
Regulations of Biometric Data for Use in Security

30 September 2020

With the increasing popularity of biometric technology in security, companies are moving towards using it rather than more traditional forms of authentication. It offers businesses flexibility and enables them to streamline their authentication processes, and it provides a more robust and advanced level of security than those traditional forms.


It’s important to consider the regulations around the use of such technology and how the data is processed and stored in terms of data privacy laws. Over 120 of the world’s countries have some form of data privacy law, but few of those laws speak specifically about biometrics, and some countries, such as Germany, have much stricter privacy laws than others.


Are there UK Biometric Laws?

There is no single law that specifically governs the collection and storage of biometric data in the UK; instead, there are a number of laws that legislate on data privacy and include biometric data within their scope.

The Information Commissioner’s Office (ICO) is the government body responsible for regulating data privacy issues. The ICO sets out a code of practice which, although not a legal act in itself, offers practical advice to help organisations comply with the legal framework.


In the UK, the Protection of Freedoms Act 2012 regulates the use of biometrics in two specific instances. It stipulates that the police are unable to retain DNA and fingerprint data collected from people not convicted of a crime. It also states that schools using biometrics can only enrol students with the consent of both parent and child, and this applies to any type of biometric data.


Classification of Biometric Data

Biometric data that is used to identify an individual is designated as ‘sensitive data’ under data privacy laws and so must be treated with particular care and under stricter regulations. The ICO provides guidance on what it calls the “special data category”. Several forms of personal data are included under this category, but the relevant aspect is that it includes biometric data where it is used for identification purposes. Under GDPR, biometric data is classified as personal data and its processing requires explicit consent as well as a lawful basis. Organisations are obliged to consider whether they in fact need the data at all and how it will be kept securely.


What are the considerations?

Organisations crucially need to have a lawful basis to process personal data, but they also need to be certain whether they need it at all. Points to consider:

  • Why is the data being collected?
  • What will be done with it?
  • Where will it be stored?
  • Who will have access to it?
  • How will it be secured?


It’s also important to determine whether the data needed for identity verification is more sensitive than the information it gives users access to. If this is the case, a less rigorous authentication process would be better suited. Carrying out a data protection impact assessment (DPIA) will set out the details and considerations, allowing for an informed decision on whether or not implementing a biometric system is the way forward.


With biometric technologies booming during the current pandemic, the use of non-contact authentication is sure to be adopted further by companies worldwide to overcome health risk concerns. Using biometric authentication will also allow for more remote working in some sectors where security is of paramount importance.