At a glance
- Biometric data is a form of personal information. This means that you must carefully consider people’s rights.
- Your choice of lawful basis will determine whether some rights apply in your circumstances.
- You must understand how people’s rights apply to your processing of biometric data and have processes in place to recognise and respond to requests.
- There are strict limits to using biometric data to make solely automated decisions about people.
- What is the right of access?
- What is the right to rectification?
- What is the right to erasure?
- What is the right to data portability?
- What is the right to object?
- Can we use a biometric recognition system to make automated decisions about someone?
This section provides further context to help you decide what rights may be in scope, and what relevant factors you should consider. This section does not describe the right to be informed in further detail, as this is addressed in How do we ensure our processing of biometric data is transparent?.
The right of access is a cornerstone right of data protection as it allows people to see what information you collect and share about them.
When you respond to a subject access request, you must confirm to the person whether you are processing their personal information and why (unless an exemption applies).
You must also provide them with other information about the processing. For example:
- your purpose for processing;
- the categories of personal information you are processing; and
- the recipients or categories of recipients you intend to disclose, or have already disclosed, the personal information to.
If your processing involves any automated decision-making, then you must make this clear and provide information about the logic involved and the envisaged consequences for people of the decision.
The right of access also entitles the requester to a copy of their personal information. When you use biometric recognition systems, this includes personal information, such as a biometric sample, as well as any biometric data, such as a biometric template.
You should be clear about:
- what is in scope of any subject access request; and
- whether any copy you provide includes the personal information of people other than the requester.
For example, an audio recording may include personal information of several people. In contrast, a biometric sample used to create a template just includes the voice of the person being enrolled onto the system.
At the same time, there may be some practical issues in providing someone with a copy of their biometric data.
This is because biometric data is likely to consist of complex mathematical outputs in a specific (and often proprietary) machine-readable format. Biometric data in this form is not ‘readable’ by people, and by design may not even be readable by other biometric recognition systems.
The format of biometric data may also mean it is not possible to provide the information in other forms (ie hard copy, or even a commonly used electronic form).
Responding to subject access requests does not require you to translate or decipher information in its entirety. However, you must give enough information to aid the requester’s understanding (ie if records include specific technical language or acronyms).
Therefore, where there are practical considerations which prevent you providing a copy of someone’s biometric data, you should provide additional explanations to help them understand:
- your justification for being unable to provide a copy of personal information in scope, and a summary of the specific practical issues;
- what the information consists of; and
- how you hold it.
If you are using a biometric recognition system to identify persons of interest (ie through comparison against a watchlist), then you must be transparent about this in your response, unless you can justify using one of the exemptions from the right of access.
The right to rectification provides the ability for anyone to rectify or complete any incorrect or incomplete personal information about them.
Rectification requests may result from a subject access request.
If you receive a rectification request, you must satisfy yourself about whether the information you hold is accurate and consider what steps you have taken to assure yourself of this.
For biometric recognition systems, you should remember that a match suggested by a system is not subject to a rectification request. This is because a suggested match is a statistically-informed estimate and not accurate as to a matter of fact.
However, a mislabelled record or a further decision or opinion you take based on a suggested match might be subject to this right.
A biometric reference may also be subject to this right if it no longer accurately represents a person’s biometric characteristics.
If you are using watchlists, then the right to rectification applies if the information you hold is inaccurate or incomplete. You must also inform any recipients of the watchlist about any rectifications you’ve made, unless this is impossible or involves disproportionate effort.
You should also say who those recipients of the watchlist are, if you’re asked.
You may receive requests to erase the biometric data you hold. The right to erasure is not absolute, so you must understand how the right applies in your circumstances.
If you are relying on consent to process biometric data, then people can withdraw consent at any time. If someone withdraws consent, then they can also make an erasure request. You must comply with this request without delay unless you have another purpose under another lawful basis to continue to hold the biometric data.
If you intend to retain biometric data for another purpose, then you must make this clear at the time you originally seek consent and include details of this other purpose in your transparency information.
If you are not relying on consent, then there are other reasons that people can make an erasure request. In summary, these will depend on your circumstances for processing biometric data, and whether your continued use of that information can be considered necessary.
One of these grounds depends on exercising another qualified right, the right to object, which is discussed later in this section.
If you’ve received an erasure request and no exemption applies, then you must take steps to delete the biometric data you hold – including in any backup systems.
The right to data portability applies to any personal information someone provides to you where:
- your lawful basis for processing is either consent or contract; and
- you are carrying out the processing by automated means.
People have the right to receive this personal information. They can also ask you to transmit it to another organisation, and you must do this if it is technically feasible.
The right doesn’t apply to personal information that you create based on what someone’s provided to you.
This means the right doesn’t apply to biometric templates. This is because a template is something you’ve derived from a person’s characteristics. It’s still personal information, and therefore other rights apply. For example, the right of access.
You must tell people what rights they have when you collect their personal information. These rights differ depending on your lawful basis for processing, so you must make sure that what you tell people reflects this.
If someone makes a request for their biometric data under the right to data portability, you must explain why you’re not going to act in response to the request (eg because the right doesn’t apply).
You must also clarify with the requester that biometric data falls under the right of access. See What is the right of access? for further information.
Provided you are not using personal information for direct marketing, the right to object only applies if you are:
- processing biometric data under the public task or legitimate interest lawful bases; and
- not able to override the request by demonstrating a compelling reason that requires you to continue processing the biometric data.
If someone exercises their right to object and you don’t have a strong reason to refuse their request, then you must also consider whether you are required to erase their personal information.
People have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
Many uses of biometric recognition systems involve making solely automated-decisions about people. Depending on the specifics of your deployment, these decisions may have legal or similarly significant effects on those people (eg denial of a service).
Data protection law restricts the circumstances in which you can make solely automated-decisions with these kinds of effects. These include specifying the:
- conditions you can rely on; and
- safeguards you must have in place (eg the ability for a human review of any decision where required).
To determine whether your biometric recognition system makes these kinds of decisions, you should ask the following questions:
- What decisions do you intend the system to make?
- Who (or what) determines these decisions?
- Is the decision solely-automated, or is there any meaningful human involvement in making the decision?
- What are the potential impacts of the decisions on someone? Do the decisions affect people’s legal rights or have a similarly significant effect on their circumstances or choices?
If you are using biometric recognition systems to make these decisions about people, you are making these decisions using special category information. This means that you must not carry out this processing unless:
- you have the person’s explicit consent; or
- the processing is necessary for reasons of substantial public interest.