ICO could help solidify understandings of biometric data

The Information Commissioner’s Office (ICO) has released draft guidance on biometric data and biometric technologies.

The first phase of this guidance (draft biometric data guidance) is now published and available for public consultation until 20th October 2023. The ICO has stated that it has been listening to views on biometrics to inform its work, including working with a British Youth Forum and Citizens’ Biometrics Council. 

The draft biometric data guidance explains how data protection law applies when you use biometric data in biometric recognition systems. During a time of increased cyberattacks, this guidance offers an introspective look into how biometrics can be considered in the near future.

The importance of clear guidance on new cybersecurity measures

Use of biometrics is continuing to rise, with identity verification software increasingly using AI systems to help keep customers and data safe and secure. Biometric technology has become increasingly popular in recent years, especially with the arrival of two-factor authentication for online banking. It also offers greater reassurance to providers that a person is real by verifying a real-world human trait.

Miriam Everett, Partner and Global Head of Data and Privacy at Herbert Smith Freehills, told Cyber Magazine: “Given the significant amount of focus on AI solutions at the moment, it is perhaps not surprising that the ICO has chosen now as the right time to produce draft guidance for consultation. Although quite how and the extent to which this guidance interacts with other AI-related guidance and statements remains unclear.”

The global biometric market’s revenue reached US$43bn in 2022 and is expected to reach US$83bn by 2027.

The ICO highlights how the use of biometric recognition systems are expected to grow significantly over the coming decade. In particular, it cites sectors such as banking, finance, education, entertainment and retail as expanding use of these technologies.

Reasons for this include greater accessibility of facial recognition tools as a cost-effective way of authenticating, as well as the ease of rapidly analysing biometric data with developments in AI and machine learning.

In addition, the ICO states that biometric recognition systems can be used to identify someone from others, as well as for access control verification. In these scenarios, biometric recognition systems replace a password (something you know) or a swipe card (something you have) with biometric data (something you are).

So far, the guidance published for consultation surmises possible information and instructions to how to use biometrics in a safe and responsible way. It states that users must comply with data protection law when using biometric data, as it is a type of personal data.

Challenges still remain

However, despite the benefits of enhanced security and efficiency, the use of biometric technologies for identification can, according to the ICO, pose risks to the rights of individuals with potential harm being caused, like discrimination and loss of control of personal data.

Everett continues: “Perhaps less helpful is the lack of actual practical guidance in parts. For example, the draft guidance talks about explicit consent being likely to be the only valid condition for processing special category biometric data. It also contemplates an imbalance of power between the controller and the data subject (e.g. in an employment context) which might mean that consent is neither appropriate nor achievable. 

“But the draft guidance offers no practical solution for how employers could therefore implement biometric recognition systems in a compliant manner. Is the guidance saying that employers can never implement these types of solutions? The guidance poses the problem but doesn't offer solutions.

“In a similar way, the draft guidance confirms that organisations need to have appropriate security in place (nothing new there) but offers no real practical guidance as to what that could or should look like, other than confirming encryption of biometric data as a requirement rather than a recommendation.

“Perhaps most useful for industry in this particular context will be the section of the draft guidance focussed on biometric recognition and applying that industry term to data protection law and principles.”

******

For more insights into the world of Cyber - check out the latest edition of Cyber Magazine and be sure to follow us on LinkedIn & Twitter.

Other magazines that may be of interest - Technology Magazine | AI Magazine.

Please also check out our upcoming event - Cloud and 5G LIVE on October 11 and 12 2023.

******

BizClik is a global provider of B2B digital media platforms that cover Executive Communities for CEOs, CFOs, CMOs, Sustainability leaders, Procurement & Supply Chain leaders, Technology & AI leaders, Cyber leaders, FinTech & InsurTech leaders as well as covering industries such as Manufacturing, Mining, Energy, EV, Construction, Healthcare and Food.

BizClik – based in London, Dubai, and New York – offers services such as content creation, advertising & sponsorship solutions, webinars & events.