Canada’s Guide on Biometric Management Is a Useful Resource for All Corporate Security Directors
Canada’s Office of the Privacy Commissioner released guidance documents clarifying how businesses and government agencies can comply with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) when managing and using biometric information. While clearly good resources for Canada-based institutions, the plain language, straightforward approach, and examples in the business-related guidance make it an excellent resource for organizations worldwide.
The preamble material for both documents establishes key terminology necessary for understanding the guidance. For example, it notes the difference between physiological biometrics (such as fingerprints, iris patterns, and DNA) and behavioral biometrics (such as gait, keystroke patterns, and eye movement). It also distinguishes use cases into two categories. Verification is a one-to-one recognition system that compares a single sample to a single template—facial recognition to unlock a personal computer is an example. Identification is a one-to-many recognition system that compares a single sample to a database of templates—facial recognition to identify someone in a crowd is an example.
The guidance also provides a discussion of sensitivity; biometric data is considered sensitive if it meets any of the following criteria:
- It is, or could readily be, combined with other information that would allow it to uniquely identify an individual;
- Its misuse could pose a high risk of harm to individuals; or
- It could reveal other categories of information that are considered sensitive (for example, medical information).
The actual guidance in the document for businesses starts by examining the purpose for the business use of biometric information. “You must always have a clear use for any biometric information you collect. Personal information must not be collected for a speculative or prospective purpose to be determined at a later date,” it says.
The use case must be effective: “The program must be designed to effectively fulfill the purpose for which it is deployed. Consider the scientific and technical validity of the method or process, the accuracy of the technology and error rates, and the risk that the biometric technology could be compromised or circumvented.”
Processes must be minimally intrusive: “In general, biometrics should not be used solely out of convenience for the organization deploying them if there are more privacy protective alternatives available. Consider what steps can be taken to reduce privacy intrusion as much as possible.”
The benefit gained by biometric information use must be proportional to the privacy and intrusiveness costs: “Initiatives that involve the collection, use, and disclosure of biometric information can have significant impacts on privacy. For these impacts to be proportional, the benefits of your biometric program must be commensurately high.”
In each area of guidance, the document provides real examples of how it applies. With regard to testing for intrusiveness and proportionality, the guide points to Rogers Communications, the largest wireless provider in Canada, which used a voice identification system to authenticate account holders who phone into support lines. Authorities concluded the use case passed the purpose and proportionality tests. In another instance, a different organization used fingerprints to verify the identity of people taking a standardized test for law school. Authorities found that the intrusion on privacy in this case did not satisfy the purpose requirement: the organization did not actually use the fingerprints for the stated purpose of protecting the integrity of the test.
After considering purpose and use, the guidance turns to consent. “A critical element of obtaining consent is ensuring that individuals have proper knowledge of how your organization will manage their personal information,” the guidance says. “For consent to be valid or meaningful, organizations must inform individuals of their privacy practices in a comprehensive and understandable manner.”
Specificity is an important consideration in consent. Back to the Rogers Communications example: while the purpose and use for the biometric data was acceptable, the data collection method raised consent concerns. “If an organization is collecting voiceprints from callers to its customer support line, a generic statement like ‘this call may be recorded for identification purposes’ would generally not be sufficient to obtain valid consent,” because such a notice is not a clear, explicit notification. According to the guidance, “you must specify separately and explicitly that biometric information will be collected, used, or disclosed.”
The guidance notes businesses should limit the collection, use, and storage of biometric data to only what is necessary to perform the needed business function. For example, using both fingerprints and another piece of biometric information to recognize an individual would require a demonstrable need for the added information.
The guidance also suggests that organizations should opt for verification systems rather than identification systems whenever possible. Where feasible, an individual’s personal information should remain under the control of that individual, for example by using a token on the person’s own mobile phone to validate recognition. “You should avoid creating large, centralized databases of biometric information if alternatives are viable. In the event of a breach, centralized databases are vulnerable to a wider scope and magnitude of potential privacy impacts,” the guidance says.
In addition, organizations using biometric information must have adequate safeguards in place “to protect personal information against loss, theft, or any unauthorized access, use, disclosure, copying, or modification.” The guidance says organizations must use “physical, organizational, and technical measures” to safeguard against breaches. “Review and update security measures regularly to ensure that these measures address evolving security threats and vulnerabilities, including risks specific to your choice of biometric technology.”
The capabilities of biometric systems are growing fast, as are the privacy concerns surrounding their use. Municipalities are endeavoring to keep up with the enhanced capabilities and use cases.
The European Union’s General Data Protection Regulation (GDPR) defines biometric data as a special category of personal data, placing it in one of the most restrictive frameworks. Collecting and using biometrics requires explicit consent from the data subject or must serve a substantial public interest. Rulings in the area have been strict. A school in Sweden obtained parental consent to use facial recognition to take attendance. The use was disallowed because it did not fall under one of the permitted grounds under GDPR, and the consent was deemed forced because of the power dynamics between the school and the parents of students.
China established a facial recognition regulation limiting private use of the technology. Prior to the rules, facial recognition systems were expanding rapidly in the country, with reports of stores requiring facial scans to enter. The regulations do not apply to government uses, and the Center for Security and Emerging Technology reported it included a loophole allowing unrestricted use of facial recognition for research and development or artificial intelligence model training.
In the United States, there is no federal approach to biometric data regulations, leaving the matter to the individual states. Only a few states have existing laws specifically governing biometric data collection and use. The Illinois law is one of the more comprehensive. It requires a written policy and stipulates that private entities must obtain consent for the collection and use of biometric information. It also includes a couple of stipulations of direct importance to security. Private entities must:
- “Store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity’s industry”
- “Store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.”
In August 2024, Security Management published several articles on biometric myth-busting.
Various aspects of biometric use routinely pop up in the news. Most recently, in May, Today in Security described a facial recognition deployment used in New Orleans that fell under legal scrutiny because it appeared to violate city ordinances. In April, Today in Security reported on a Europol paper on biometric spoofing.