Written by: Haim Ravia and Dotan Hammer
The UK’s Information Commissioner’s Office (ICO) has issued new guidance on biometric information aimed at organizations using or planning to use biometric recognition systems, as well as system providers, including vendors and developers. The guidance explores the definition of biometric data under the UK General Data Protection Regulation (UK GDPR), its use in biometric recognition systems, the handling of biometric data as a special category of personal data, and key data protection principles for compliance.
Key guidelines in the document include the need to adopt a data protection by design approach, conduct a Data Protection Impact Assessment (DPIA) to assess the impact of biometric systems, and maintain transparency toward data subjects.
The Israeli Privacy Protection Authority (PPA) also released updated guidance on collecting and using biometric information for employee attendance monitoring. The PPA’s guidelines emphasize that employers should explore less invasive options, like employee cards or consent-based biometric systems. The guidelines further clarify that:
- Clear communication about data collection reasons, security, risks, and employee rights is essential.
- Freely given consent for biometric attendance tracking is crucial. Therefore, employees must be offered a choice between biometric and non-biometric systems, to ensure that consent is voluntary.
- Biometric data should be used only for its intended purpose.
- Advanced protective measures, such as encryption and data segregation, are vital for safeguarding biometric data.
- Biometric data should be retained only as long as necessary and deleted when no longer needed.
Click here to read the ICO’s Biometric data guidance.
Click here to read the Israeli Privacy Protection Authority’s guidance (In Hebrew).