and that there were less intrusive means available (e.g. door fobs, ID cards, etc.).
Not only does this enforcement action highlight the challenges of using facial/fingerprint technology for identification purposes, it also highlights that in the context of employee-employer relationships there is an imbalance of power when employees were not offered an alternative, i.e. employees felt compelled to agree to the use of their data in this way.
Details about the enforcement action can be found here: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/02/ico-orders-serco-leisure-to-stop-using-facial-recognition-technology/