Facial recognition has been in the headlines over the last year, both for its use by police and for its wider use, such as by shops identifying known shoplifters and by employers monitoring employees. Most recently it's been in the news because the ICO has required Serco Leisure to stop its use of facial and fingerprint recognition for monitoring its employees’ attendance.
It is therefore timely that the ICO released the final version of its guidance on biometric recognition on 23 February 2024. This also ties into the ICO’s focus on genomics and neurotechnologies, two of the priority technologies set out in the ICO’s 2nd Tech Horizons report, which was also released last month.
Biometric data
Whether information is biometric data depends on the qualities of the information: whether it relates to someone's physical, physiological or behavioural characteristics, has been processed using specific technologies, and can uniquely identify the person it relates to.
Biometric recognition
Intended usage is also important: if the biometric data is to be used for unique identification, then it will be special category biometric data. Unique identification refers to someone being singled out with accuracy based solely on the biometric data. The ICO considers that the industry term, ‘biometric recognition’, aligns closely with the definition of special category biometric data in the UK GDPR and so uses this term throughout the guidance.
Data privacy compliance
The guidance takes each of the key requirements of the UK GDPR in turn, considering the specifics of how each applies to biometric recognition. It reminds us that biometric recognition systems will require a DPIA and helpfully draws out some areas of risk that need to be considered and addressed. These cover risks from data breaches, from biometric false acceptances or rejections, and the risk of discrimination.
Wider compliance
Whilst obviously outside the scope of the guidance, it is worth bearing in mind that many biometric recognition systems will use AI, so additional considerations need to be taken into account. Likewise, if the biometric recognition is to be used in an employee setting, employment law will also need to be considered. This will be particularly relevant given the trend to move away from passcards and passwords to using biometrics to access work spaces and devices.
Concluding thoughts
The final guidance has changed significantly from the consultation draft, for the better in our view. It now appears to reflect a greater appreciation from the ICO of what biometric recognition systems look like in real life, and benefits from a significant amount of non-legal technical explanation as well as being more narrowly focused on biometric recognition. By tying the data privacy requirements to this technical detail, this guidance should be more usable for both lawyers and technical teams.
The ICO has promised additional guidance on the use of biometric classification and categorisation systems, i.e. systems that make inferences about people based on observable characteristics, by the end of 2024.