Data watchdog the Information Commissioner’s Office (ICO) has published the first draft of its guidance on the use of biometric information and technologies. This follows the resignation of the biometrics and surveillance camera commissioner Professor Fraser Sampson.
The long-awaited guidance comes as part of a wider redrawing of the UKs regulatory landscape, including placing more of the data burden on the ICO. This is the first of two phases of the guidance and covers the general use of biometrics.
A consultation on the guidance will run until October this year and the second phase, which will cover biometric classification and data protection will begin early next year with a call for evidence. They are aimed at organisations that use or are considering using biometric recognition systems, as well as vendors and data controllers.
Guidance issued by the ICO are expected to come in alongside the data protection bill but also make reference to existing UK GDPR legislation. It doesn’t cover use of biometrics by law enforcement or the security services but some of the principles will be relevant for those regimes and likely used by respective regulators.
The guidance also isn’t comprehensive. “Where this guidance refers to principles already addressed in our guidance, we provide links to the relevant further reading,” the ICO states.
Special category biometric data
The data watchdog draws on the definition of biometric data in current UK GDPR legislation, namely that it is “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic [fingerprint] data.”
As well as obvious biometric information there are also special category biometric data. This is data used for the purpose of uniquely identifying someone. This will require extra care under the guidelines as they are likely to be more sensitive or private.
Sampson was originally appointed to the roles of commissioner of the retention and use of biometrics and the surveillance camera commissioner for two years in March 2021. This was while the government decided how to handle their functions under the new data protection bill.
In March this year it was extended until the bill could attain royal assent but this has since been pushed further and is unlikely to be in place before Spring 2024 at the earliest. “Having explored a number of alternatives with officials, I am unable to find a practical way in which I can continue to discharge the functions of these two roles beyond 1 November,” he wrote in his resignation letter to Home Secretary Suella Braverman.