Biometric authentication by means of iris scans, fingerprints, vein patterns and so on has one major advantage: unlike passwords, the user cannot forget the information. On the other hand, biometric data can be used to draw conclusions about the person, and that makes it significant for data protection. But there is no need to miss out on it. In this article, we highlight what you need to consider when using biometric methods.
Biometric data for your security
In biometrics, or biometric methods, people's natural, distinctive, physiological or behavioural characteristics are used for authentication purposes. Biometric procedures are nothing new; signatures and individual face checks have been in use for a long time. For example, dactyloscopy (fingerprint analysis) has played an important role in criminal cases for over a hundred years.
In comparison to other authentication methods such as PINs and passwords, biometric data provides extra security, because personal biometric data cannot be forgotten or lost. Unlike a PIN or password, it also cannot be “passed on” to other people. The advantages for the user, as well as for companies using it in conjunction with IAM (Identity & Access Management) solutions, are obvious.
On the downside, once it has been “compromised” (i.e. if it has fallen into the wrong hands), biometric data cannot be changed like a password. Furthermore, it may allow other conclusions to be drawn about the person in question (we will come back to this later on). This is why the Swiss Data Protection Act (DSG) and the European General Data Protection Regulation (GDPR) set high standards in terms of data security and data protection.
Biometric features can currently only be changed in exceptional cases and with considerable effort, e.g. by cosmetic surgery on the facial features. For this reason, biometric data is not just person-related, it is person-specific. The raw data obtained in this way is – according to the definition of the term – unique to each person and can be assigned to a specific person almost “anytime and anywhere”. A distinction is made between two groups:
Furthermore, we distinguish between two types of biometric data:
In principle, raw biometric data captured by sensors contains much more information than the template derived from it. For this reason, and in line with the principle of data economy (only data that is really necessary), it is preferable to file or store biometric templates.
In a nutshell, biometric data is usually inextricably linked to a specific person. This means that raw data and templates created from it are personal data, even without any other reference to persons such as names. They are usually also linked to additional identification or addressing information such as name, first name, gender, date of birth, etc.
Biometric data is not explicitly mentioned in the current Swiss Data Protection Act (DSG), but it is mentioned in the guidelines of the Federal Data Protection and Information Commissioner (EDÖB). These guidelines contain many recommendations for protecting this data and protecting the identity of the people concerned, within the meaning of the Data Protection Act. For example, it has been pointed out that biometric identifiers like fingerprints, the geometry of the hand and face, a digital scan of the iris and voice recognition can be used to draw conclusions about a person's ethnic origin and their health status. Ethnic origin and health status constitute particularly sensitive personal data (pursuant to Art. 3 letter c of the DSG), and the processing of this data must comply with more stringent restrictions and requirements.
In the European General Data Protection Regulation (GDPR), biometric data (according to Art. 4 No. 14 of the GDPR) is also considered as a “special category of personal data” (according to Art. 9 of the GDPR) where it is used to uniquely identify a natural person. This is of course the case with biometric authentication methods. In principle, under paragraph 1 it is prohibited to process this category of data (unless there is an exceptional reason explicitly listed in paragraph 2). The following guiding principles should be observed:
Particular attention must be paid to ensure that the processed data remains within the jurisdiction of the data subject and that no inappropriate data processing is carried out.
As is the case when processing other personal data, appropriate security measures must also be taken in biometric procedures, such as encryption, protection against manipulation of hardware and software and of the data itself, protection during recording and processing, digital signature, access and entry rights, etc. However, ensuring the technical security of the biometric procedure is not enough on its own. You also need to take the following points on board when using biometric authentication methods and systems:
With all these requirements and framework conditions, you are now bound to be asking yourself whether access systems based on biometric authentication procedures are permissible at all. We clearly believe they are! However, there are some things that need to be considered.
The Swiss Federal Data Protection and Information Commissioner (EDÖB) has also expressed criticism of the use of recognition systems based on biometric features within the workplace, particularly because by doing so, employers are encroaching on employees' personal rights. There must be a justification for processing this kind of biometric data. However, on its own, this is not enough. Additionally, it must be ensured that the identification system to be used complies with data protection requirements. The guide mentioned above also provides valuable services here.
It is also made clear that, wherever possible, the only kinds of biometric data that should be captured are those that do not leave any trace and cannot be captured without the person concerned being aware of it – e.g. a hand outline or hand vein pattern. Moreover, the biometric data should be stored in a decentralised location in encrypted form on a secure medium and kept secure.
So, as you can see, there are quite a few things to take into consideration before using access controls based on biometric features. Ask us about it, we will be happy to advise you.
There are tremendous advantages in using biometric methods for user authentication. However, the requirements for designing biometric procedures in a way that is compatible with data protection must be observed. If you follow these 6 points, there is nothing to stand in the way of using them.
Provided that the data protection framework conditions mentioned above are complied with, using biometric procedures poses no threat to the right to self-determination of information; in fact, it makes a contribution to heightened data security by means of direct, genuine verification and authentication.
Every company using biometric data must be aware of the possible effects on processes and infrastructure. These should be comprehensively reviewed based on the aspects described above. A comprehensive gap analysis, subject to either the Swiss Data Protection Act (DSG) or the European General Data Protection Regulation (GDPR) depending on your company's data categories, is the first step in this process. Get support! Our data protection experts can provide you with assistance in all aspects, from questions about data protection requirements, gap analysis, technical security checks, strategy definition and conception to raising awareness and implementation. You can find more information about our data protection services here: