A deputy commissioner of the Information Commissioner’s Office (ICO) has warned that organisations need to obtain explicit consent for the use of biometric data.
Steve Wood, the deputy commissioner for policy, raised the point in a blog post responding to the organisation’s investigation of HM Revenue and Customs’ use of its Voice ID service. This led to the department having to delete the data of about 5 million customers for whom consent was judged to be out of date.
Wood says that, under the General Data Protection Regulation (GDPR), one of the key points about using biometrics such as voice data is that they come under a special category that requires extra protection. As a result, any consent has to be explicit, and this cannot be overridden by the benefits that any relevant technology can provide.
Another main point, largely determined by the GDPR, is that controllers are required to complete a data protection impact assessment (DPIA) when processing any data, including biometric data, that can pose a high risk to a person's rights. This has to be followed up by acting upon any risks that are identified.
In addition, there has to be accountability that involves demonstrating compliance with the GDPR, with appropriate technical and organisational measures in place.
“With the adoption of new systems comes the responsibility to make sure that data protection obligations are fulfilled and customers’ privacy rights addressed alongside any organisational benefit,” Wood says.
“The public must be able to trust that their privacy is at the forefront of the decisions made about their personal data.”