GDPR and Biometric Data: A Guide for UK Employers

GDPR for biometric data is especially important for UK employers using access control or attendance systems.

In the UK, data protection is governed by two pieces of legislation: the Data Protection Act 2018 and the United Kingdom General Data Protection Regulation (UK GDPR), together known as the data protection legislation. They aim to cover what constitutes data, under what circumstances it can be collected, how long it can be kept, and what can be done with it.

Biometric data — scans of fingerprints, faces, irises etc. — is included in this governance, and is classified as a 'special category' of personal data, which means there are strict requirements, called 'data protection principles', for its collection and handling.

Who does GDPR apply to?

The data protection legislation applies to anyone who collects and processes personal data, including organisations based in the UK and organisations that provide goods or services to customers in the UK.

There are some exceptions:

  • Data relating to dead people
  • Using data for domestic or household purposes
  • National security and some law enforcement purposes
  • Company information (but only the company itself; GDPR still applies to individual people within that company: owners, partners, directors, sole traders etc.)

What is personal data?

Personal data is any information that can be used to identify a person, either directly (like a name) or indirectly (such as through a combination of collected data). It must also relate to them: data can reference an identifiable person without being personal data about that individual if the information is not actually about them.

Most organisations use personal data in their daily operations. Some of the examples used in the UK GDPR as personal data include:

  • Name
  • Identification numbers
  • Location data
  • Online identifier (such as IP addresses and cookies)
  • Factors relating to physical, physiological, genetic, mental, economic, cultural or social identity

There are further legal protections for 'special categories' of personal data including:

  • Race
  • Ethnic background
  • Political opinions
  • Religious beliefs
  • Trade union membership
  • Genetics
  • Biometrics (for identification)
  • Health
  • Sex life or orientation

What is biometric data?

The UK GDPR defines biometric data as:

"Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person."

Biometric identification techniques include:

  • Facial recognition
  • Fingerprint verification
  • Iris scanning
  • Retinal analysis
  • Voice recognition
  • Keystroke analysis
  • Handwriting analysis
  • Gait analysis

All biometric data is personal data; it falls under the 'special category' if it is used to "learn something about an individual, authenticate their identity, control their access, make a decision about them, or treat them differently in any way."

As an example, a digital photograph is personal data, but it is only biometric data if it is used to create a digital template or profile of an individual which is then used for image matching and identification.

The regulations for biometric data

Biometrics is one of the 'special categories' of personal data and as such is governed by strict GDPR regulations — in fact, the law actually prohibits its collection and processing, with ten exceptions.

This is because the use of this data "could create significant risks to the individual's fundamental rights and freedoms," and because collecting and using it is "more likely to interfere with these fundamental rights or open someone up to discrimination."

The ten exemptions are:

  1. Explicit consent is given
  2. Vital interests
  3. Not-for-profit bodies
  4. Made public by the data subject
  5. Legal claims or judicial acts

The following are only applicable if they have a legal basis or authorisation:

  6. Employment, social security and social protection
  7. Reasons of substantial public interest
  8. Health or social care
  9. Public health
  10. Archiving, research and statistics

Most of the conditions are about why you need the data, and require organisations to meet stringent criteria in order to collect and process biometric data. The gaining of explicit consent is particularly important, but there may be instances where consent cannot be gained. In these cases the other conditions should be considered, depending on what data you are collecting and for what purpose.

The use of biometric data must be for a specific purpose (not just 'it might be useful'), and you must have a reasonable justification for why that purpose cannot be achieved by other means using non-special-category data.

The Information Commissioner's Office (ICO) makes it clear when you are not allowed to collect biometric data:

"It is not enough to argue that processing is necessary because it is part of your particular business model, processes or procedures, or because it is standard practice…

"If your purpose is not covered by any of the conditions, and you cannot obtain valid explicit consent, you cannot process the special category data. It doesn't matter how good your reason for processing might be. The ICO cannot authorise the use of special category data in the absence of a condition."

Guidance for using biometric data

Considerations for handling biometric data should include:

  • Adhering to the whole of the data protection regulations, not just the part applicable specifically to biometric or special category data.
  • Completion of a data protection impact assessment (DPIA), especially at large scale or "to determine access to a product, service, opportunity or benefit."
  • Justifying in your privacy policy why you need to collect biometric data and for what purpose.
  • Only collecting, processing and retaining the minimum amount of biometric data you need.
  • Ensuring appropriate security measures for handling the biometric data, and whether you need to upgrade your systems to be able to collect it.
  • Keeping accurate records, including documenting the categories of data. This must include an appropriate policy document which outlines your compliance measures and retention policies for special category data, including your condition for processing the data, how you satisfy a lawful basis for that processing, and how you have followed your retention and deletion policies — and if not, why not.
  • Appointing a Data Protection Officer if your main business activities require large-scale processing of biometric data.
  • Designating an EU representative if you offer services to, or monitor, individuals in EU member states and process biometric data on a large scale. You may also need to seek your own legal advice on the law in other relevant member states.

Tensor's biometric products and GDPR

As part of Tensor's integrated range of Time and Attendance, Access Control, Visitor Monitoring and CCTV systems, we offer fingerprint and facial recognition terminals and related software.

To ensure the safety and security of the biometric data our systems collect and process, Tensor designs and manufactures our products and services to the highest standards. Among Tensor's many accreditations demonstrating our commitment to quality and security, we have attained ISO 27001, the leading international standard for Information Security Management Systems, and Cyber Essentials, a UK Government-backed scheme that aims to ensure that security controls are in place and working effectively.

However, the security of your system is only one part of the requirements for collecting and processing biometric and other personal data. Ultimately, the responsibility for personal data collected by you for your business purposes lies with you, so make sure you comply with all the necessary conditions for your business needs.

Extensive details about the collecting and processing of biometric and other special category data can be found on the ICO website.

To discuss setting up a biometric system as part of your Access Control, CCTV or Time and Attendance systems, get in touch with us today.

Quotes in this post are excerpted from the Information Commissioner's Office Guidance and Resources for GDPR.

Please note that the contents of this post are intended as a guide only and do not constitute legal advice and should not be relied upon in making, or refraining from making, any decision. The data protection legislation can be read in full at:

United Kingdom General Data Protection Regulation: https://www.legislation.gov.uk/eur/2016/679/contents

Data Protection Act 2018: https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted
