The Information Commissioner’s Office (ICO) has published the finalised version of its guidance on the use of biometric data.
It says the guidance has been put together to explain data protection law applies in the use of data and recognition systems, and is primarily aimed at organisations that use or are considering using them.
The document sets out the key data protection concepts of what is personal information, biometric data and special category biometric data, with information on special category information and if personal information is being processed when it is deleted quickly.
Compliance and good practice
It then provides details on biometric recognition, followed by a series of processes for legislative compliance and good practice. These cover: demonstrating compliance with data protection obligations; processing biometric data lawfully and fairly; how the accuracy principle applies to the data; how to ensure the processing is transparent; how to consider rights requests for the data; and how to keep it secure.
The guidance does not apply to using the data for law enforcement purposes or by the security services.
The publication follows a consultation on a draft version that began in August of last year.
The ICO published the document on the day it issued an enforcement notice to Serco Leisure to stop using facial recognition and fingerprint matching to monitor its employees in some local authority services.