Biometric recognition: UK Information Commissioner’s Office publishes guidance

Following its consultation in 2023, the Information Commissioner’s Office (“ICO”) has published guidance on the data protection requirements that apply to biometric recognition systems. This is the first part of the ICO’s guidance on biometric data. The second part, on biometric classification and categorisation, will be the subject of a Call for Evidence in 2024.

A key part of the guidance is a clear and detailed explanation of what constitutes biometric data and biometric special category data. Article 4(14) UK GDPR defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that person.” Personal data is therefore only biometric data where it: (1) relates to someone’s behaviour, appearance or observable characteristic (e.g. facial images, fingerprints or voice data); (2) has been extracted or further analysed using technology; and (3) can uniquely recognise the person to whom it relates.

Further, the guidance clarifies that biometric data is not necessarily special category data, a type of data the processing of which is subject to stricter legal obligations under UK GDPR given its sensitive nature. Biometric data will only be special category data when used for the “purpose of uniquely identifying a natural person” (Article 9(1) UK GDPR).

The guidance confirms that biometric recognition systems (not defined by law), such as facial recognition used to identify someone or to replace the use of a password or swipe card, involve the processing of biometric data and, in particular, special category data. That is because they either identify a person by comparing their biometric data with the biometric data of many others, or they verify the person by comparing their biometric data against a stored biometric record. Such systems meet all three requirements of the definition of biometric data and, because the purpose of such systems is to uniquely identify someone using biometric data, they are using special category data (from the moment of collection). The key point is the purpose for which the data are being used, which distinguishes biometric data from other types of special category data (e.g. political opinions) that are about the nature of the information alone, without any consideration for the purposes for which they are used.

The International Standards Organisation (“ISO”) defines “biometric recognition” as the automated recognition of people based on their biological or behavioural characteristics, a definition that aligns closely with the definition of special category biometric data in UK GDPR. Therefore, the guidance states that if you use a biometric recognition system, you are using biometric data to uniquely identify someone. So, “biometric recognition” encompasses all situations in which biometric data is special category biometric data.

The guidance provides a very useful explanation of how biometric identification systems work and what they are used for, before going on to examine in detail how they use personal data, biometric data or special category biometric data. For example, the guidance clarifies that the requirement that the information must result from “specific technical processing” will not be met simply by possessing a photo of someone. It is only technical processing when techniques are applied to the photo to extract the facial features to enable the person to be uniquely identified. The various stages of biometric identification can all involve such processing: the extraction of information, the transformation of the information into a biometric “feature” and the storage of the feature as a biometric “template”.

The guidance then outlines the obligations relating to biometric identification including data protection by design, Data Protection Impact Assessments (with a detailed discussion of risks to people’s rights and freedoms) and the conditions on which processing of the biometric data may take place. On the latter, the guidance states that, in many cases, explicit consent is likely to be the most appropriate condition (although for employers this can be problematic if a genuine choice is not offered to those who choose not to consent). Finally, the guidance addresses data protection obligations arising from biometric identification in relation to fairness, accuracy, transparency, rights requests and security.

As with other ICO guidance, useful case studies are provided.
