Impact of GDPR on Biometric Systems

Paul Guckian

Meet the speaker

Paul Guckian MSc, BSc, CISA, CISM, FBCS is Managing Director of DelaneyBiometrics and has 15 years of information security specialist experience, mainly in the financial sector. He is a certified IT Auditor and Information Security Manager with practical hands-on experience in all aspects of technology and Information Security Management. He is a guest lecturer in biometrics at universities such as Warwick and London City University. He has also served as Vice President of ISACA chapters and Chairman of the British Computer Society’s special group in Information Risk Management & Assurance. You can connect with Paul via https://www.linkedin.com/in/paulguckian/

Many organisations and developers are worried about the impact of GDPR on biometric solutions, so let’s explore the main security and compliance considerations involved. Customers have occasionally been given poorly informed advice that biometric systems cannot comply with the new legislation. Nothing could be further from the truth.

Background

It is worth revisiting the meaning of “data” under the Data Protection Act, which means information that is:

a) being processed by means of equipment operating automatically in response to instructions given for that purpose,

b) recorded with the intention that it should be processed by means of such equipment,

c) recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,

d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68, or

e) recorded information held by a public authority and does not fall within any of paragraphs (a) to (d).

Therefore, raw images of biometric data are “personal data” by the definitions of the Act.

Raw biometric data may also meet the definition of “sensitive data” under the Act, as it can reveal the racial or ethnic origin, or even the health status, of the user; facial recognition, for example, would usually involve sensitive data because a face image reveals race. Of course, additional security controls are required for sensitive data under the Act.

What is biometric data?

We should consider the two different kinds of “biometric” data which may be used:

#1 Biometric images are the raw pictures of the biometric data (e.g. a photo or fingerprint image) and are clearly personal data covered by the GDPR legislation. They can be readily encrypted to offer protection in storage or transit. Images are the primary storage (along with templates) used by police and immigration systems, which can create confusion with the alternative approach used by commercial biometric systems.

#2 Biometric templates are hash values (in the same sense as a password hash) representing the biometric patterns in numerical format. In themselves, they are not normally considered ‘personal identifiable information’, as a template is a one-way hash and cannot by itself be ‘reverse engineered’ to identify the user. This is the most common approach used by commercial biometric systems, which usually discard the images; this creates a ‘vendor lock’ effect when selling the system and prevents migration to alternative systems.

But there are two data scenarios to be careful of when considering the impact of GDPR. Firstly, if another system holds the raw data from which the template can be re-created, and that data can be matched to the template via an index, then the template may meet the definition of personal identifiable information.

Secondly, all systems have to process a raw biometric image in memory to create or verify the biometric template, so some ‘personal identifiable information’ is involved in all cases. Most commercial systems operate using this approach.


Impact of GDPR legislation

There remains a great deal of ‘best practice’ to be defined around the impact of GDPR on biometrics, and there remain many conflicting views about the interpretation of the legislation, with many ‘consultants’ erring on the side of caution. In relation to biometric data, the main principles of the new GDPR legislation are:

1. Lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Biometrics is no different to other forms of sensitive data: you must obtain permission to process the data. In most cases, biometric enrolment requires the users to take part in the enrolment process, so consent is explicit. Passive surveillance using biometrics is obviously an area where consent needs to be clearly communicated, probably via signage or other means.

2. Purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Biometrics is the same as any other sensitive data in this regard.

3. Data minimization: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

There are clear business examples where the benefits of biometrics have exceeded those of alternative authentication. Some examples include:

  • Construction timesheets are up to 10% more accurate when biometric systems are used, as biometrics reduces buddy punching, ghost workers, and human error.
  • Gym biometric access control reduces revenue loss by up to 5%, for example, as it reduces card or PIN sharing. Ironically, the issue is highest in the lowest-cost operators.

Therefore, businesses legitimately assess that biometric authentication is necessary to protect their commercial interests and staff safety, enabling these two sectors to operate on narrow profit margins. Other authentication options simply don’t provide a genuine link to the system user and are open to easier and possibly greater misuse or fraud.

Storage of raw biometric images may be considered excessive or even unnecessary when biometric ‘templates’ would have sufficed, so careful consideration needs to be given to the storage approach used.

4. Accuracy: Personal data shall be accurate and, where necessary, kept up to date.

Biometrics is the same as any other sensitive data in this regard.

5. Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

One point which is often raised is that biometric data must begin in a raw format before it is converted into a ‘biometric template’. Clearly, some raw image processing is necessary to turn the image into a template. Higher-security biometric sensors carry out encryption and/or template creation on board the hardware module, and also offer hardware identification controls that restrict the connection of unauthorised hardware, thereby managing the risk effectively.

In terms of risk assessment, the same risk scenario exists with key logging, for example, in that the system input data can be intercepted before it actually reaches the system. This is a familiar problem in cybersecurity, so a similar risk assessment approach may be taken with biometric inputs. At the point a user presents themselves to a biometric system, they are consenting to do so, which makes it similar to entering data on a web page.

6. Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Biometrics is the same as any other sensitive data in this regard.

7. Accountability: The controller shall be responsible for, and be able to demonstrate compliance with the GDPR.

Biometrics is the same as any other sensitive data in this regard.

Impact on Biometric Systems

The benefits of biometric authentication are significant for many organisations, as it is both a convenient and secure form of individual authentication. Biometrics is the only authentication mechanism which truly links actual users (rather than their security identity) to their specific actions. It is also the only authentication method to offer true deduplication of user records, hence its use in voting systems.

Native biometric data has the same ‘personal identifiable information’ data classification as any other personal information such as name, date of birth etc., and in many cases it comes under sensitive data, as it would identify the race or ethnic origin of the person.

One of the arguments against biometric data is that it cannot be changed, but it is similar to ‘date of birth’ and other sensitive personal data in this regard. Biometric templates are ‘hash values’ and don’t directly identify users, and these stored values can be changed by using an alternative algorithm. Indeed, some systems that detect an exact ‘replay’ of biometric data reject the input, as it is statistically unlikely that two live presentations would produce a mathematically perfect match.

The use of biometrics may be described as ‘excessive’ or ‘unnecessary’ by those objecting to its use. If construction timesheets are up to 10% more accurate when biometric systems are used, and gym biometric access control reduces revenue loss by up to 5-10%, then the use of biometric systems has real and genuine value to businesses. This enables these two sectors to operate on very narrow profit margins. Businesses legitimately assess that biometric authentication is necessary to protect their interests, as other options simply don’t provide a genuine link to the system user, are less convenient and are potentially more open to fraud.

In biometric systems, the ‘personal identifiable data’ is being processed from the moment the biometric data (e.g. a fingerprint) is captured by the scanner until it is converted into a template or used for authentication seconds later. Except in the case of passive surveillance, raw biometric data has to be ‘offered’ by the end user and so by definition has their consent. During the first phase, the raw biometric image is processed by the scanner, and within seconds the system is working with the biometric template (a secure hash value). Thereafter the data is processed like any other data between client and server, such as data sent from a web browser. In this regard, it’s no different from typing your date of birth or name on a web page before it is securely processed by a web application: there is a moment when the data is exposed on the screen before it is secured.
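To make the capture-to-template flow above and the ‘exact replay’ rejection mentioned earlier in this section concrete, here is an added Python example. It is not code from the article or from DelaneyBiometrics: the feature extraction (bucketing each measurement), the match threshold and the sample values are constructed stand-ins for a real, vendor-specific algorithm. It shows the raw sample being used only transiently to derive a template, only the template (plus a one-way digest for replay detection) being retained, and a bit-for-bit repeat of an earlier presentation being refused.

```python
"""Added example: transient raw-sample handling, template-only storage and
exact-replay rejection. Feature extraction and sample values are constructed
stand-ins for illustration, not a real biometric algorithm."""
import hashlib
from dataclasses import dataclass, field

FEATURES = 16           # length of a constructed raw sample
QUANT = 8               # quantisation step: nearby readings fall in one bucket
MATCH_THRESHOLD = 0.75  # fraction of template features that must agree


def extract_template(raw_sample):
    """Derive a coarse template from a raw sample.

    Assumption: bucketing each measurement stands in for the vendor-specific
    feature extraction a real system performs. The template, not the raw
    sample, is what the system keeps.
    """
    if len(raw_sample) != FEATURES:
        raise ValueError("unexpected sample size")
    return tuple(value // QUANT for value in raw_sample)


def sample_digest(raw_sample):
    """One-way digest of a raw presentation, kept only to spot exact replays.

    Design choice: two live presentations of the same finger never agree
    bit for bit because of sensor noise, so a repeated digest is treated as
    a replayed capture rather than a fresh one.
    """
    return hashlib.sha256(",".join(map(str, raw_sample)).encode()).hexdigest()


@dataclass
class EnrolledUser:
    user_id: str
    template: tuple
    seen_digests: set = field(default_factory=set)


def enrol(user_id, raw_sample):
    """Create the stored record. The raw sample is used here and then dropped."""
    user = EnrolledUser(user_id, extract_template(raw_sample))
    user.seen_digests.add(sample_digest(raw_sample))
    return user


def similarity(template_a, template_b):
    """Fraction of positions where two templates agree."""
    agree = sum(1 for a, b in zip(template_a, template_b) if a == b)
    return agree / len(template_a)


def verify(user, raw_probe):
    """Return (accepted, reason) for a live presentation against a stored record."""
    digest = sample_digest(raw_probe)
    probe = extract_template(raw_probe)  # the raw probe is not retained past this call
    if digest in user.seen_digests:
        return False, "replay"           # exact repeat of an earlier capture
    if similarity(user.template, probe) < MATCH_THRESHOLD:
        return False, "no_match"
    user.seen_digests.add(digest)
    return True, "match"


# Constructed samples: an enrolment capture, a fresh noisy capture of the same
# subject, and an unrelated subject. Values are arbitrary, not real readings.
ENROL_SAMPLE = [12, 45, 78, 23, 67, 89, 34, 56, 91, 10, 42, 77, 65, 30, 88, 51]
FRESH_PROBE = [13, 44, 79, 24, 66, 90, 35, 57, 92, 11, 43, 76, 63, 31, 89, 50]
IMPOSTOR_SAMPLE = [3, 20, 50, 70, 5, 40, 60, 80, 15, 33, 99, 8, 27, 58, 44, 19]


def run_scenario():
    """Enrol once, then present: a fresh sample, the same sample again, the
    enrolment capture again, and an impostor. Returns the list of outcomes."""
    user = enrol("subject-01", ENROL_SAMPLE)
    return [
        verify(user, FRESH_PROBE),
        verify(user, FRESH_PROBE),
        verify(user, ENROL_SAMPLE),
        verify(user, IMPOSTOR_SAMPLE),
    ]


if __name__ == "__main__":
    for accepted, reason in run_scenario():
        print("accepted" if accepted else "rejected", reason)
```

The second presentation of FRESH_PROBE is refused as a replay even though it would match perfectly, which is the behaviour the section describes; the fresh probe differs from the enrolment capture in two of sixteen bucketed features and is still accepted because it clears the threshold. Whether to retain the digest of each accepted capture is itself a storage-limitation decision to record in the risk assessment.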


Conclusions

The use of biometric data is a well-established, mature authentication mechanism. It cannot be considered ‘excessive’, as there are very sensible commercial reasons to require its use (de-duplication, anti-fraud, accuracy, convenience). Just as your bank requires a 3-5 year address history to identify you and detect fraud, a biometric system may be a legitimate requirement for customers or internal users. If an alternative authentication method is offered, this can mitigate the feeling of ‘compulsory’ biometrics, but it can quickly undermine the security of the biometric system; the more secure approach is multi-factor biometric authentication.

Passive biometrics is probably the one area that is affected, and the operators of the millions of CCTV cameras in use in the UK will need to consider the impact of GDPR. In some sectors, like pubs, CCTV is a licensing requirement, so it will take some time for the legislative impact to be established in case law and understood consistently.

Biometric data can be a sensitive subject for some end users. Its links with police and immigration systems can generate emotive associations for end users. However, in law, biometric data is just another form of (sensitive) data as far as the GDPR legislation is concerned. The ICO has issued specific guidance on the use of biometrics for children, for example.

Biometric enrolment should be subject to the same consents and approvals as any other sensitive data. For risk assessment categorisation, raw biometric data is personal data and may be sensitive data. Biometric templates may or may not be personal data depending on system design. Therefore, the design of the system needs to be carefully understood to correctly assess the impact. The use of biometric data is not directly threatened by the GDPR legislation, and any organisation which designs its procedures to comply with the GDPR legislation should include ‘biometric data’ in its risk assessment in the same manner as other sensitive data.

About DelaneyBiometrics

Since 2003, DelaneyBiometrics has been the UK & Ireland’s leading specialist biometrics distributor. We operate the UK’s only biometric experience centre at High Wycombe, about 20 miles from London Heathrow airport. The centre provides live demonstrations of biometric authentication solutions such as single sign-on, access control and attendance management using a range of modalities including fingerprint scanners, facial recognition, iris recognition, vein scanning and voice recognition. You can contact us via www.delaneybiometrics.com or (01342) 810 810.