Do You Really Need That Fingerprint System? Processing Biometric Data under the Data Protection Act 2019
What is Biometric Data?
Biometric data is any ‘personal data resulting from specific technical processing based on physical, physiological or behavioral characteristics including blood typing, fingerprints, DNA analysis, earlobe geometry, retinal scanning, and voice recognition’. Simply put, biometric data can be termed as ‘characteristics that can be used to digitally identify a person’.
Over the years, there has been a surge in the use of biometric systems for identification by businesses and various institutions, with digital fingerprints being the most commonly used method. The use of biometrics is slowly being woven into the very fabric of our communities. Biometric security systems are all around us, employed by financial institutions, government agencies, universities, hospitals, and various businesses. Medical facilities require our fingerprints for insurance processing, we unlock our phones using fingerprint sensors or facial recognition, access our universities through similar systems, and register for government documents such as passports using biometric information.
Biometric security is widely used because it is considered the future of security: its systems use an individual’s unique and distinct characteristics, such as keystroke dynamics, fingerprints, and facial features, to verify their identity. When used as part of a ‘multifactor authentication system’, these systems greatly enhance security as they rely on who we are, as opposed to what we have or what we know, for authentication. Usually, systems do not store biometric characteristics as they are collected but convert them to code, which assists in the protection of this data. Encryption of the data, whether in transit or at rest, is also used for data security. This can be done through biometric encryption or cancelable biometrics, where the data is stored bound to a key or as a transformed template and hence is not directly accessible.
Needless to say, a breach of such data would pose great risks that are difficult to reverse. Because this data is a part of an individual’s identity that can hardly be changed, the consequences of access by malicious third parties, such as identity theft and fraud, cannot be taken lightly. Moreover, we must remember that these systems do not fully guarantee the benefits claimed for them: they are more probabilistic than deterministic and can therefore produce false positives or false negatives, and they remain vulnerable to outside attacks because it is possible to spoof a fingerprint system using well-made fake fingerprints.
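As an added illustration (not part of the original article and not any vendor's scheme), the Python below shows one simple form of cancelable biometrics: a key-seeded random projection reduced to sign bits, compared against a threshold, which is also why matching is probabilistic rather than exact. The feature vectors, key names, template length and threshold are constructed assumptions.

```python
import hashlib
import random

N_BITS = 256      # template length in bits (assumed for this example)
THRESHOLD = 0.20  # accept if at most 20% of bits differ (assumed)

def make_template(features, key):
    """Key-seeded random projection; only the sign of each projection is stored."""
    rng = random.Random(hashlib.sha256(key).digest())
    bits = []
    for _ in range(N_BITS):
        row = [rng.gauss(0.0, 1.0) for _ in features]
        bits.append(1 if sum(r * f for r, f in zip(row, features)) >= 0 else 0)
    return bits

def distance(a, b):
    """Fraction of differing bits (normalised Hamming distance)."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def matches(stored, probe):
    """Threshold decision: set too loose it admits impostors, too tight it rejects owners."""
    return distance(stored, probe) <= THRESHOLD

def capture(person_seed, noise=0.0, capture_seed=0, dim=64):
    """Constructed stand-in for a feature extractor: same person, new noise per scan."""
    base, jitter = random.Random(person_seed), random.Random(capture_seed)
    return [base.gauss(0, 1) + jitter.gauss(0, noise) for _ in range(dim)]

def demo():
    enrolment = capture(1)
    later_scan = capture(1, noise=0.05, capture_seed=7)
    other_person = capture(2, noise=0.05, capture_seed=8)
    old = make_template(enrolment, b"key-v1")
    reissued = make_template(enrolment, b"key-v2")  # new key issued after a breach
    return {
        "genuine_accepted": matches(old, make_template(later_scan, b"key-v1")),
        "impostor_accepted": matches(old, make_template(other_person, b"key-v1")),
        "leaked_template_accepted": matches(reissued, old),
        "old_vs_reissued": distance(old, reissued),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The same finger enrolled under a new key yields a template that differs from the old one in about half its bits, so a leaked template can be revoked and reissued without the person needing a new fingerprint.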
What does the law provide?
The uniqueness and sensitivity of biometric information raise significant privacy concerns. Generally, section 44 of the Data Protection Act greatly restricts the instances where sensitive personal data such as biometric data may be processed. As a basic requirement for all personal data, the data subject ought to have given free, unequivocal, and informed consent to the collection, processing, and storage of their data before it is processed. This consent can be withdrawn at any time, and the data subject retains the right to object to their data being processed as well as the right to be forgotten. Consent on its own, however, is not enough, and there is a need for other lawful justifications for processing biometric data.
Grounds for processing sensitive personal data under the Act include where it is required to establish, exercise, or defend a legal claim, where it has been made manifestly public, and where it can protect the vital interests of the data subject or another person who is incapable of giving consent either physically or legally. Furthermore, this data should only be processed in the absence of other less intrusive means and stored only for the required duration. Notably, the provision allowing for the processing of sensitive personal data merely because it has been made manifestly public has been criticised for granting wide discretion as to what counts as ‘manifestly public’, which may defeat the very essence of the protection of such sensitive data.
When is it permissible to process such data?
In short, biometric data should only be processed when it is both proportional and necessary to do so. This was illustrated in 2020, when the Dutch Data Protection Authority imposed a huge fine on a company that had used its employees’ fingerprints in a biometric system to reduce fraudulent time recording. The Authority found the company’s reason disproportionate and unnecessary, and therefore not allowed under the law. The Authority also cast doubt on the manner in which employee consent was obtained. It is thus evident that processing biometric data merely to enhance one’s business efficiency, and moreover without proper safeguards in place for the collected data, is impermissible under the Act.
Judging from the Dutch Authority’s decision above, it is highly doubtful whether most entities that currently process biometric data in Kenya would pass the necessity and proportionality tests. For instance, learning institutions that require their learners’ fingerprints to grant entry into libraries may have a challenge in demonstrating a lawful justification for collecting such sensitive data.
However, as the Act empowers the Cabinet Secretary to make regulations addressing matters including ‘measures to safeguard a data subject’s rights, freedoms, and legitimate interests’, it is expected that these regulations will set the mandatory threshold to be met in Kenya for the processing of this data. It is also worth mentioning that the Employment (Amendment) Bill of 2020 contains provisions for the protection of employees’ personal data which address these concerns in the employment sector.
In the meantime, entities already engaged in collecting biometric information of persons should carry out rigorous, step-by-step Data Protection Impact Assessments to identify weaknesses, check for compliance, and establish whether they truly need these systems. Data processors and controllers are additionally required to promptly inform the Data Commissioner and the data subject where there has been a breach that presents a real risk of harm.
In conclusion, as the use of biometric information and systems to enhance security increases, it remains imperative to protect the right to privacy of data subjects. Both private and public entities ought to ascertain that they are indeed justified in their collection of biometric data and that it is thereafter done in strict adherence to the principles of necessity and proportionality.