Privacy concerns and consent for biometric data

As we rely on digital services more than ever before, more and more aspects of our lives require access to online software or applications.

From email and social media to government services and essential utilities, our personally identifiable information is transferred between multiple organisations, and every transfer brings security concerns with it.

Increasingly, our biometric data is being used for access to these services, and if you’re a business or institution that processes and stores customer biometric data, how can you manage biometric privacy concerns and consent?

What is biometric data?

Biometric data refers to unique physical or behavioral characteristics of individuals used for identification and authentication purposes. 

These characteristics include but are not limited to:

  • fingerprints
  • facial features
  • iris patterns
  • voice patterns
  • DNA

Because these traits are hard to change and largely distinct between individuals, biometric data gives a reliable (though probabilistic rather than exact) way of verifying identity. It's commonly employed in security systems - for example, unlocking smartphones, accessing secure facilities, and in government identification programmes like passports and national ID cards.

Used well, biometrics strengthen authentication: a fingerprint or face is far harder to guess, phish or share than a traditional password or PIN, which reduces the risk of identity theft and unauthorised access. The trade-off is that a biometric cannot be reset. A leaked password is simply changed; a leaked fingerprint template or face image stays compromised for life. That is why the collection and storage of biometric data raises privacy and ethical concerns: it involves sensitive personal information that, if misused or breached, can lead to lasting privacy violations.

What does GDPR say about biometric consent?

According to Article 9 of UK GDPR, organisations have to make special considerations for processing ‘special categories of personal data’. This includes personal data that:

  • Reveals racial or ethnic origin
  • Reveals political beliefs or trade union membership
  • Reveals religious or philosophical beliefs
  • Is biometric data for the purpose of uniquely identifying a person
  • Is data concerning health or a person’s sex life or sexual orientation

The ICO treats biometric data used to uniquely identify someone as special category data, so if you're a UK organisation you must comply with data protection law when you process it, and explicit consent is likely to be the most appropriate condition for doing so.

Importantly, the ICO's guidance on UK GDPR is blunt: "if you can't identify a valid condition, you must not use special category biometric data."

Article 6 of UK GDPR provides six lawful bases for processing personal data: consent, performance of a contract, a legal obligation, vital interests, a public task and legitimate interests. One of these is still required for special category data, but it is not enough on its own. Article 9 prohibits processing special category data unless one of the ten separate conditions in Article 9(2) is also met. Explicit consent is one of those conditions; four others that organisations processing biometric data may be able to rely on are:

  1. Processing relates to personal data which are manifestly made public by the data subject;
  2. Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services.
  3. Processing is necessary for the public interest in regards to public health, for example protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care, medicinal products or medical devices.
  4. Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1).

If you process the personal information of EU residents, the equivalent conditions in Article 9 of the EU GDPR apply, and Article 9(4) lets individual member states impose further conditions on biometric data, so check the national law of the relevant country as well.


The impact of AI on biometric data

Artificial intelligence is having a big impact on every digital industry, and how organisations handle biometric data is no different.

AI can analyse and process vast amounts of biometric data, and machine learning models can detect patterns, anomalies and irregularities within it that help identify and prevent fraudulent activity, such as an attacker presenting a printed photo or a replayed voice recording instead of a live person. Models can also be retrained as a person's characteristics change over time (ageing, injury, a new hairstyle), which keeps matching accurate without forcing re-enrolment.

However, there are also ethical implications and biometric privacy concerns that come with the use of AI technology.

First of all, there's the risk of unauthorised access or data breaches. AI pipelines typically copy biometric data into training sets, evaluation sets and third-party model APIs, and each of those copies is another place the data can leak from.

Secondly, there are serious questions around bias and discrimination when AI algorithms are used for processing biometric data. If the training data is unrepresentative, error rates differ between demographic groups, so some people are wrongly rejected or wrongly matched far more often than others.

Using AI for processing biometric data also risks breaching your legal obligations under UK GDPR. Human-controlled processes can be scoped tightly, whereas AI systems are prone to 'function creep': biometric data collected for one purpose (say, unlocking a door) is reused for another (say, tracking attendance or training a new model) without the individual's explicit consent.

Strategies for effective biometric consent management

For biometric data consent processes to be effective and compliant with GDPR, they must be clear, accessible and revocable. They shouldn't be buried in contract clauses, but set out in a standalone, easily understandable policy document and presented in a way that allows customers, users, employees and other stakeholders whose biometric data you need to process to digest the information and make an informed, freely given decision.

Let’s take a look at ten specific strategies in more detail.

1. Clear and transparent communication

  • Detailed explanations: Clearly explain what biometric data is being collected, why it is being collected, how it will be used and who will have access to it.
  • Plain language: Use simple, non-technical language to ensure all users understand the consent request.

2. Informed consent

  • Comprehensive information: Provide detailed information about the potential risks and benefits associated with the collection and use of biometric data.
  • Opt-in processes: Use active opt-in processes rather than passive opt-out methods to ensure explicit consent.

3. Granular consent options

  • Specific consents: Allow users to consent to specific types of data collection and processing activities, rather than a blanket consent for all activities.
  • Revocation options: Provide easy-to-use options for users to withdraw consent at any time.

4. Data minimisation and purpose limitation

  • Minimal data collection: Collect only the biometric data that is necessary for the stated purpose.
  • Specific use cases: Clearly define and limit the use cases for the collected biometric data.

5. Security measures

  • Data protection: Implement robust security measures to protect biometric data from unauthorised access, such as encryption at rest with keys held separately from the data, and secure storage solutions. Where the use case allows, store only the derived template rather than the raw image or recording, so a breach exposes less.
  • Regular audits: Conduct regular security audits and assessments to ensure ongoing compliance with data protection standards.

6. User control and access

  • User portals: Provide user-friendly portals where individuals can manage their consent preferences, view the data collected about them, and request deletion or correction of their data.
  • Transparency reports: Offer transparency reports that detail how biometric data is being used and any third-party sharing that occurs.

7. Compliance with regulations

  • Legal adherence: Ensure compliance with relevant laws and regulations, such as GDPR or specific biometric data protection laws.
  • Documentation: Maintain thorough records of consent forms and consent management processes to demonstrate compliance.

8. Training and awareness

  • Employee training: Train employees on the importance of biometric data protection and the proper procedures for obtaining and managing consent.
  • User education: Educate users about their rights and the importance of biometric data security.

9. Third-party management

  • Vendor contracts: Ensure that third-party vendors who have access to biometric data comply with the same standards and practices for consent and data protection.
  • Data sharing policies: Clearly communicate policies regarding data sharing with third parties and obtain explicit consent for such sharing.

10. Regular updates and reviews

  • Policy reviews: Regularly review and update consent management policies to keep up with technological advancements and regulatory changes.
  • Feedback processes: Implement processes for users to provide feedback on consent management practices and make improvements based on this feedback.
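To show how strategies 2, 3, 4 and 7 fit together in code, and how a system can refuse the 'function creep' described in the AI section above, here is an added example of a purpose-bound consent ledger and enforcement gate. It is illustrative code written for this page, not ResourceSpace's own implementation; the purpose names, subject IDs, timestamps and form wording are all constructed. Consent is recorded one purpose at a time (granular, opt-in only), withdrawal is just another event, the gate fails closed when no valid consent covers the requested purpose, and every decision is kept as an audit record.

```python
"""Purpose-bound consent gate for biometric processing (illustrative, not vendor code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ConsentEvent:
    """One explicit act by the data subject: an opt-in or a withdrawal for a single purpose."""
    subject_id: str
    purpose: str
    granted: bool          # True = explicit opt-in, False = withdrawal
    recorded_at: datetime  # timezone-aware
    evidence: str          # what the subject saw and did (policy version, wording, action)


class ConsentLedger:
    """Append-only consent record. No event for a purpose means no consent (opt-in only)."""

    def __init__(self, declared_purposes: Set[str]) -> None:
        # Purpose limitation: only purposes written into the published policy can be consented to,
        # so there is no way to record a blanket "all processing" consent.
        self._declared = set(declared_purposes)
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.purpose not in self._declared:
            raise ValueError(f"undeclared purpose {event.purpose!r}: no blanket or ad hoc consent")
        if event.recorded_at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        self._events.append(event)  # never edited or deleted: the history is the evidence

    def latest(self, subject_id: str, purpose: str, at: datetime) -> Optional[ConsentEvent]:
        """Most recent event for this subject and purpose at or before `at`."""
        candidates = [e for e in self._events
                      if e.subject_id == subject_id and e.purpose == purpose and e.recorded_at <= at]
        return max(candidates, key=lambda e: e.recorded_at, default=None)

    def has_valid_consent(self, subject_id: str, purpose: str, at: datetime) -> bool:
        ev = self.latest(subject_id, purpose, at)
        return ev is not None and ev.granted  # fail closed: unknown subject or purpose -> False

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded for one subject, e.g. for a user portal or a regulator request."""
        return [e for e in self._events if e.subject_id == subject_id]


class ConsentGate:
    """Policy enforcement point placed in front of every biometric operation."""

    def __init__(self, ledger: ConsentLedger) -> None:
        self.ledger = ledger
        self.audit: List[str] = []  # one line per decision, kept as compliance documentation

    def authorise(self, subject_id: str, purpose: str, at: datetime) -> bool:
        allowed = self.ledger.has_valid_consent(subject_id, purpose, at)
        self.audit.append(f"{at.isoformat()} {subject_id} {purpose} {'ALLOW' if allowed else 'DENY'}")
        return allowed


def demo() -> Dict[str, bool]:
    """Constructed scenario: one subject, two declared purposes, a later withdrawal."""
    ledger = ConsentLedger({"door_access", "fraud_detection"})
    gate = ConsentGate(ledger)
    t0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    h = timedelta(hours=1)

    ledger.record(ConsentEvent("user-42", "door_access", True, t0,
                               "policy v3: ticked 'use my face to open office doors'"))

    out: Dict[str, bool] = {}
    out["declared_purpose_allowed"] = gate.authorise("user-42", "door_access", t0 + h)
    # Function creep: same biometric data, a purpose the subject never agreed to.
    out["function_creep_denied"] = not gate.authorise("user-42", "fraud_detection", t0 + h)
    # Someone who never opted in at all.
    out["unknown_subject_denied"] = not gate.authorise("user-99", "door_access", t0 + h)

    ledger.record(ConsentEvent("user-42", "door_access", False, t0 + 2 * h,
                               "portal: clicked 'withdraw consent'"))
    out["after_withdrawal_denied"] = not gate.authorise("user-42", "door_access", t0 + 3 * h)
    # The time-aware check lets an auditor confirm earlier processing was lawful when it happened.
    out["earlier_processing_still_lawful"] = ledger.has_valid_consent("user-42", "door_access", t0 + h)

    try:  # a purpose that is not in the published policy cannot be consented to at all
        ledger.record(ConsentEvent("user-42", "marketing", True, t0, "hidden clause 14(b)"))
        out["undeclared_purpose_rejected"] = False
    except ValueError:
        out["undeclared_purpose_rejected"] = True
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The design choice worth noting is that the gate asks "is there a valid consent for this purpose at this moment?" rather than "does a consent record exist?". That single question covers opt-in (absence means no), granularity (per purpose), revocation (the latest event wins) and purpose limitation (undeclared purposes are rejected at recording time), and the audit list plus `history()` give you the documentation strategy 7 asks for without any extra bookkeeping.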


Ready to find out how ResourceSpace can help your organisation manage consent and overcome these challenges? Book your free Digital Asset Management demo and see our privacy functionality in action.