Know the legalities of biometrics

Biometric technologies are set to play a big role in commercial security, but firms must ensure that they do not fall foul of data protection or human rights laws

Biometric technologies, which use a digitised form of unique physical features such as fingerprints or iris patterns, are becoming more widely available and could make keys, photocards and PINs a thing of the past.

At present, much of the technology is developmental, but biometric applications are proliferating and some of the more basic systems are already on the market.

The UK is one of 27 countries signed up to the US Visa Waiver Programme, which demands that all passports contain a machine-readable chip with the passport holder's details and a biometric identifier, such as a digital photograph.

Accordingly, from 2007, all new UK passports will incorporate biometric data in an embedded microchip, and by next summer 10 UK airports will be using iris scanning technology, with a planned roll-out for all 141 UK ports and airports.

The private sector too is starting to take advantage of the technology, as the commercial benefits of biometrics become more tangible. The Geneva private bank Pictet & Cie is already using iris scanning technology to control employee access to its offices, and some European casinos have installed facial recognition technology with the aim of identifying unwanted or banned customers.

The main advantages companies can gain from using biometric systems are:

● They promise a high degree of reliability because it is impossible (short of amputation or mutilation) to lose or forget biometric traits, and very difficult to copy, distribute or misuse them

● They are very simple to use, because individuals do not need to remember passwords or PINs

● System integrity is strong because no two people share all the same biometric traits and they are difficult to reproduce, which in turn reduces the potential for fraud and enhances security. Unlike a password or PIN, however, a biometric trait cannot be changed if a copy of it is stolen, so stored templates need at least as much protection as the credentials they replace.

But the use of biometrics carries certain legal implications. Most significantly, biometrics pose new and complex questions about compatibility with individuals' rights to privacy. Companies need to be sure that any biometric system they propose to introduce will not fall foul of data protection or human rights laws.

In simple terms, biometric systems are based either on verification or identification, and they are either voluntary or compulsory. The privacy implications vary considerably in each case.

Verification systems operate by verifying that a person is who he or she claims to be. At its most basic, this means using a fingerprint biometric to verify that a person seeking access to a building or bank account is authorised to do so.

Identification systems go a great deal further, comparing information about one person with information about many (held on a database) for the purpose of identifying who that person is (known as a "one-to-many" match). An example of an identification system is the national DNA database, which is run by the Forensic Science Service to identify offenders and victims using crime scene DNA samples.
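The distinction between verification and identification is also a matching-engine distinction, and it has a security consequence the legal text does not spell out: a one-to-one check makes a single comparison, whereas a one-to-many search makes one comparison per enrolled record, so the chance of a stranger being falsely matched grows with the size of the database. The following is an added illustration written for this article, not code from any product or scheme it mentions. It models templates as 256-bit strings compared by fractional Hamming distance (the way iris codes are compared); the template size, the 0.30 threshold, the user names and the false-match rates are constructed assumptions, not figures from the article.

```python
"""Added example: 1:1 verification versus 1:N identification on bit templates.

Illustrative code written for this article, not any product's implementation.
Templates, threshold and sample users below are constructed for the example.
"""
import random

TEMPLATE_BITS = 256  # assumed template length; iris codes are far larger


def hamming_fraction(a: int, b: int) -> float:
    """Fraction of template bits that differ between two templates."""
    return bin(a ^ b).count("1") / TEMPLATE_BITS


def make_database(user_ids, seed=2024):
    """Enrol one random template per user (constructed sample data)."""
    rng = random.Random(seed)
    return {uid: rng.getrandbits(TEMPLATE_BITS) for uid in user_ids}


def capture(template: int, flipped_bits: int, seed=7) -> int:
    """Simulate a fresh scan of the same trait: the enrolled template with a
    fixed number of bit positions flipped by sensor noise."""
    rng = random.Random(seed)
    for pos in rng.sample(range(TEMPLATE_BITS), flipped_bits):
        template ^= 1 << pos
    return template


def verify(probe: int, claimed_id: str, db: dict, threshold: float) -> bool:
    """1:1 match: compare the probe only with the template enrolled for the
    identity the person claims. Exactly one comparison is made."""
    enrolled = db.get(claimed_id)
    if enrolled is None:
        return False
    return hamming_fraction(probe, enrolled) <= threshold


def identify(probe: int, db: dict, threshold: float):
    """1:N match: compare the probe with every enrolled template and return the
    closest one under the threshold as (user_id, distance), or None."""
    best = None
    for uid, enrolled in db.items():
        d = hamming_fraction(probe, enrolled)
        if d <= threshold and (best is None or d < best[1]):
            best = (uid, d)
    return best


def false_match_probability(fmr_per_comparison: float, n: int) -> float:
    """Chance that a probe from someone NOT enrolled matches at least one of n
    templates, given the single-comparison false match rate (FMR)."""
    return 1.0 - (1.0 - fmr_per_comparison) ** n


def per_comparison_fmr_for(target_fmr: float, n: int) -> float:
    """Single-comparison FMR needed so a 1:N search over n templates stays at
    or below target_fmr overall; this is the threshold-tightening a 1:N
    scheme must accept compared with a 1:1 scheme."""
    return 1.0 - (1.0 - target_fmr) ** (1.0 / n)


if __name__ == "__main__":
    db = make_database(["alice", "bob", "carol"])
    probe = capture(db["alice"], flipped_bits=25)  # ~10% noise
    print("verify as alice:", verify(probe, "alice", db, 0.30))
    print("verify as bob:  ", verify(probe, "bob", db, 0.30))
    print("identify:       ", identify(probe, db, 0.30))
    stranger = make_database(["dave"], seed=99)["dave"]
    print("stranger:       ", identify(stranger, db, 0.30))
    for n in (1, 1_000, 10_000):
        print(f"FMR 1e-4 per comparison, N={n}: "
              f"P(false match) = {false_match_probability(1e-4, n):.4f}, "
              f"per-comparison FMR needed for 1e-4 overall = "
              f"{per_comparison_fmr_for(1e-4, n):.2e}")
```

With a per-comparison false match rate of 1 in 10,000, a one-to-one check carries that risk once, while a one-to-many search of 10,000 records will falsely match a stranger roughly 63% of the time unless the threshold is tightened by about four orders of magnitude. That tightening raises the false reject rate for genuine users, which is why identification schemes are both harder to justify under proportionality and harder to operate than verification schemes.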

When the national DNA database was established in 1995, the taking of samples was controlled closely and quite limited. Now, DNA samples can be taken from anyone arrested and detained by the police in custody, and non-intimate samples (such as a mouth swab) can be taken without consent.

DNA records can be retained even if the arrested person is cleared, and, indeed, even if they are not prosecuted. Importantly (and in some cases controversially), these developments have only been made possible by specific legislative changes.

The use of any biometric system must comply with the European Convention on Human Rights and with the Data Protection Directive. In the UK, these laws take the form of the Human Rights Act and the Data Protection Act.

The Human Rights Act gives effect to Article 8 of the convention: we are all entitled to respect for our private life, and interference with this right by a public authority is permitted only in the specific circumstances Article 8 sets out. The courts have made it very clear that "private life" does not only apply to life outside work. It will also apply in the workplace.

The Data Protection Act regulates the way that organisations process information that identifies us. It requires, for example, that the use of such information (including biometric data) must be "fair" and limited to specific purposes, which have been notified to the individual when they handed over their personal data.

In the context of biometric technologies, two overriding principles will apply in every case: proportionality and transparency.

Proportionality requires that interference with someone's private life, or the use of their biometric data, must be justifiable by the benefits of the scheme. This usually means balancing the rights of the individual with the rights of the organisation or the public at large. Transparency means making it clear how and why information will be used, and not going beyond this without prior agreement.

In legal terms, biometric data is no more intrinsically "private" than any other personal data. However, the law requires that the purpose of a biometric scheme must be clear from the outset and that the use of biometric information must be proportionate to the benefits that the scheme is likely to offer.

Companies planning to roll out biometric systems will need to think carefully about how they collect information, how they store it and how and when it can be accessed or matched.

In particular, for example, many individuals would reasonably be concerned if biometric data were to be used by companies for commercial gain. There are also some complex legal issues that will arise if biometric data is shared or transmitted, particularly if it is transferred outside Europe.

In practice, companies will need to establish very clearly whether a biometric scheme is voluntary or compulsory (and what the consequences would be if an employee refused to participate in a voluntary scheme), whether the scheme operates by means of verification or identification, and whether each use of biometric information is compatible with the stated purposes of the scheme.

There is also the issue of function creep - that is, whether different uses of information may emerge in the future which were not contemplated when the scheme was set up.

Companies will need to consider what measures they must put in place to secure any biometric information they hold, and the cost of implementing them. The Data Protection Act's seventh principle requires appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss or damage, and a stored template is a particularly sensitive target because, unlike a password, it cannot be reissued once compromised.

Finally, and perhaps most importantly, companies should consider how they will allay users' concerns about the use of their biometric data. No doubt some will be worried that the use of biometric data will somehow infringe their rights to privacy and enable fraudsters to use it to commit crimes or steal their identities. This is perhaps the biggest obstacle to overcome - the biometric hardware put in place will only be successful if users are willing to provide their data.

It is arguable that one of the reasons why the use of biometric technologies has not been as extensive as one might imagine is that the "Big Brother" connotations have had a major impact on public perception.

Biometric technologies are likely to play a big role in the development of commercial security over the coming years, but it is imperative for companies to think through the legal issues first, or risk falling foul of increasingly complex legislation.

Marcus Turle is a partner in the technology law group of City law firm Field Fisher Waterhouse
