Idency embraces latest ICO privacy guidance
Blog by Andy | Posted on Friday March 22 2024
Biometrics are a hot topic. We increasingly use biometric data to authenticate ourselves on devices such as mobile phones, tablets and laptops. It’s started to feel pretty normal in our everyday lives. We believe they are an amazing advance in security, authentication and accuracy.
Privacy remains a concern with many people. Understandably so. You’ve probably seen countless stories, articles and opinions on all kinds of media warning you of the dangers of losing privacy.
And let’s face it, every time you go to a new website you’re asked to choose to accept cookies that can track your behaviour.
It’s choice that’s the basis of a story that has been reported over the winter of 2023-24. A prominent company that runs leisure facilities in the UK has received criticism for the implemention of facial recognition systems for employee attendance. In a judgement by the ICO, they were found not to have given their staff sufficient choice in the way their information was used and thus were in breach of GDPR laws.
ICO Guidance
The ICO has updated its guidance such that employees must have choice with regard to the method used when using Time & Attendance technology. For GDPR purposes, an individual requires control over where, when and how their personal data is used, and the use of biometric data such as facial recognition and fingerprint readers requires consent.
How does facial recognition work in our Time & Attendance devices?
It is a misconception that fingerprints or 3D images of faces are taken and stored when you use biometric devices. In fact, it is a ‘template’ of random data points that are taken. These are encoded and encrypted by the the device before being stored.
From the perspective of the workflow and principles of the algorithm, the face templates are no longer data of facial feature points, but fragments or layers of facial features required by the algorithm of the device being used (see image to the right). This is stored in that device as face template data and the original image is discarded. As a result, the data stored cannot be used to reproduce the original image, nor can they be used by any other organisation. However, their use is classed as processing Special Category Data by the ICO, and this is the basis of the clarification for GDPR.
So what do I need to do to be GDPR compliant?
For correct implementation, organisations must give staff a choice of authentication when using such devices. Our advice is to make sure to offer alternatives to biometric authentication. While facial recognition devices use facial data by default, they have fallbacks such as RFID card readers and ID & PIN that can be opted for instead. Companies must also have mechanisms in place to expunge any data collected through biometric devices that is no longer required or when an individual requests it. Be sure to include clauses regarding the handling of such data in relevant Privacy Policies.
If you would like more information please see the ICO Guidance on the use of biometric recognition or get in touch to discuss options for your organisation.