In May 2022, the Singapore Personal Data Protection Commission (PDPC) published a guide to help organisations collect, use or disclose individuals’ biometric data in a responsible manner (“Guide“). With security applications like security cameras and Closed-Circuit Television Cameras (CCTVs) becoming increasingly commonplace, there have been more cases of organisations mishandling individuals’ biometric data. The release of this Guide serves as a timely reminder for organisations to review their existing measures or implement new measures to ensure that they are dealing with individuals’ biometric data in a responsible manner.
In more detail
While this Guide is not legally binding on individuals and organisations, it reflects the PDPC’s stance with regard to the handling of biometric data in a security setting. Organisations should look into and consider the best practices that are provided in the Guide to ensure that they are in compliance with their legal obligations under the PDPA and are not exposed to legal risks and liabilities.
The Guide is targeted at security applications that use personal data, as well as organisations that use such security applications. The Guide does not apply to individuals who use security or biometric systems for private purposes. The Guide is only intended for organisations’ use of biometric data in security applications, and does not extend to other commercial purposes.
Key Terminology and Processes
- Biometric data: Biometric samples or biometric templates created through technical processing of biometric samples.
- Biometric samples: Data relating to the physiological, biological or behavioural characteristics of an individual, including facial images, fingerprints and voice recordings.
- Biometric templates: Binary representations derived from the application of an algorithm to biometric samples, and are considered anonymised data on their own.
When processing a biometric sample, the algorithm in the biometric system will extract a digital representation of its features or characteristics and transform it into a biometric template. The template will then be used against the presented biometric samples in the process of verifying or identifying individuals.
Best Practices to Collect, Use and Disclose Biometric Data
The immutable nature of biometric data presents risks that organisations need to be aware of when procuring biometric recognition systems for security applications. The table below summarises the different risks associated with biometric recognition technology and the measures that organisations may consider implementing to mitigate the risks.
|Identify spoofing||Using a synthetic object with the physical characteristics of an individual to obtain a positive match in the system||– Implement anti-spoofing measures (e.g. liveliness detection) within the system|
– Install biometric systems with facial recognition function near a manned security post / security officers
– Encrypt data-at-rest and data-in-transit to prevent possible tampering with biometric data
|Error in identification||False negatives: Occurs when the threshold for matching is set too high and the system fails to identify enrolled individualsFalse positives: Occurs when the threshold for matching is set too low and the system wrongly identifies a person as an enrolled individual||– Consider the impact of false positives and false negatives, and the relevant industry practice and implement a reasonable matching threshold |
– Include additional factors of authentication (e.g. access cards) to complement the existing matching thresholds
|Systemic risks to biometric templates||The uniqueness of a biometric template may be diluted if the algorithm used to create the template is used multiple times by the service provider across different sets of customers||– Encrypt biometric templates in databases|
– Introduce a salt when encrypting biometric templates
– Consider using customised algorithms to preserve the uniqueness of biometric templates
Apart from being familiar with the risks present in the deployment of biometric recognition technology, it is equally important for organisations to protect biometric data at all stages of their life cycle. Organisations can consider adopting the following best practices:
|Collection||– Notify individuals regarding placements of security cameras|
– Obtain the consent of individuals before collecting biometric data
|Processing / Usage||– Limit access to recordings of security cameras|
– Process biometric samples collected to extract biometric templates immediately, and only use biometric templates in the process of recognition
– Ensure decrypted biometric templates that are still in the system do not carry out matching processes
|Storage||– Limit access to the storage databases of security cameras|
– For biometric recognition systems, discard biometric samples once biometric templates have been extracted
– Isolate biometric templates from other identifying information of individuals in order to prevent the linking of the two
– Implement safeguards to protect the databases holding the biometric data (e.g. encrypting biometric data, introducing salt to the encryption process etc.)
|Disposal||Permanently delete biometric data (and any copies made) from the system|
Obligations under the PDPA
The Guide discusses some of the purposes that organisations may collect, use or disclose personal data for, which include controlling access to services / premises, maintaining a safe working environment, security monitoring of premises and investigations, and enhancing security operational efficiency for premises.
Organisations may rely on the following exceptions to consent in the PDPA when collecting, using or disclosing the biometric data of individuals:
- “Publicly available data” exception: Organisations can rely on this exception when collecting biometric samples in public locations or where individuals may be observed by reasonably expected means. It allows organisations to collect, use or disclose the biometric data collected for security purposes.
- “Legitimate interests” exception: Organisations may collect, use or disclose personal data without first obtaining the consent of an individual if, after conducting a legitimate interests assessment, determines that the legitimate interests of the organisation / other individuals in the security use cases outweigh any likely adverse effect on the individual.
- “Business improvement” exception: Organisations may rely on this to use the biometric data without consent to improve their crowd management and security operations as part of their business or service offerings.
The other obligations under the PDPA, such as the access and correction obligation, protection obligation, data breach notification obligation and retention limitation obligation similarly apply to biometric data. For access obligation, while obligations may request access to their biometric data, organisations need not disclose biometric templates to individuals. The Guide explains that biometric templates, unlike the samples collected, will not serve any purpose outside the organisation’s biometric recognition system. Further, the PDPC made clear that biometric templates are considered confidential commercial information, and the organisation’s security system may be jeopardized if such information falls into the wrong hands. Organisations are also encouraged to establish a Data Protection Management Programme detailing the organisation’s policies and practices related to the handling of biometric data.
In deciding the type of biometric system to be implemented, an organisation shall consider (i) the purpose, requirements and alternatives to the installation of such systems, (ii) the possibility of minimising the collection of personal data when using biometric systems in fulfilling its business objective, (iii) an individual’s privacy intrusion perception, (iv) context and frequency of using biometric systems, and (v) the potential risks and level of protection conferred by each biometric system.
The complete Guide on Responsible Use of Biometric Data in Security Applications can be accessed here.
© 2022 Baker & McKenzie.Wong & Leow. All rights reserved. Baker & McKenzie.Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “principal” means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.