We are currently consulting on this draft guidance.
At a glance
- Biometric recognition occurs when you use biometric data to uniquely identify someone.
- It is a term used in industry standards and isn’t defined in data protection law.
- Biometric recognition uses personal data, biometric data and special category biometric data.
What is “biometric recognition”?
We use the term “biometric recognition” to refer to biometric data used for identification and verification. This choice of term reflects:
- terms and definitions in industry standards; and
- the outcomes of our biometrics reports, such as the need to ensure consistency in terminology.
Identification refers to a one-to-many (1:N) matching process. Biometric data of one person is compared with that of many other people to find a match. It asks the question “Who is this person?”.
Verification refers to a one-to-one (1:1) matching process. A person provides biometric data that is compared against their stored biometric record. It asks the question “Is this person who they claim to be?”.
Both of these processes require biometric data to uniquely identify someone.
The term “authentication” has historically been used about both identification and verification, sometimes interchangeably. Current industry standards move away from using this term and our guidance reflects this.
ISO/IEC 2382-37:2022 establishes a systematic description and vocabulary for the field of biometric technologies.
What can we use biometric recognition for?
You can use biometric recognition systems to identify someone from others. This requires a biometric template from the person you are looking for in order to match against it. While facial recognition technology is probably the best-known use of biometric recognition to identify someone, there are other biometric approaches that are capable of uniquely identifying someone.
You can also use biometric recognition systems for access control verification (eg to restrict access to virtual or physical spaces to authorised people only). This is because they enable automated matching of biometric data at speed.
In these scenarios, biometric recognition systems replace a password (something you know) or a swipe card (something you have) with biometric data (something you are).
A rental company requires customers to prove their identity prior to using their services. To keep costs low, and make the process convenient for customers, the company uses a remote authentication process.
Customers are required to upload a scan of an official photo identity document, such as a passport, and another photo of themselves. The company then compares the two images to confirm that they are of the same person.
This process involves processing special category biometric data in order to uniquely identify someone. In this case, the processing consists of matching two biometric templates, one generated from each photo, to verify the identity of the customer.
The scalability of biometric recognition systems may be attractive in comparison to traditional access control systems that incur fixed costs (eg the need to issue new or replacement identity cards).
They may also be more secure than swipe cards or PINs (eg people can’t forget or lose their biometric data but can share or misuse cards or PINs).
An employer issues a work laptop to their employee, who decides to use facial recognition as an alternative to a password to access their work account. This involves creating a biometric template that’s stored on the device for future comparison.
Every time the employee wants to access the device, the biometric recognition system generates biometric data from an image of their face and compares this with the stored template.
This means the employee’s biometric data is processed for the purpose of uniquely identifying them - even if the match process is unsuccessful and the employee has to enter a password or PIN instead.
Do biometric recognition systems use personal data?
Yes. If you use a biometric recognition system, then you are processing personal data.
The purpose of any biometric recognition system is to identify someone. This is either because they are the person they claim to be (to verify them and their access) or to identify them from others.
Both of these processes require information about an identified or identifiable person.
Do biometric recognition systems use biometric data?
Yes. By default, if you use a biometric recognition system, you are also using biometric data.
This is because the personal data the system creates meets all three aspects of the definition of biometric data in data protection law, which are listed below.
1. The information is about someone’s physical, physiological or behavioural characteristics
“Physical and physiological” relate to someone’s biological characteristics.
These are unique to every person, which is why you can use them effectively for identification and verification. These characteristics can include a person’s facial features, fingerprints, iris, voice and even their ear shape.
Examples of physical or physiological biometric recognition techniques include:
- facial recognition;
- fingerprint verification;
- iris scanning; and
- voice recognition.
“Behavioural” is about characteristics that relate to things like movements, gestures or motor skills. Behavioural characteristics can include a person’s handwriting or method of typing, their gait when walking or running or their eye movements.
Examples of behavioural biometric recognition techniques include:
- keystroke analysis;
- handwritten signature analysis;
- gait analysis; and
- gaze analysis (eye tracking).
2. The information results from specific technical processing
The term “specific technical processing” describes a discrete processing operation, or set of processing operations, which generate biometric data.
For example, while someone’s physical characteristics may be shown in a digital photograph, this isn’t enough to make that photograph biometric data. It is only when you take further technical steps that the result may become biometric data.
Data protection law recognises this where it states that photographs are covered by the definition of biometric data only when processed through a specific technical means that allows the unique identification of someone.
Specific technical processing can refer to some of the key stages involved in biometric recognition systems. For example:
- the "enrolment" phase, where biometric characteristics are captured, creating a biometric sample; and
- the "extraction" phase, where the information in the sample is extracted and transformed by an algorithm, creating a biometric template.
3. The information allows or confirms someone’s unique identification
This is about the properties of the information itself, not what you intend to use it for.
The wording “allow or confirm” means that where it is possible to identify someone, even if this is not your intention, this part of the definition will be met.
An employer may be able to identify a staff member from an audio recording, even if they didn’t state their name. The recording therefore includes personal data about that staff member.
However, this doesn't make the audio recording biometric data, as it doesn't result from specific technical processing of the staff member's characteristics (eg their voice) and by itself doesn't allow or confirm the unique identification of that person.
The same organisation then buys a voice recognition solution to transcribe audio recordings and attribute what was said to particular people who attend the meetings.
This involves enrolling all meeting attendees onto the system to create a biometric template of their speech patterns and comparing the recordings against these stored templates.
This is biometric data. It results from specific technical processing of someone's characteristics and allows or confirms that person's unique identification.
As the employer processes the biometric data for the purpose of uniquely identifying the attendees, it is also special category biometric data.
Do biometric recognition systems use special category biometric data?
Yes. If you use a biometric recognition system, you are using special category biometric data. This is because the purpose of a biometric recognition system is to uniquely identify someone using biometric data.
The UK GDPR says that biometric data is special category data if it is processed:
“for the purpose of uniquely identifying a natural person.”
This is slightly different from the definition of biometric data. Instead, it is specifically about the purpose for which you intend to use that data.
This means that biometric data is not automatically special category data. It only becomes special category data if you use it for the purpose of uniquely identifying someone. So, it’s your purpose for using the biometric data that matters.
This makes special category biometric data different to the other special categories of data. For example, political opinions or racial origin are about the nature of the information alone, rather than any additional consideration of the purposes you are processing the data for.
In order to uniquely identify someone using biometric data, your purpose involves:
- collecting personal data relating to someone’s characteristics and processing it in a certain way (eg to create a biometric template); and
- comparing that data with other biometric data that you hold in order to identify a match.
If you intend to take these steps, then you are processing biometric data for the purpose of unique identification.
This means that you will be processing special category biometric data from the moment you collect the data as described in the first step, not from the point that you attempt any comparison for identification purposes.
This purpose test is met whenever you use a biometric recognition system, because your purpose for doing so will be either to establish:
- who someone is (identification); or
- if someone is who they claim to be (verification).
Both of these involve comparing a biometric template against another (reference) template for the purpose of finding a match.
However, it is also important to remember that you are still processing special category biometric data, even if:
- you do not find a match. You are still creating and comparing biometric templates for the purpose of unique identification; or
- your overall purpose does not require the unique identification of people.
If at any stage your use of biometric data requires you to uniquely identify someone, then you are processing special category data.
An organisation uses a biometric access control system to ensure that only approved staff can access a sensitive area.
It enrols all authorised staff onto the system. This involves taking a digital image of their fingerprint, which in turn is processed as a biometric template.
Every time an authorised member of staff places their thumb on the door sensor, their biometric data is processed and compared to the biometric data taken at the enrolment stage to confirm their identity.
Even if the system does not find a match, the purpose is to uniquely identify someone from their biometric data.
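The following is an added worked example, not code from the guidance or from any real access control product. It models the stages the guidance describes: an enrolment sample, an extraction step that turns it into a template, 1:1 verification (“Is this person who they claim to be?”), 1:N identification (“Who is this person?”), and the door-sensor event from the fingerprint case study above, where a template is generated and compared even when no match results. The feature vectors, threshold and subject names are constructed stand-ins; a real system would derive the vectors from a fingerprint or face image.

```python
"""Toy biometric recognition pipeline: enrolment, extraction, 1:1 and 1:N
matching, and what happens on a failed attempt.

Added example, not from the guidance. Feature vectors are constructed stand-ins
for measurements a real system would derive from a fingerprint or face image.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Sample = List[float]  # the raw biometric sample captured at the sensor


@dataclass(frozen=True)
class Template:
    """Output of the extraction phase: a fixed-length, normalised vector."""
    subject_id: str
    features: Tuple[float, ...]


def extract_template(subject_id: str, sample: Sample) -> Template:
    """Extraction: transform a captured sample into a comparable template.

    The 'algorithm' here is mean-centring plus L2 normalisation. This step is
    the 'specific technical processing' the guidance describes: the template,
    not the raw sample, is what the gallery stores and what comparisons use.
    """
    if not sample:
        raise ValueError("empty sample")
    mean = sum(sample) / len(sample)
    centred = [x - mean for x in sample]
    norm = math.sqrt(sum(x * x for x in centred))
    if norm == 0.0:
        raise ValueError("sample carries no distinguishing information")
    return Template(subject_id, tuple(x / norm for x in centred))


def similarity(a: Template, b: Template) -> float:
    """Cosine similarity between two templates; 1.0 means identical."""
    if len(a.features) != len(b.features):
        raise ValueError("templates have different lengths")
    return sum(x * y for x, y in zip(a.features, b.features))


MATCH_THRESHOLD = 0.95  # constructed decision threshold


def verify(probe: Template, reference: Template) -> bool:
    """1:1 verification: 'Is this person who they claim to be?'"""
    return similarity(probe, reference) >= MATCH_THRESHOLD


def identify(probe: Template, gallery: List[Template]) -> Optional[str]:
    """1:N identification: 'Who is this person?'

    Returns the best-scoring enrolled subject at or above the threshold, or
    None when nobody in the gallery matches.
    """
    best_id, best_score = None, MATCH_THRESHOLD
    for reference in gallery:
        score = similarity(probe, reference)
        if score >= best_score:
            best_id, best_score = reference.subject_id, score
    return best_id


def door_sensor_event(sample: Sample, gallery: List[Template]) -> Dict[str, object]:
    """One access attempt at the door. A template is always generated and
    compared against every enrolled template, so biometric data is processed
    for the purpose of unique identification whether or not a match is found."""
    probe = extract_template("probe", sample)
    return {
        "template_generated": True,
        "comparisons": len(gallery),
        "matched": identify(probe, gallery),
    }


# Constructed enrolment samples for two authorised staff members.
ALICE_SAMPLE: Sample = [0.9, 0.1, 0.4, 0.7, 0.2]
BOB_SAMPLE: Sample = [0.2, 0.8, 0.3, 0.1, 0.9]
GALLERY = [extract_template("alice", ALICE_SAMPLE), extract_template("bob", BOB_SAMPLE)]

# Constructed later captures: a noisy re-read of Alice's finger, and a visitor
# who was never enrolled.
ALICE_PROBE: Sample = [0.88, 0.12, 0.41, 0.68, 0.21]
VISITOR_PROBE: Sample = [0.5, 0.5, 0.5, 0.2, 0.5]

if __name__ == "__main__":
    print(door_sensor_event(ALICE_PROBE, GALLERY))    # matched: 'alice'
    print(door_sensor_event(VISITOR_PROBE, GALLERY))  # matched: None
```

The visitor's attempt returns `matched: None`, yet the event record still shows a template generated and two comparisons performed, which is the point the guidance makes about unsuccessful matches. The gallery holds only templates, not the raw samples; keeping it that way limits what an attacker gains from a compromised template store, though templates remain special category biometric data in their own right.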