At a glance
- Personal information relates to an identified or identifiable person.
- If you can identify someone from the information directly or indirectly, then it is personal information.
- Biometric data is a type of personal information.
- Personal information must meet specific requirements to be biometric data. These relate to qualities of the information itself, not how you use it.
- If you use biometric data for unique identification, it is special category biometric data.
This guidance refers to the following data protection concepts. An understanding of these will help you to get the most out of this guidance.
What is personal information?
Personal information relates to an identified or identifiable person.
It is known as “personal data” in the UK GDPR and is defined in Article 4(1) as:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
If you cannot directly identify someone from information you hold, it may still be possible to indirectly identify them. You must consider the information you are using, together with all the means you, or anyone else, is reasonably likely to use to identify that person.
Information that is not personal information (ie it does not relate to an identifiable person) is outside the scope of data protection law.
Personal information does not include information:
- about the deceased; or
- that has been anonymised appropriately.
What is biometric data?
Biometric data is a type of personal information. Article 4(14) of the UK GDPR defines biometric data as:
“personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic [fingerprint] data.”
This means that personal information is only biometric data if it:
- relates to someone’s physical, physiological or behavioural characteristics (eg the way someone types, a person’s voice, fingerprints, or face);
- has been processed using specific technologies (eg an audio recording of someone talking is analysed with specific software to detect qualities like tone, pitch, accents and inflections); and
- can uniquely identify (recognise) the person it relates to.
See “Do biometric systems use biometric data?” for more information.
If you are using information that does not meet these criteria, you must still determine if you are processing personal information.
What is special category biometric data?
Article 9 of the UK GDPR singles out some types of personal information as more sensitive and gives them extra protection.
These include biometric data when used for the purpose of uniquely identifying someone. In this guidance, we use the term “special category biometric data” to refer to this.
Not all biometric data is automatically special category biometric data. It only becomes this if you use it to uniquely identify someone.
Your purpose for processing biometric data is therefore important. It defines whether you’re processing special category biometric data.
See “Do biometric recognition systems use special category biometric data?” for more information.
You must only process special category information if you can identify a valid condition for processing it.
See “How do we process biometric data lawfully?” for more information.
What about other special category information?
Not all biometric data is “special category biometric data”. This only applies if you use it, or intend to use it, to uniquely identify someone. However, even if this is not your purpose, the biometric data you process may still be considered another type of special category information. For example, you could use biometric data to infer someone’s racial or ethnic origin or consider it as health data.
Whether you consider this to be special category information depends on whether you intend to infer this information from the biometric data.
Are we processing personal information if we delete it quickly?
Processing means taking any action with someone’s personal information. This includes collecting, storing and deleting personal information. It is still processing if you only briefly create, collect or store information (sometimes known as transient processing).
In many cases, technologies using biometric data process it transiently. This information may only exist for a fraction of a second. Data protection requirements still apply to you, regardless of how quickly you may delete it.
Transient processing can help you adopt a data protection by design approach by demonstrating compliance with data protection principles, such as data minimisation, storage limitation and security.