The ICO exists to empower you through information.

How do we process biometric data lawfully?

Share Download options

Pages

Format

At a glance

  • Biometric data is personal information. You must comply with data protection law when you process it.
  • Explicit consent is likely to be the most appropriate condition available to you to process special category biometric data.
  • Other conditions may apply, but these depend on the specifics of your proposal and your justification for using special category biometric data.
  • If you can’t identify a valid condition, you must not use special category biometric data.
  • If you can identify a valid condition, you must still comply with the data protection principles for your processing to be lawful.

In detail

How do we determine our lawful basis and special category condition?

If you are using a biometric recognition system, you must identify a lawful basis and a separate condition for processing special category biometric data.

Lawful bases

There are six lawful bases for processing personal information. These are:

  • consent;
  • contract;
  • legal obligation;
  • vital interests;
  • public task; and
  • legitimate interests.

No one basis is ‘better’ or more important than the others. The most appropriate depends on your purpose and relationship with those whose information you are processing.

You must determine your lawful basis before you begin processing. Take care to get it right first time – you should not swap your lawful basis without good reason.

You must always choose the lawful basis that most closely reflects the true nature of your relationship with people and the purpose of the processing.

Special category conditions

You must not use special category information without a valid condition for processing it.

There are 10 conditions for processing special category data in total in Article 9 of the UK GDPR. Further requirements for meeting certain Article 9 conditions are provided in the DPA 2018 Schedule 1.

The conditions are deliberately stringent due to potential risks to people’s rights associated with processing special category information.

Not all lawful bases have an equivalent condition. There is no requirement for your chosen lawful basis and condition to ‘match’.

All of the conditions require you to have a specific purpose for processing. Many of the Article 9 conditions for processing require you to demonstrate that the processing is necessary to achieve its specific purpose.

You should carefully consider which conditions for processing special category information are valid in your circumstances. This depends on your purpose and, in some cases, who you are.

Depending on the condition you choose, you may also have to justify why consent is not valid or appropriate in your circumstances.

Whatever condition you consider, you must meet all its requirements. If you are unsure, you should seek independent legal advice.

This diagram in our AI guidance can help you to think through what condition might be appropriate for you when processing special category biometric data.

Further reading

Can we use consent and explicit consent?

When using biometric recognition systems, you must identify both a lawful basis and a separate condition for processing special category biometric data.

In many cases, explicit consent is likely to be the most appropriate condition. This is because there is no specific special category condition for identification or verification that can apply to the various circumstances in which you may want to process special category biometric data.

There will be circumstances where consent will not be appropriate, for example when using biometric recognition systems for systematic monitoring of public spaces, or where the requirements of consent can not be met.

However, in these circumstances it may be possible to satisfy a different special category condition. See What other special category conditions might apply? for further information.

When using explicit consent as a special category condition, you may also use consent as your lawful basis for convenience, although there is no requirement to do so.

Consent

You must ensure that the consent is ‘specific and informed’ to be valid. This means that you must give people all the information they need to understand what they are agreeing to. This requires you to clearly set this information apart from other terms and conditions and legal information.

You must ensure that consent is also ‘freely given’. This means that you must give people genuine choice and control about how you use their information. For example:

  • You must give them the opportunity to refuse or easily withdraw their consent at any time without detriment.
  • You must also offer a suitable alternative to people who choose not to consent. Otherwise, people do not have a real choice.
  • Where there is an imbalance of power between you and the person, you should carefully consider whether relying on consent is appropriate.
  • You must offer a suitable alternative, regardless of whether a power imbalance exists, if you are relying on consent.

This is particularly an issue for public authorities and employers. This is because anyone who depends on your services, or fears adverse consequences if they refuse, may feel they have no choice but to agree. This means people may not freely give their consent. This does not mean that public authorities and employers can never rely on consent. They do need to carefully consider the specific scenario to confirm that they can offer a genuine choice without detriment (eg deciding whether to use a PIN or password; or biometric recognition on a work device).

You must also make sure that the consent you receive is specific to your purpose for processing. It may last longer than a single processing operation. There is no set time limit for how long consent is valid for, this depends on the context.

If the processing operation or purposes change, then you must seek fresh consent.

If you are systematically monitoring a public space, it is highly unlikely that consent is appropriate.  For example, you must not assume that someone walking into the field of view of a recognition system has given their consent. This is because consent must be informed, freely given, specific and unambiguous.

Explicit consent

You must make sure that the explicit consent is affirmed in a clear statement. A clear statement is not the same as a clear affirmative action. You can’t infer explicit consent by what someone does – only by what they say (explicit statement).

This agreement can be given in writing or orally and doesn’t require someone to say or write a consent statement in their own words. You could provide a statement (an express statement of consent) that they can clearly indicate their agreement to.

You must make your statement as clear as possible. This reduces any possibility of later complaints that any consent you received was not ‘explicit.’

Example

A gym chain plans to change their swipe card access control system to one that uses facial recognition technology. The gym wants to do this to enhance the customer experience by making it easier and quicker for people to access their facilities.

The new system will use biometric recognition to process their customers’ biometric data for the purpose of uniquely identifying them. The gym must identify a valid condition for processing this special category information.

Given its intended objective, the gym can only rely on explicit consent for the processing, as no other conditions in Article 9 apply.

To ensure the consent it obtains is valid, the gym provides its customers with all the information that it is required to (eg why they are processing their information and their right to withdraw consent at any time). It asks its customers to indicate their agreement by completing a clear and specific written statement of consent about the processing. It also gives customers the option to enter a unique PIN code if they don’t want their biometric data processed.

The gym documents this in its DPIA, describing the non-biometric option as an alternative offered to customers, if they prefer not to have their biometric data used. The DPIA also details their wider compliance with data protection law, and how they have taken a data protection by design approach to the planning and roll-out of the new system.

 

Further reading

What other lawful bases might apply?

If you cannot offer people a genuine choice over how you use their biometric data, then you must identity a valid lawful basis from the remaining five (contract, compliance with a legal obligation, vital interests, public task, and legitimate interests).

To rely on any lawful basis other than consent, you must demonstrate that processing biometric data is “necessary” to achieve your overall purpose.

Necessity does not mean that processing of personal information has to be absolutely essential in order for a lawful basis to be valid.

However, necessity does mean more than just useful or desirable. You cannot argue that processing is necessary just because you have chosen to operate your business in a certain way.

“Necessary” means that you must not rely on these lawful bases to process data unless your processing is a targeted and proportionate way of achieving your purpose.

To help you consider whether your processing would be necessary, you should:

  • describe the purpose and the benefit you expect to get from the processing of biometric data;
  • describe the wider benefits of processing this information to achieve your purpose, including to any third parties, the person themselves, and wider society;
  • describe how you will achieve your purpose by processing this personal information; and
  • consider the full data lifecycle, and how you have considered data minimisation and storage principles considering your necessary purpose.

You must also establish whether your proposed processing is a proportionate way to achieve your purpose when you consider necessity. If you could achieve your purpose in a less intrusive way, or by processing less information, then you cannot argue that your proposal is necessary.

If processing biometric data is not necessary for achieving your purpose and you are unable to rely on consent, you must not process biometric data.

To consider proportionality, you should do the following:

  • Identify the risks and assess the impact the processing has on people.
  • Balance the potential impact this processing may have on people against your purpose.
  • Be clear about the known or expected false acceptance and rejection rates for the system you intend to use. Assess these against the benefits you are looking to get (ie reduced cost, reduced friction, increased speed). Will people experience any of these benefits?
  • Are there any groups who will be unable to use this technology, or for whom the results are likely to be less accurate? If so, what are the real-world implications for people? Will your proposal reinforce or exacerbate existing exclusion or risks of harm felt by specific groups?
  • Are there any wider ethical concerns with the processing?
  • Describe any potential alternatives to your proposal, and why you have not chosen them.
  • Consider any other relevant considerations in choosing this way to achieve your purpose.
  • Demonstrate how your processing is sufficiently targeted to meet your objective. For example, a biometric recognition system for access control may be justified for sensitive areas, but not for access to the building.

If you are relying on legitimate interests as your lawful basis, then you are taking on extra responsibility for considering and protecting people’s rights. This means you must balance your interests against those of the people whose information you are processing.

If they would not reasonably expect the processing, or if it would cause unjustified harm, then their interests are likely to override yours, and this lawful basis won’t apply.

This balancing test builds on the necessity considerations described above. The test considers the kind of information you plan to use, the context you will use it in, and the possible impact your use will have.

One possible safeguard to consider in any balancing test is whether you can offer people a choice to opt-out from their information being used in this way.

Further reading

  • Lawful basis for processing provides more information on how to decide which lawful basis may apply to your proposal and what you need to consider when demonstrating how your chosen basis applies.
  • Our legitimate interest template helps you to decide whether the legitimate interests basis is likely to apply to your processing.

What other special category conditions might apply?

If explicit consent is not an appropriate condition for processing special category information, other Article 9 conditions may still be appropriate.

We outline below two of the most likely conditions which you could rely on when processing special category biometric data if you are not relying on explicit consent. Again, whether these conditions are appropriate depends on your purpose and, in some cases, who you are.

Substantial public interest

If your processing is not authorised by law or does not have a basis in UK law and if explicit consent is not an appropriate condition, your only alternative is likely to be substantial public interest.

All of the substantial public interest conditions are set out in paragraphs 6 to 28 of Schedule 1 of the DPA 2018. These give you the basis in UK law to rely on the substantial public interest condition.

The public interest covers a wide range of values and principles about the public good, or what is in the best interests of society. For some of the conditions, the substantial public interest element is built in. For others, you need to be able to demonstrate that your specific processing is “necessary for reasons of substantial public interest”, on a case-by-case basis.

If you rely on a condition that requires you to demonstrate that your processing is necessary for reasons of substantial public interest, you must make sure the “public interest” is real and of substance. It is not enough for you to make a vague or generic public interest argument to support your purpose. You must make a specific argument about the concrete wider benefits of your processing. This is due to the sensitive nature of processing biometric data to uniquely identify people.

The substantial public interest conditions vary in terms of whether they require you to:

  • demonstrate that your specific processing is “necessary for reasons of substantial public interest” on a case-by-case basis (for some conditions, this is assumed);
  • justify why explicit consent is not appropriate; and
  • have an appropriate policy document in place.

Some of these conditions may be applicable to your reasons for processing special category biometric data.

Further reading

Prevention or detection of unlawful acts

One of the substantial public interest conditions is the prevention and detection of unlawful acts.

This condition applies if:

  • you can demonstrate that it is necessary to use special category biometric data for crime prevention or detection purposes; and
  • asking for people’s consent means you wouldn’t achieve those purposes.

This condition requires you to demonstrate that your processing is necessary for reasons of substantial public interest. This means you must be able to show that using special category biometric data is “necessary” both for the prevention and detection of crime and for reasons of substantial public interest. You must include an explanation of how the processing is likely to be effective in preventing or detecting the illegal act.

To satisfy this condition, you must demonstrate you are using biometric data in a targeted and proportionate way to deliver the specific purposes set out in the condition. Also, that you cannot achieve them in a less intrusive way.

You must also have an appropriate policy document in place at the time your processing starts.

If you are processing special category biometric data to detect or prevent a crime, it is likely that you are also processing criminal offence information.

Criminal offence information refers to ‘personal data relating to criminal convictions and offences or related security measures’. This covers information about offenders or suspected offenders in the context of criminal activity, allegations, investigations and proceedings. It includes suspicions of criminal activity and evidence relating to them.

To process criminal offence information, you must identify a lawful basis under Article 6. You must also identify a condition in Schedule 1 of the DPA, or be processing under the control of official authority.

You must be clear about why you need criminal offence information. You can then identify the most relevant condition.

In most cases, if you have already identified your Article 9 condition for processing special category data, this may also justify the processing of criminal offence data.

Further reading

Research

This condition for processing special category information applies if you intend to use special category biometric data for one of the research purposes.

You must be able to show that using special category biometric data is “necessary” for the research purpose. This means that your use of special category biometric data is a reasonable and proportionate way to achieve your purpose.

To rely on this condition, you must also comply with further safeguards, including demonstrating that your use of special category biometric data is:

  • not likely to cause someone substantial damage or substantial distress; and
  • in the public interest.

Example

A company uses a dataset of biometric samples to assess and address the bias in its facial recognition system. The dataset is diverse in terms of ages and genders.

It uses some of the dataset to train the model so that it learns from a diverse range of inputs.

It uses the remaining information to test the performance of the model and confirm comparable statistical accuracy for all ages and genders. This will help in avoiding potential discriminatory effects when the company launches the system.

 

Further reading

What if we don’t have explicit consent and no other condition applies?

If you cannot gain explicit consent, and no other condition is appropriate, then you are infringing data protection law if you process special category biometric data. This is because your processing is unlawful.

The first data protection principle requires any processing of personal information to be fair, lawful and transparent.

If you cannot identify a valid condition, then you won’t be able to comply with this principle. You must therefore consider other options to achieve your purpose and must not use a biometric recognition system.