Singapore: PDPC publishes a guide on the responsible use of biometric data in security applications

0

In short

In May 2022, the Personal Data Protection Commission of Singapore (PDPC) published guidance to help organizations collect, use or disclose individuals’ biometric data responsibly (“GuideWith security applications such as security cameras and closed-circuit television (CCTV) cameras becoming more commonplace, there have been more and more cases of organizations mismanaging biometric data The publication of this guidance serves as a timely reminder for organizations to review their existing measures or implement new measures to ensure that they are handling the biometric data of individuals responsibly.

More in detail

Although this guide is not legally binding on individuals and organisations, it reflects the position of the PDPC with regard to the processing of biometric data in a security context. Organizations should review and consider the best practices provided in the Guidance to ensure they are in compliance with their legal obligations under the PDPA and are not exposed to legal risk and liability.

Target audience

The Guide is intended for security applications that use personal data, as well as organizations that use such security applications. The Guide does not apply to persons who use security or biometric systems for private purposes. The guide is intended solely for the use of biometric data by organizations in security applications and does not extend to other commercial purposes.

Terminology and key processes

  • Biometric data: Biometric samples or biometric templates created by the technical processing of biometric samples.
  • Biometric samples: Data relating to the physiological, biological or behavioral characteristics of an individual, including facial images, fingerprints and voice recordings.
  • Biometric templates: Binary representations resulting from the application of an algorithm to biometric samples, and considered as anonymized data on their own.

When processing a biometric sample, the biometric system algorithm will extract a digital representation of its features or characteristics and transform it into a biometric template. The template will then be used against biometric samples presented in the process of verifying or identifying individuals.

Best practices for collecting, using and disclosing biometric data

The immutable nature of biometric data presents risks that organizations should be aware of when purchasing biometric recognition systems for security applications. The table below summarizes the various risks associated with biometric recognition technology and the measures that organizations can consider implementing to mitigate the risks.

Risks The description Measures
Identify identity theft Use a synthetic object with the physical characteristics of an individual to achieve a positive match in the system – Implement anti-spoofing measures (e.g. liveness detection) within the system – Install biometric systems with facial recognition function near occupied security post / security guards – Encrypt data at rest and data in transit to prevent possible tampering with biometric data
Identification error False negatives: occur when the match threshold is too high and the system fails to identify registrants False positives: occur when the match threshold is too low and the system incorrectly identifies a person as a registrant – Consider the impact of false positives and false negatives, as well as relevant industry practice and implement a reasonable match threshold – Include additional authentication factors (e.g., ID cards) access) to complement existing matching thresholds
Systemic risks for biometric templates The uniqueness of a biometric template can be diluted if the algorithm used to create the template is used multiple times by the service provider on different sets of customers – Encrypt biometric templates in databases – Introduce a salt when encrypting biometric templates – Consider using custom algorithms to preserve uniqueness of biometric templates

In addition to knowing the risks of deploying biometric recognition technology, it is equally important for organizations to protect biometric data at all stages of its lifecycle. Organizations can consider adopting the following best practices:

Cycle of life Measures
Collection – Notify individuals of security camera locations – Obtain consent from individuals before collecting biometric data
Treatment / Use – Limit access to security camera recordings – Immediately process collected biometric samples to extract biometric templates and only use biometric templates in the recognition process – Ensure that decrypted biometric templates that are still in the system do not perform matching process
Storage – Limit access to security camera storage databases – For biometric recognition systems, discard biometric samples once biometric templates have been extracted – Isolate biometric templates from individuals’ other identifying information to prevent the link between the two – Put in place protective measures to protect the databases containing the biometric data (for example, encryption of the biometric data, introduction of salt in the encryption process, etc.)
Arrangement Permanently delete biometric data (and all copies made) from the system

Obligations under the PDPA

The Guide addresses some of the purposes for which organizations may collect, use or disclose personal data, including controlling access to services/premises, maintaining a safe working environment, monitoring the security of premises and investigations, and improving the operational effectiveness of premises security.

Organizations can rely on the following exceptions to provide consent in the PDPA when collecting, using or disclosing individuals’ biometric data:

  • “Publicly available data” exception: Organizations may rely on this exception when collecting biometric samples in public places or when individuals may be observed by reasonably expected means. It allows organizations to collect, use or disclose collected biometric data for security purposes.
  • “Legitimate interests” exception: Organizations may collect, use or disclose personal data without first obtaining an individual’s consent if, after conducting a legitimate interests assessment, determines that the legitimate interests of the organization/other individuals in the cases use of safety outweigh any likely adverse effect on the individual.
  • “Business improvement” exception: Organizations can leverage this to use biometric data without consent to improve their crowd management and security operations as part of their business or service offerings.

Other obligations under the PDPA, such as the access and correction obligation, the safeguard obligation, the data breach notification obligation and the retention limitation obligation apply equally. to biometric data. For the access obligation, while obligations can request access to their biometric data, organizations are not required to disclose biometric templates to individuals. The Guide explains that biometric templates, unlike collected samples, will serve no purpose outside of the organization’s biometric recognition system. In addition, the PDPC clarified that biometric templates are considered confidential business information and that the organization’s security system can be compromised if this information falls into the wrong hands. Organizations are also encouraged to establish a data protection management program detailing the organization’s policies and practices related to the processing of biometric data.

In deciding what type of biometric system to implement, an organization should consider (i) the purpose, requirements, and alternatives to installing such systems, (ii) the possibility of minimizing data collection at personal character when using biometric systems to fulfill its business purpose, (iii) the perception of intrusion into an individual’s privacy, (iv) the context and frequency of use of biometric systems , and (v) the potential risks and level of protection conferred by each biometric system.

Complete Guide to Responsible Use of Biometrics in Security Applications Now Available here.

The content is provided for educational and informational purposes only and is not intended and should not be construed as legal advice. This may qualify as “lawyer advertising” requiring notice in some jurisdictions. Prior results do not guarantee similar results. For more information, please visit: www.bakermckenzie.com/en/client-resource-disclaimer.

Share.

Comments are closed.