Biometric Data and Privacy

As the COVID-19 pandemic has swept across the world, organisations have increasingly looked to new, contactless technology. Biometric data is a powerful tool for identification which enables much of our modern contactless technology. This technology underpins the careful balancing act of sustainably managing the ongoing health risks posed by COVID-19 while reopening economies. However, the question is how to reconcile this increased use of biometric data with compliance with privacy laws when contracting third-party providers, particularly cloud data providers.

What is biometric data?

The most obvious thing that springs to mind when someone mentions biometric data is facial recognition, fingerprint scanners, or even retina scanners if you are a Mission Impossible fan from back in the days before Tom Cruise was known for jumping on couches.

According to the Biometrics Institute, biometric recognition is the “automated recognition of individuals based on their biological and behavioral characteristics” and a biometric characteristic or “biometric” is the “biological and behavioral characteristic of an individual from which distinguishing, repeatable biometric features can be extracted for the purpose of biometric recognition”.[1]

In short, biometric data is you and your intrinsic properties. It is inherently identifiable and unable to be anonymized, making it possible for artificial intelligence (AI) to recognize you from things that you never even knew were unique. In addition to facial recognition and fingerprints, it includes:

  • the way you walk;
  • the way you type;
  • the shape of your ear;
  • vein recognition;
  • your DNA; and
  • the way that you smell.

It is worth keeping in mind that it is not possible to safely and securely de-identify biometric data. With the available computing power, AI and complex algorithms, merely stripping personal information from the data will not be sufficient to de-identify any biometric data. Often, the use of big data for data analytics is on the basis that the data has been de-identified. Organisations should not rely on this method for biometric data.

Why is biometric data important to protect?

Biometric data is sensitive information. It’s sensitive, in part, because it is our inherently identifiable information, and because it largely requires us to present ourselves. It is important to understand within contractual relationships who is responsible for what elements of the collection, use, storage, disclosure and destruction of biometric data in compliance with the applicable and relevant privacy standards and laws. Finding out the allocation of responsibility after the data has been hacked is not the recommended course of action!

When dealing with biometric data, greater security standards must be implemented. Unlike passwords and email addresses, once biometric data is disclosed there is no going back. You only have a limited number of features (ten fingers, one face, two eyes!), none of which can be changed as easily as a password. Any enhanced security standards must flow through to your contracts with third-party suppliers.

Cloud hosting & Privacy & Biometric Data – What should the contract say?

Cloud hosting provides greater processing power and the storage capacity necessary when using biometric data. So, what do you need to think about for those all-important information security and privacy clauses? 

At the outset, the contract must be clear on who is responsible for the collection, use, storage and disclosure of biometric data. It should also address:

  • Is the biometric data stored in Australia? How, when and where can the cloud provider transfer the biometric data? Offshore disclosure is fraught with danger – it requires actual consent from the owner of the biometric data, and consideration must be given to the applicable privacy and data protection laws.
  • Confirmation that the party complies with all applicable privacy and data protection laws. Associated indemnities should be sought for any loss or damage arising from a breach, including for any penalties imposed by any Information Commissioner.
  • The information security standards to be applied e.g. ISO 27001, ACSC’s Essential Eight, Information Technology Library (ITIL). Be aware of what these standards require; not all standards are created equal. Comply does not equal certify. Know what you are asking for.
  • The controls and procedures around access to the biometric data, including circumstances in which the cloud provider may need to use the biometric data.
  • What happens in the event of a breach, whether that be an innocent disclosure, or the cloud provider being hacked.

Any time you are dealing with data, be it personal information, biometric or not, you should know and understand the type and nature of the data being collected, what laws apply to such data, and ensure that your contracts with any third parties adequately represent and address the associated risk and liability.

Managing the contracts that deal with technology can be challenging and requires knowledge of both the law and technology. Should you have any particular concerns about your technology contracts, please contact us to see how we can help you navigate this complex world.


[1] Biometrics Institute “What is Biometrics?”

Melissa Wingard - Special Counsel

Melissa Wingard, Former POF Attorney

BA(Eng&Hist) LLB(Hons) GradDipLegPrac GradDipAppFin&Inv MCyberSecOps

Melissa Wingard is a senior commercial technology lawyer, with over 15 years’ experience, assisting software, cybersecurity, and technology companies, across the Asia Pacific region, grow their business and meet strategic aims, whilst managing risk and regulatory compliance.