Biometric Data and Privacy
Biometric data is a powerful tool
for identification which enables
much of our modern contactless
technology. That technology
underpins the careful balancing
act of sustainably managing
the ongoing health risks posed
by COVID-19 while reopening
economies. The question, however,
is how to manage this increased
use of biometric data in compliance
with privacy laws when contracting
third party providers, particularly
cloud data providers.

Inspire December 2020
What is biometric data?
The most obvious thing that
springs to mind when someone
mentions biometric data is facial
recognition, finger print scanners,
or even retina scanners (if you are
a Mission Impossible fan from back
in the days before Tom Cruise was
known for jumping on couches).

According to the Biometrics
Institute, biometric recognition
is the “automated recognition of
individuals based on their biological
and behavioral characteristics”,
and a biometric characteristic
or “biometric” is the “biological
and behavioral characteristic of an
individual from which distinguishing,
repeatable biometric features
can be extracted for the purpose
of biometric recognition”.[1]
In short, biometric data is you
and your intrinsic properties. It is
inherently identifiable and cannot
be anonymised, which makes it possible
for artificial intelligence (AI) to
recognise you from things that
you never even knew were unique.

In addition to facial recognition
and fingerprints, it includes:
> the way you walk;
> the way you type;
> the shape of your ear;
> vein recognition;
> your DNA; and
> the way that you smell.

It is worth keeping in mind that it is
not possible to safely and securely
de-identify biometric data. The
biometric is itself the identifier:
with the available computing power,
AI and matching algorithms, merely
stripping names, addresses and
other personal information from the
records will not be sufficient to
de-identify a biometric dataset,
because the templates that remain
can still be matched against any
other set of templates of the
same people.

Often, the use of big data for
data analytics is justified on the basis
that the data has been de-identified.
Organisations should not rely on
this method for biometric data.
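The point above can be shown with a small linkage check. The following is an added illustration, not code from the original article or its author: a "de-identified" dataset has its names and e-mail addresses removed but keeps the biometric templates, and anyone holding an identity gallery for the same people can match the templates back by similarity. All records, names, e-mail addresses and the 8-element "templates" are constructed for this example; they stand in for whatever feature vector a real face, gait or fingerprint system would extract, and cosine similarity with a fixed threshold stands in for a real matcher.

```python
"""Added illustration (not code from the original article or its author).

A toy "linkage" check showing why stripping names and e-mail addresses from
a biometric dataset does not de-identify it: the biometric template itself is
the identifier.  All records below are constructed for this example; the
8-element "templates" stand in for whatever feature vector a real face, gait
or fingerprint system would extract.
"""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Enrolment:
    name: str
    email: str
    template: tuple[float, ...]


def cosine(a: tuple[float, ...], b: tuple[float, ...]) -> float:
    """Cosine similarity: 1.0 for identical direction, near 0 for unrelated vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


def perturb(template: tuple[float, ...], noise: tuple[float, ...]) -> tuple[float, ...]:
    """Simulate a second capture of the same person (same features, small noise)."""
    return tuple(t + n for t, n in zip(template, noise))


# Constructed enrolment templates for three identities plus one stranger.
ALICE = (0.9, 0.1, -0.4, 0.3, 0.7, -0.2, 0.5, 0.0)
BOB = (-0.6, 0.8, 0.2, -0.3, 0.1, 0.9, -0.4, 0.5)
CAROL = (0.2, -0.7, 0.6, 0.8, -0.5, 0.1, 0.3, -0.9)
DAVE = (0.5, 0.5, 0.5, 0.5, -0.5, -0.5, -0.5, -0.5)  # never enrolled anywhere

# The identity gallery an attacker, an insider or a data partner already holds.
GALLERY = [
    Enrolment("Alice Example", "alice@example.com", ALICE),
    Enrolment("Bob Example", "bob@example.com", BOB),
    Enrolment("Carol Example", "carol@example.com", CAROL),
]

# A later dataset (say, from a contactless access system) captured on another day.
NOISE = (0.03, -0.02, 0.01, -0.03, 0.02, 0.01, -0.02, 0.03)
RESEARCH_DATASET = [
    Enrolment("Alice Example", "alice@example.com", perturb(ALICE, NOISE)),
    Enrolment("Carol Example", "carol@example.com", perturb(CAROL, NOISE)),
    Enrolment("Bob Example", "bob@example.com", perturb(BOB, NOISE)),
    Enrolment("Dave Example", "dave@example.com", perturb(DAVE, NOISE)),
]


def strip_identifiers(records: list[Enrolment]) -> list[tuple[float, ...]]:
    """The naive 'de-identification': drop the direct identifiers, keep the biometric."""
    return [r.template for r in records]


def reidentify(anonymised, gallery, threshold: float = 0.9):
    """Match each 'anonymised' template back to an enrolled identity, or None."""
    names = []
    for template in anonymised:
        best = max(gallery, key=lambda g: cosine(template, g.template))
        score = cosine(template, best.template)
        names.append(best.name if score >= threshold else None)
    return names


if __name__ == "__main__":
    anonymised = strip_identifiers(RESEARCH_DATASET)
    for template, name in zip(anonymised, reidentify(anonymised, GALLERY)):
        print(f"{name or 'no match':<14} <- {template}")
```

Three of the four "anonymised" records come straight back as Alice, Carol and Bob; only the person who was never enrolled stays unmatched. Note also why the usual password defence does not transfer: a biometric match is a fuzzy comparison between two slightly different captures, so the template cannot simply be replaced by a one-way hash the way a password can.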

Why is biometric data
important to protect?
Biometric data is sensitive
information. It’s sensitive, in
part, because it is our inherently
identifiable information, and
because it largely requires us to
present ourselves. It is important
to understand within contractual
relationships who is responsible for
what elements of the collection, use,
storage, disclosure and destruction
of biometric data in compliance with
the applicable and relevant privacy
standards and laws. Finding out the
allocation of responsibility only after the
data has been breached is not the
recommended course of action!
[1] Biometrics Institute, “What is Biometrics?”, https://www.biometricsinstitute.org/what-is-biometrics/
As the COVID-19 pandemic has swept across the world,
organisations have increasingly looked to
new, contactless technology utilising biometric
data. This has raised questions of privacy.

When dealing with biometric data,
greater security standards must be
implemented. Unlike passwords and
email addresses, once biometric
data is disclosed there is no going
back. You only have a limited
number of features (ten fingers, one
face, two eyes!), none of which
can be reissued or changed as easily
as a password. Any enhanced security
standards must flow through to your
contracts with third party suppliers.

Cloud hosting, Privacy and Biometric Data – What should the contract say?
Cloud hosting provides greater
processing power and the
storage capacity necessary when
using biometric data. So, what
do you need to think about for
those all-important information
security and privacy clauses?
At the outset, the contract
must be clear about who is
responsible for the collection,
use, storage and disclosure of
biometric data, along with:
> Is the biometric data stored
in Australia? How, when and
where can the cloud provider
transfer the biometric data?
Offshore disclosure is fraught
with danger: it requires actual
consent from the owner of the
biometric data, and consideration
must be given to the applicable
privacy and data protection laws.

> Confirmation that the party complies
with all applicable privacy and
data protection laws. Associated
indemnities should be sought
for any loss or damage arising
from a breach, including for any
penalties imposed by any
Information Commissioner.

> The information security
standards to be applied, e.g.
ISO 27001, the ACSC’s Essential
Eight, or the Information Technology
Infrastructure Library (ITIL). Be aware
of what these standards require; not
all standards are created equal (ITIL,
for instance, is an IT service
management framework rather than a
set of security controls, and the
Essential Eight is a mitigation
baseline rather than a certifiable
standard). “Comply” does not equal
“certify”: a supplier that says it
complies with ISO 27001 is not
necessarily certified, so ask for the
certificate, who issued it and which
services fall within its scope. Know
what you are asking for.

> The controls and procedures
around access to the biometric
data, including the circumstances
in which the cloud provider may
need to use the biometric data.

> What happens in the event
of a breach, whether that be
an innocent disclosure or the
cloud provider being hacked.

Any time you are dealing with
data, be it personal information,
biometric or not, you should know
and understand the type and nature
of the data being collected, what
laws apply to such data, and ensure
that your contracts with any third
parties adequately represent and
address the risk and liability of such.

Managing the contracts that deal
with technology can be challenging
and requires knowledge of both the
law and technology. Should you
have any particular concerns about
your technology contracts, please
contact us to see how we can help
you navigate this complex world.

Melissa Wingard | Special Counsel
BA(Eng&Hist) LLB(Hons) GradDipLegPrac
GradDipAppFin&Inv MCyberSecOps
melissa.wingard@pof.com.au