Publications

Biometric Information and Privacy Considerations: Guidance for Canadian Businesses


Biometric identification and related privacy concerns were first discussed by Aird & Berlis in the World Data Protection Report[1] in 2009. Since then, biometric technologies and their uses have advanced rapidly, enabling not only identity verification (one-to-one comparison) and identification or recognition (one-to-many matching) but also, among other uses, health and behavioural analysis derived from how people interact with apps.

Despite the passage of time and these escalating developments, a core challenge persists: efforts to update Canadian privacy legislation have been repeatedly sidelined (with few exceptions), leaving businesses and governments to grapple with laws and principles that were not drafted with biometric and other new technologies in mind. Thus, regulators are left to express their views on the interpretation of existing laws through non-binding guidance documents.

This article outlines the latest recommendations from the Office of the Privacy Commissioner of Canada (“OPC”) for private sector use of biometric technologies.[2] Although guidance documents are not binding, they remain important for businesses as they reflect the lens through which the OPC will investigate and assess an organization’s compliance.

Defining Biometric Information and Assessing Sensitivity

The OPC clarifies that biometric information arises when biometric samples (e.g., DNA, voice recordings, keystrokes) are processed using technology to reveal physical or behavioural traits. Biometric information will generally be considered “personal information” under the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

However, biometric information is not automatically “sensitive” merely because it is biometric, although biometric information that can uniquely identify an individual will be considered sensitive.[3] Businesses must assess whether the biometric information in question can uniquely identify a person (alone or in combination with other information), whether it reveals other categories of sensitive information, and whether its misuse could pose a real risk of significant harm to an individual.

Key Guidelines for Businesses Using Biometric Technology

1. Identifying an Appropriate Purpose

Before implementing biometric technology, organizations must define a clear and appropriate purpose.

An inappropriate purpose cannot be justified by a user’s consent (discussed below), particularly if it poses a real risk of significant harm. The OPC has specified certain purposes as “no-go zones,”[4] which include profiling leading to discrimination, requiring access to employees’ social media accounts for screening, and audio or video surveillance through personal devices.

Organizations should consider the following criteria when determining appropriateness of collecting or using biometric information:

  • Legitimate Need: The purpose must be clearly defined and based on a current, not speculative, business need;[5]
  • Effectiveness: The proposed biometric program should be reliable and effective, and have a clear method of measuring effectiveness;[6]
  • Minimal Intrusiveness: If less-intrusive information can achieve a similar result without a material increase in costs, organizations must use the less-intrusive information. Convenience alone should not be the determining factor; and
  • Proportionality: Organizations should assess whether the benefits are proportional to the loss of privacy. The biometric program should be narrow in scope, as biometric programs that are designed to rely on the analysis of large volumes of biometric information are more likely to have a disproportionate impact on privacy.

2. Consent

Organizations must obtain valid, informed consent in an appropriate form when collecting biometric information, as they would for other forms of personal information.[7] In nearly all cases, explicit consent will be required for biometric information, given the sensitivity of the information being collected.

In general, persons must be informed of the type of biometric information collected, the purpose for the collection, use or disclosure, whom the information is disclosed to and any risks of significant harm.

The OPC advises organizations to:

  • Be specific when informing customers about how their biometric information will be used, and avoid using general phrases such as “identification purposes” or “safety and security;”[8]
  • Not assume that “publicly available” information is exempt from consent requirements;[9]
  • Renew consent when expanding uses of biometric information, unless an exception to consent applies;
  • Offer alternatives when biometric data is collected for non-essential purposes, and communicate these options clearly; and
  • Structure consent processes that are user-friendly and tailored to the audience to ensure understanding.

3. Limiting Collection

Collection of personal information, including biometric information, must be limited to what is necessary to achieve the stated purpose. In practice this means preferring one-to-one verification over one-to-many identification and, where possible, storing biometric templates with the individual (for example, on a device the individual controls) rather than in a centralized database, so that a single breach cannot expose the biometric data of every enrolled person.

4. Limiting Use, Disclosure and Retention

Biometric information must be retained only for as long as needed to fulfil its purpose, after which it must be permanently deleted. Secondary information that biometric samples can reveal, such as health conditions, ethnicity or biological relationships, must be collected only with consent and only where there is an appropriate purpose for doing so.

Some best practices include:

  • Limiting disclosure to third parties;
  • Avoiding cross-system data linking;
  • Distinguishing biometric data retention from other personal information; and
  • Deleting biometric information upon request.

5. Safeguards

Physical, organizational and technical measures must be used to safeguard against breaches.[10] Any breach of security safeguards involving biometric personal information must be reported to the OPC and to affected individuals if it is reasonable to believe that the breach creates a real risk of significant harm to an individual.

Additionally, the OPC recommends the following design features and practices when developing or choosing a biometric system:

  • Cancellable Biometrics: templates derived from the biometric sample through an irreversible, repeatable transformation, so that the original sample cannot be reconstructed from the stored template and a compromised template can be revoked and re-issued (unlike a fingerprint or face, which cannot be changed);
  • Privacy-Enhancing Technologies: e.g., homomorphic encryption can be used to perform biometric matching on encrypted templates, so the matching service never needs to decrypt, and never sees, the plaintext template;
  • End-to-End Encryption: to protect biometric data in transit and storage;
  • Regular Testing and Vulnerability Assessments: to identify vulnerabilities and ensure safeguards continue to be effective over time; and
  • Access Controls: restrict system access to only those employees who require the biometric information for their duties.

Note that safeguards alone cannot render a collection, use or disclosure of biometrics appropriate (see discussion on appropriate purposes above).
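As an added illustration of the cancellable-biometrics design feature described above (this is example code written for this article, not code from the OPC guidance or from any vendor), the following Python builds a revocable template with a BioHashing-style keyed random projection. A per-enrolment secret key seeds the projection vectors, the feature vector is projected and only the sign of each projection is kept, and matching is done by Hamming distance. Revoking the key and re-enrolling yields a new template that is unlinkable to the old one. The feature vectors, noise level, key values and the 64-bit/10-bit sizing are all constructed assumptions; real feature extractors, dimensions and thresholds differ, and the protection depends on keeping the key secret and stored separately from the template (for example, with the individual, as the collection-limitation guidance suggests).

```python
"""Cancellable (revocable) biometric templates via keyed random projection.

Added example for this article; not part of the OPC guidance. The scheme is
BioHashing-style: a secret per-enrolment key derives pseudo-random +/-1
projection vectors, the feature vector is projected onto them and each
projection is reduced to its sign bit. Matching compares bit strings by
Hamming distance. Rotating the key revokes every template derived from it.
"""
import hashlib
import hmac
import random
import secrets
from typing import List

FEATURE_DIM = 32       # length of the biometric feature vector (assumed; real extractors vary)
TEMPLATE_BITS = 64     # length of the cancellable template in bits (assumed)
MATCH_THRESHOLD = 10   # accept if at most this many bits differ (assumed tuning value)


def new_key() -> bytes:
    """Per-enrolment secret. Keep it apart from the template; rotating it revokes the template."""
    return secrets.token_bytes(32)


def _projection_rows(key: bytes) -> List[List[float]]:
    """Derive TEMPLATE_BITS pseudo-random +/-1 projection vectors from the key.

    HMAC-SHA256 over the row index yields 256 key-dependent bits per row,
    so this simple derivation supports FEATURE_DIM up to 256.
    """
    assert FEATURE_DIM <= 256
    rows = []
    for i in range(TEMPLATE_BITS):
        digest = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        rows.append([1.0 if (digest[j // 8] >> (j % 8)) & 1 else -1.0
                     for j in range(FEATURE_DIM)])
    return rows


def make_template(features: List[float], key: bytes) -> int:
    """Project onto the keyed random vectors and keep only the sign of each projection.

    Sign quantisation discards the magnitudes, so a party holding the template
    but not the key cannot recover the real-valued feature vector from it.
    """
    bits = 0
    for i, row in enumerate(_projection_rows(key)):
        if sum(r * f for r, f in zip(row, features)) >= 0:
            bits |= 1 << i
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two templates."""
    return bin(a ^ b).count("1")


def verify(stored_template: int, probe_features: List[float], key: bytes) -> bool:
    """One-to-one verification: re-derive the template from the probe and compare."""
    return hamming(stored_template, make_template(probe_features, key)) <= MATCH_THRESHOLD


def demo() -> dict:
    """Constructed feature vectors standing in for real biometrics (no real data used)."""
    rng = random.Random(2024)
    alice = [rng.uniform(-1, 1) for _ in range(FEATURE_DIM)]
    # A fresh capture of the same person: the same features plus small sensor noise.
    alice_again = [f + rng.gauss(0, 0.05) for f in alice]
    mallory = [rng.uniform(-1, 1) for _ in range(FEATURE_DIM)]

    # Fixed keys so the run is reproducible; production code would use new_key().
    key_v1 = hashlib.sha256(b"constructed enrolment key v1").digest()
    key_v2 = hashlib.sha256(b"constructed enrolment key v2").digest()  # issued after revocation

    tmpl_v1 = make_template(alice, key_v1)
    tmpl_v2 = make_template(alice, key_v2)
    return {
        "genuine_match": verify(tmpl_v1, alice_again, key_v1),
        "impostor_match": verify(tmpl_v1, mallory, key_v1),
        # After revocation the old template is useless against the new key...
        "old_template_after_revocation": verify(tmpl_v1, alice_again, key_v2),
        # ...and the same person's two templates are unlinkable (about half the bits differ).
        "cross_key_distance": hamming(tmpl_v1, tmpl_v2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is the separation of secret and template: an attacker who obtains only the stored bit strings learns neither the original features nor whether two templates belong to the same person, and the organization can respond to a template breach by rotating keys and re-enrolling, which is not possible when raw samples or unprotected templates are stored.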

6. Accuracy

Biometric information must be accurate, complete and current for its stated purpose(s). Businesses must choose technologies with suitable accuracy rates and minimize performance discrepancies across socio-demographic groups.

7. Accountability

Organizations are responsible for the personal information under their control. They must also designate an individual responsible for the organization’s PIPEDA compliance who will act as a primary contact to whom the public can ask questions and raise concerns.

All employees responsible for managing biometric information must be provided with the proper training, guidance and supervision to perform their duties.

8. Openness

Policies governing biometric data must be accessible and easy to understand. They should describe the types of biometric data held, its uses and disclosures, and include contact details for the responsible individual.

The Privacy & Data Security Group at Aird & Berlis LLP frequently advises on every aspect of complex privacy and data security matters, including transactions, commercial relationships, litigation, regulatory concerns and emerging technologies. If you have questions or require assistance on the use of biometric data in your business, please contact the authors or a member of the group.


[1] Biometric Identification and Privacy Concerns: A Canadian Perspective, World Data Protection Report (October 2009).

[5] For example, the OPC has previously found that improving customer authentication and enhancing security to prevent fraud are legitimate business needs; see PIPEDA Findings #2022-003 (Rogers).

[6] In PIPEDA Findings #2022-003 (Rogers), Rogers was able to provide the OPC with an accuracy rating for its Voice ID solution.

[8] For example, in PIPEDA Findings # 2022-003 (Rogers), a reasonable person would not have known that “identification purposes” would mean that their voiceprint would be collected and used. In PIPEDA Findings #2020-004 (Cadillac Fairview), decals at mall entrances alerting visitors that video recordings were taken for “safety and security” purposes did not adequately address the use of the cameras in its directory kiosks to collect images of faces to estimate age and gender.

[9] In PIPEDA Report of Findings #2018-002 (Profile Technology Ltd.), millions of Facebook user profiles had their information copied without the users’ consent, despite the information being publicly available; see also SOR/2001-7, Regulations Specifying Publicly Available Information.

[10] In PIPEDA Findings #2022-003 (Rogers), the OPC found that the biometric information held by Rogers was well-guarded and that the company limited access to the data. Among other measures, Rogers’ voiceprints were protected in an encrypted, proprietary format that eliminated cross-functionality with other systems and was not controlled by the third-party provider.