The Information Commissioner’s Office (ICO) has released the initial segment of its guidance on biometric data and the use of biometric technologies, which follows a consultation that took place in 2023.
This guidance is mainly intended for entities that currently utilise or are contemplating the implementation of biometric recognition systems. It is equally relevant for those supplying these systems, which may include sellers and creators. As such, it is applicable to data controllers, data processors and relevant external parties.
The guidance examines how biometric data is defined under UK GDPR and delves into the application of biometric recognition, outlining the processing of special category biometric data involved.
Topics addressed in the guidance include:
- the nature of biometric data;
- circumstances under which it qualifies as special category data;
- its application within biometric recognition systems; and
- the data protection obligations that must be met.
The use of biometric data in the financial sector holds promise but has sparked debate due to concerns about its impact on data protection rights and individual freedoms. There is also worry about potential harm from errors or security incidents, which may not be as easily remedied as, say, changing a password.
In the previous year, the ICO issued guidance on employee surveillance, urging companies to carefully weigh their legal responsibilities against their employees’ privacy rights before adopting any monitoring practices.
The ICO’s release of new guidelines is particularly timely, following a series of enforcement actions related to the use of biometric data for employee monitoring. Notably, the ICO found that a leisure company unlawfully processed the biometric data of more than 2,000 employees at 38 UK sites, without offering alternatives to fingerprint scanning and without adequately justifying the need for such data collection over less invasive methods like ID cards or fobs.
Companies that use or are thinking about using biometric data should carefully assess:
- the possibility of less intrusive alternatives to achieve their goals;
- the need for enhanced security measures in the handling and storage of biometric data; and
- the necessity and proportionality of using biometric data for access control relative to its intended use.
Please do reach out to our PRM team if you have any questions or would like support in reviewing your data protection policies.