View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

ICO publishes guidance on use of biometric data in the UK

There will be a consultation process on the new guidance as part of a phased approach to its introduction.

By Ryan Morrison

Data watchdog the Information Commissioner’s Office (ICO) has published the first draft of its guidance on the use of biometric information and technologies. This follows the resignation of the biometrics and surveillance camera commissioner Professor Fraser Sampson.

The new biometric guidance include cover use of personally identifiable data including voice and facial prints (Photo: Tanoy1412/Shutterstock)
The new biometric guidance include cover use of personally identifiable data including voice and facial prints. (Photo by Tanoy1412/Shutterstock)

The long-awaited guidance comes as part of a wider redrawing of the UKs regulatory landscape, including placing more of the data burden on the ICO. This is the first of two phases of the guidance and covers the general use of biometrics. 

A consultation on the guidance will run until October this year and the second phase, which will cover biometric classification and data protection will begin early next year with a call for evidence. They are aimed at organisations that use or are considering using biometric recognition systems, as well as vendors and data controllers.

Guidance issued by the ICO are expected to come in alongside the data protection bill but also make reference to existing UK GDPR legislation.  It doesn’t cover use of biometrics by law enforcement or the security services but some of the principles will be relevant for those regimes and likely used by respective regulators.

The guidance also isn’t comprehensive. “Where this guidance refers to principles already addressed in our guidance, we provide links to the relevant further reading,” the ICO states.

Special category biometric data

The data watchdog draws on the definition of biometric data in current UK GDPR legislation, namely that it is “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic [fingerprint] data.”

As well as obvious biometric information there are also special category biometric data. This is data used for the purpose of uniquely identifying someone. This will require extra care under the guidelines as they are likely to be more sensitive or private. 

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

Sampson was originally appointed to the roles of commissioner of the retention and use of biometrics and the surveillance camera commissioner for two years in March 2021. This was while the government decided how to handle their functions under the new data protection bill. 

In March this year it was extended until the bill could attain royal assent but this has since been pushed further and is unlikely to be in place before Spring 2024 at the earliest. “Having explored a number of alternatives with officials, I am unable to find a practical way in which I can continue to discharge the functions of these two roles beyond 1 November,” he wrote in his resignation letter to Home Secretary Suella Braverman.

Read more: Police CCTV guidelines set to be scrapped when data laws change

Topics in this article : ,
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.