The ICO exists to empower you through information.

Why have you produced this guidance?

This guidance explains how data protection law applies when you use biometric data in biometric recognition systems. Read it to understand the law and our recommendations for good practice.

Who’s it for?

This guidance is for organisations that use or are considering using biometric recognition systems. It is also for vendors of these systems. It is for both controllers and processors.

What does it cover?

This guidance looks at the definition of biometric data under the UK GDPR. It also focuses on biometric recognition uses and explains how these involve processing special category biometric data.

This guidance covers:

  • what biometric data is;
  • when it is considered special category data;
  • its use in biometric recognition systems; and
  • the data protection requirements you need to comply with.

What doesn’t it cover?

This guidance does not cover requirements of the data protection regimes for law enforcement purposes or the security services. However, some of the principles explained in this guidance are relevant to these regimes too.

This guidance is not intended to be a comprehensive guide to compliance when using biometric data. Where this guidance refers to principles already addressed in our guidance, we provide links to the relevant further reading.