The following guidance has been prepared as an aid to schools, colleges and other educational institutions that may be considering the installation and use of a biometric system. This document is intended to encourage such institutions to fully consider whether there is a need for a biometric system in the first place and then to assess the privacy impact of different systems.
The critical issues to be considered from a data protection perspective are the proportionality of introducing a biometric system and the requirement to obtain the signed consent of the student users (and their parents or guardians in the case of minors) giving them a clear and unambiguous right to opt out of the system without penalty.
The document is not intended to promote any particular system, but is intended to make schools and colleges aware of their responsibilities under the Data Protection Acts 1988 & 2003. It is the use of a biometric system that may give rise to a data protection concern, not necessarily the production or sale of a system. All situations must be judged on a case-by-case basis.
All biometric systems operate on the basis of the automatic identification or authentication/verification of a person. What differs between systems is the nature of the biometric and the type of storage.
1.1 Information used to generate biometric data
Biometric data may be created from physical or physiological characteristics of a person. These include a fingerprint, an iris, a retina, a face, outline of a hand, an ear shape, voice pattern, DNA, and body odour. Biometric data might also be created from behavioural data such as hand writing or keystroke analysis. Generally, a digitised template is produced from the biometric data. This template is then compared with one produced when a person presents at a reader.
1.2 Types of biometric data
There are three principal types of biometric data:
There are two principal types of systems:
There are two principal methods of storing biometric data/templates:
Data Protection issues concerning biometrics.
Section 2(1)(c)(iii) of the Data Protection Acts states that data
"shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed."
The key word here is "excessive." Accordingly, the first question to be asked when considering the installation of such a system is what is the need for it? What is wrong with current systems or less invasive alternatives?
As individuals have fundamental Human Rights which are protected by the Data Protection Acts, a school or college must conduct some assessment of the need for a biometric system and an evaluation of the different types of available systems before the introduction of any particular system.
Determining what is excessive requires a case-by-case analysis. Some factors which may be taken into account include:
Section 2(1)(a) of the Acts requires that
"The data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed, fairly."
In order to demonstrate compliance with this provision, at least one of the provisions of Section 2A of the Acts must be met. In the context of the introduction of a biometric system for use by students in a school or college, these include:
Consent: In the context of students attending a place of education, the Data Protection Commissioner would stipulate that the obtaining of consent is of paramount importance when consideration is being given to the introduction of a biometric system. It is the Commissioner's view that when dealing with personal data relating to minors, the standards of fairness in the obtaining and use of data, required by the Data Protection Acts, are much more onerous than when dealing with adults. Section 2A(1)(a) of the Data Protection Acts states that personal data shall not be processed by a data controller unless the data subject has given his/her consent to the processing, or if the data subject by reason of his/her physical or mental incapacity or age, is or is likely to be unable to appreciate the nature and effect of such consent, it is given by a parent or guardian etc. While the Data Protection Acts are not specific on what age a subject will be able to consent on their own behalf, it would be prudent to interpret the Acts in accordance with the Constitution. As a matter of Constitutional and family law a parent has rights and duties in relation to a child. The Commissioner considers that use of a minor's personal data cannot be legitimate unless accompanied by the clear signed consent of the child and of the child's parents or guardian.
As a general guide, a student aged eighteen or older should give consent themselves. A student aged from twelve up to and including seventeen should give consent themselves and, in addition, consent should also be obtained from the student's parent or guardian. (Consent may not be considered to be in place for students in this age bracket unless it is given by both the student and a parent/guardian). In the case of children under the age of twelve, consent of a parent or guardian will suffice. Consent to the use of a biometric system in places of education should be obtained by means of a positive opt-in on the part of students (and/or their parents or guardians as set out above). An audit trail of the opt-ins should be maintained by the data controller for the duration of each student's enrolment. All students (and/or their parents or guardians as set out above) should, therefore, be given a clear and unambiguous right to opt out of a biometric system without penalty. Furthermore, provision must be made for the withdrawal of consent which had previously been given.
Legitimate interests: Whilst the "legitimate interest" provision may seem appealing, it requires that a balance be struck. What is acceptable in one case may not be acceptable in another and a school or college seeking to rely upon this provision must take into account the potential effect upon student privacy rights. In any event, the Data Protection Commissioner considers that, in the context of a student environment, the processing of personal data using a biometric system would be prejudicial to the fundamental rights and freedoms of the students concerned in the absence of freely given consent.
3A. Fair obtaining of sensitive data.
Explicit consent: As stated above, all students (and/or their parents or guardians) should be given a clear and unambiguous right to opt out of a biometric system without penalty. The same consent which applied to the principle of obtaining and processing data fairly also applies to the fair obtaining of sensitive data.
Section 2D of the Acts requires that a school or college provide at least the following information to students when processing their data:
It is essential that students are aware of the purpose for which the biometric data will be processed. This means that a school or college must carefully think through any purpose or potential purpose. Is the system solely for attendance management purposes? Will it be used for access control? What are the consequences for the student concerned if there is an identified abuse of the system? Under what circumstances will management access logs created by the system?
Transparency is even more important where the biometric system does not require the knowledge or active participation of a student. A facial recognition system, for instance, may capture and compare images without that person's knowledge.
Section 2(1)(b) of the Acts requires that data shall be
"Accurate and complete and, where necessary, kept up to date."
Any biometric system must accurately identify the persons whose data are processed by the system. If changes in physical or physiological characteristics result in a template becoming outdated, a procedure must be in place to ensure that the data are kept up to date.
The requirement, under section 2(1)(d), that a school or college has appropriate security measures in place to prevent the unauthorised access to, or the unauthorised alteration, disclosure or destruction of data would appear to promote the use of technological solutions such as encryption.
However, in deciding upon what constitutes an appropriate security measure, Section 2C details four factors that should be taken into account:
A minimum standard of security would include:
Section 2(1)(c)(iv) of the Data Protection Acts provides that data shall not be kept for longer than is necessary for the purpose. In the context of a biometric system in a school or college, it would be necessary to devise a retention policy in advance of the deployment of the system which clearly sets out the retention period which would apply to biometric data. The Data Protection Commissioner would expect that as soon as a student permanently leaves the school or college, his/her biometric data would be immediately deleted.
8. Privacy Impact Assessment.
The Data Protection Commissioner cannot give a general approval or condemnation of biometric systems. Each system must be judged in respect of the situation in which it is used. A case-by-case judgement is required. With that in mind, the Commissioner encourages schools and colleges to take the above guidance into account if considering introducing any biometric system.
Before a school or college installs a biometric system, the Data Protection Commissioner recommends that a documented privacy impact assessment is carried out. A school or college which properly conducts such an assessment is less likely to introduce a system that contravenes the provisions of the Data Protection Acts 1988 & 2003. This is an important procedure to adopt as a contravention may result in action being taken against a school or college by the Commissioner, or may expose a school or college to a claim for damages from a student. Data protection responsibility and liability rest with the school or college, not with the person who has supplied the system (where that person also acts as a data processor on behalf of the employer, it will have its own separate data protection responsibilities in relation to the security of the data).
Some of the points that might be included in a Privacy Impact Assessment are: