The General Data Protection Regulation, commonly referred to as GDPR, came into effect in the European Union in May 2018. Although many organizations have conducted reviews and audits of the data they store across the many systems that they use, when it comes to implementing a biometric system, compliance with GDPR requires additional considerations.
Whether you are considering installing biometrics for access control, time and attendance, or any other application, it is important to understand how the data relating to users of the system is created, stored and where necessary, deleted.
What is GDPR?
The purpose of GDPR can be summarised as follows: -
- to standardize regulations relating to data protection across the member states of the European Union
- to increase privacy and extend data rights for EU residents
- to help EU residents understand personal data use to address the export of personal data outside of the EU
- to give regulatory authorities greater powers to take action against organizations that breach the new data protection regulations
- to simplify the regulatory environment for international business by unifying data protection regulations within the European Union
- to ensure that every new business process that uses personal data abides by the GDPR data protection regulations and Privacy by Design rule
In short, organizations are required to know what personal data they hold on any EU resident and what the purpose is of holding that data. First and foremost they have to ensure the data was created with the owner’s consent and must be able to prove this consent at any time. Where the data is stored and how it is protected and the retention period and method of deletion are also relevant aspects.
Biometric Data Storage
GDPR essentially regulates how organizations manage two types of data; personal data and sensitive data. Personal data is any information relating to an identified or identifiable person. Sensitive data is a ‘special category of data, capable of identifying an individual. Understandably, biometric data is categorized as ‘sensitive data and thus a ‘special category.
Processing Special Category Data
Article 9 of GDPR states that the collection of personal data such as biometric data is prohibited. The same article lists the conditions under which organizations are still allowed to collect such sensitive data. They must meet at least one of the following criteria:
(a) The data subject provides explicit consent
(b) Employment, social security, and social protection (if authorized by law)
(c) Act in the vital interests of the data owner
(d) Not-for-profit bodies keeping the data internally
(e) Data was made public by the data subject
(f) Legal claims or judicial acts
(g) Reasons of substantial public interest (with a basis in law)
(h) Health or social care (with a basis in law)
(i) Public health (with a basis in law)
Archiving, research, and statistics (with a basis in law)
Explicit consent of users is the most important element of implementing a biometric system and is often a topic for debate. It is important to know that the data subject (or the employee) must give explicit consent, that the consent is continuous, and that the consent can be withdrawn at any time. Employers must explain the reasons for processing biometric data, commonly known as ‘The Purpose’. Employees should be educated as to how the biometric data is being stored, and there should be an acceptable alternative means of identification if an individual refuses or withdraws his or her consent.
It is important to understand how biometric data is created, stored, and processed. This will help organizations to gain the trust of employees using a biometric system. A common misconception is that images from fingerprints, faces, or irises, are stored in a biometric system. Within the TBS system, images are never stored. Images are taken and identifiable features (known as data points) are collected from the image. A sophisticated algorithm is used to convert the data points into a biometric template in the form of a digital code. As an additional security measure, the biometric template is then further encrypted before it is stored or sent to the biometric data server. The result is a system that gives the highest level of protection to biometric data, thus ensuring GDPR compliance.
Implementing a Biometric Solution
When processing any personal data, there are several actions that should be considered to ensure your organization is compliant: -
- Data Impact Assessment – This is a process to help you identify and minimize the data protection risks of a project.
- Legitimate Interest Assessment – This is a high-level risk assessment on the specific context and circumstances of processing data, and it will help you to ensure your processing is lawful.
- Privacy Statement – This is an internal document, sometimes referred to as a fair processing notice, that you should produce to document the purpose for processing the biometric data; the method of collecting and storing biometric data; the scope of which the biometric data will be used or shared; the security methods used to protect the biometric data; the length of time the data will be kept; and the process for deletion.
Of the clauses listed in article 9 of GDPR, the two main conditions that are usually relied upon are ‘Explicit Consent’ and ‘Vital Interest’. Access control and time and attendance still lead the way for biometric-based applications. Access control, in most situations, lends itself to both explicit consent and vital interests.
When implementing biometrics for access control, organizations reduce the risk of unauthorized people being able to access areas of a building or facility. If used to process employees, visitors, or contractors on- and off-site, biometric access control can be integrated with mustering or roll-call solutions which will allow you to know who to account for in an emergency and protect the vital interests of those enrolled in the system.
We are sometimes asked about the legality of using biometrics for time and attendance. Vital interest is less likely to be applied to time and attendance, although as with access control, when you are clocking people in and out, you are also effectively saying that they are on- or off-site, and therefore this information could also be used for roll call in the event of an emergency. In any event, explicit consent is usually relied upon, and consent is more freely given when the user knows not just why, but also how their biometric is being used and how it is being protected. If a user, for whatever reason, does not consent, there are other methods of identification that can still be used on all TBS’ biometric terminals. The terminals are equipped with a touchscreen that allows users to identify themselves with a unique PIN, and the PIN pad can even be scrambled each time to increase security. The terminals also come with optional RFID readers for reading cards or fobs. The system can easily be configured so that both PIN and RFID are required for identification.
When implemented effectively, biometrics can help any organization of any size to improve security, reduce risk and increase efficiency. When you have identity-dependent processes within your organization, biometrics can add a layer of security that can enhance your data protection, as the method of identification cannot be faked, forged, or shared between people. TBS has deployed thousands of systems around the world, some of which are installed in some of the highest security and data-sensitive organizations and our experience can help you get the most from a biometric system and ensure that your legal obligations are met.