The ICO exists to empower you through information.

At a glance

  • You must apply appropriate security measures when you use biometric data.
  • You should consider how privacy enhancing technologies (PETs) can help you meet your data protection requirements.
  • You must only store information for as long as you need it.
  • Your choice of provider can help you to demonstrate compliance with your data protection obligations.

In detail

What are appropriate security measures for biometric data?

The security principle is about ensuring the personal information you hold isn’t accidentally or deliberately compromised.

You must process biometric data in a way that ensures appropriate security and protection against unauthorised or unlawful processing (amongst other things).

This means you must apply appropriate security measures when you use biometric data. This includes both technical and organisational measures.

You should determine what these measures are by carrying out a risk analysis that considers:

  • the circumstances of your processing and the likely security threats you may face;
  • the damage or distress that may be caused if the biometric data is compromised; and
  • what forms of attack your system might be vulnerable to.

“Appropriate” is a higher bar here than for personal information more generally. This is due to the sensitive nature of biometric data and the risks associated with it falling into the wrong hands.

You must also conduct regular testing and reviews of your security measures to ensure they remain effective. Other examples of organisational security measures include having information security policies in place and ensuring key personnel in your organisation co-ordinate with each other.

You must also appropriately encrypt any biometric data that you use. This is an example of a technical security measure. There are many dimensions to security outside of cybersecurity that you must consider. For example, physical security measures, such as how you control access to your premises.

If you are using a processor, you must choose a processor that offers sufficient guarantees to implement appropriate technical and organisational measures.

If you are a processor, you must assess system vulnerabilities systematically and regularly and act on any findings in a timely way to ensure biometric data remains secure. You should also be able to respond to any identified threats quickly, to minimise the impact of any attacks.

Further reading

Can PETs help us comply with our data protection obligations?

Yes. You should consider using biometric recognition systems that employ PETs, as these can help you demonstrate compliance with the security principle.

But you must still:

  • have appropriate organisational measures in place to keep information secure, such as regular testing; and
  • review your security measures to ensure they remain effective.

PETs can help you meet other data protection obligations too, like the requirements around data protection by design and by default. For example, PETs that limit the amount of personal information you process can help you demonstrate compliance with the data minimisation principle.

Techniques that seek to minimise privacy risks in biometric recognition systems are sometimes called ‘biometric privacy enhancing technologies’, or B-PETs.

Biometric data may be impossible to anonymise completely. By definition, it must be capable of identifying someone. The general approach of all B-PETs is to strike a balance between:

  • minimising the risks associated with unauthorised access to biometric data (ie the risk that an unauthorised party can identify someone); and
  • ensuring the biometric data is as accurate as possible (so an authorised party can reliably identify an individual).

Not all B-PETs can be used in all use cases for biometric recognition. You should carefully consider which PETs are appropriate to use in your context.

Further reading

  • Reference table – Our guidance on privacy-enhancing technologies (PETs) includes a non-exhaustive list of PETs and their potential use-case applications.

Biometric template protection

You should choose a provider that protects biometric templates appropriately.

The ISO/IEC 24745 standard on biometric information protection outlines several important characteristics for biometric templates. These include:

  • Irreversibility: biometric templates are difficult to reverse engineer to gain information about the someone’s appearance.
  • Unlinkability: biometric templates cannot easily be attributed to the person they relate to, meaning they cannot easily be used to link between different databases based on a person’s biometric data, or used in different biometric recognition systems.
  • Revocability and renewability: biometric templates can be revoked or cancelled and replaced with a new template without needing to take a new biometric sample.

These characteristics help to mitigate the risks associated with unauthorised access to biometric data.

If your use case involves storing biometric templates, you could ask your provider whether their system produces templates that have these characteristics.

The first two characteristics mean that if someone gains unauthorised access to a person’s biometric data, it is difficult to fraudulently use that information on its own.

Revocability and renewability mean that a single biometric sample can be used to create multiple different templates. This means that if a single biometric template is compromised, it can be revoked, and a new template created which differs from the compromised version. This approach can also mean that all templates in a database can be renewed using the revised method without requiring everyone to re-enrol.  

However, the effectiveness of this approach relies on the swift detection of any data breach in the first place, underscoring the importance of having appropriate security measures in place.

There are several techniques that can help to achieve these characteristics, some of which can be used in combination with others to provide greater protection. These include:

  • biometric cryptosystems;
  • cancellable biometrics; and
  • homomorphic encryption

All these systems work on the principle that the comparison process in biometric recognition should not use unprotected biometric data directly, as this could result in sensitive personal information being exposed. Instead, comparison happens based on a transformed or encrypted version of the biometric data.

Like any form of encryption, the effectiveness of this approach relies on the management of the keys used.

You should ensure that it would be difficult for an unauthorised party to undo this protection in the event of a data breach through effective key management approaches.

Further reading

Personal information in biometric samples and templates

Biometric recognition systems do not only use biometric data. They can also capture other types of personal information, which could be used to infer several things about someone. These could include characteristics such as age, gender and hair colour.

Some B-PETs look to minimise or protect the amount of personal information in biometric samples and templates. In the case of samples, these techniques look to reduce a person’s ability to recognise someone, for example, by distorting specific features of a person’s face. In the case of templates, these techniques look to reduce the machine-readability of this information.

These approaches also align with the data minimisation and storage limitation principles. They can also help with the purpose limitation principle, as they can reduce the utility of this information for other purposes (such as profiling) by removing personal information about certain characteristics.

On-device verification

On-device verification is a technique that can reduce the amount of biometric data created and shared compared with other systems that verify people’s identities remotely.

By configuring your systems and devices to perform on-device verification, your users only need to create and store a single biometric template. This happens entirely on the device, and no biometric data leaves it – only a token or proof of the verification. This means they can access a range of applications and services easily and securely.

Whether on-device verification is appropriate depends on your circumstances. You should consider the different benefits and risks involved.

For example, it reduces the potential impact of a large data breach when compared to on-server storage of biometric data. This is because the biometric data isn’t all stored in one place, which can reduce the risks of harm that may arise from a data breach.

However, it may also mean that you are less likely to have control over how the biometric data is processed, because you do not have access to the biometric recognition system itself. In turn, this may make it more difficult for you to identify security threats and ensure your processing complies with the security principle.

How can we comply with the data minimisation and storage limitation principles?

You must comply with both the data minimisation and storage limitation principles when processing biometric data. The less information you collect, store and retain, the less information you need to protect.

Data minimisation means you must limit the amount of biometric and other personal information that you process to the minimum that is adequate, relevant and necessary for your purpose.

B-PETs that minimise the amount of personal information you collect help you to comply with the data minimisation principle.

The storage limitation principle means you must only keep biometric (and other personal) information for as long as it is necessary for your purposes.

You must consider storage limitation throughout the lifecycle of personal information as it passes through a biometric recognition system. You must have processes in place to regularly review your database of biometric references to ensure you delete any data that you no longer need.

You must have clear retention periods which means you only keep this information in an identifiable form for as long as is necessary. This demonstrates compliance with the storage limitation principle and will have benefits to your organisation.

An example of a way to comply with the storage minimisation principle is to use biometric recognition systems that transiently process biometric probes and immediately delete them as soon as any comparison fails to meet the acceptance threshold.

Should we retain biometric samples?

Renewability of biometric templates relies on retaining the original biometric sample. This allows you to create new templates without creating a new sample.

To comply with the data minimisation and storage limitation principles, you must consider whether you need to keep the original biometric sample. If you do, you should ensure that you appropriately restrict access to the retained sample and template and deploy further measures like PETs.