Biometric Information and Privacy Considerations: Guidance for Federal Institutions
As noted in our previous article for the Canadian private sector,[1] biometric technologies and their uses have advanced exponentially in the past 20 years, enabling not only identity verification (one-to-one comparison) and recognition (one-to-many) but also health and behavioural analysis through app interactions, among others.
A core challenge persists despite these technological developments: efforts to update Canadian privacy legislation have been repeatedly sidelined (with few exceptions), leaving businesses and governments to grapple with laws and principles that were not drafted with biometric and other new technologies in mind. Thus, regulators are left to express their views on the interpretation of existing laws through guidance documents.
This article is geared toward federal institutions that are contemplating or already using biometric technologies, outlining the latest guidance from the Office of the Privacy Commissioner of Canada (“OPC”).[2] Although guidance documents are not binding, they remain important for institutions because they reflect the lens through which the OPC will investigate and assess an institution’s compliance.
Defining Biometric Information and Assessing Sensitivity
The OPC clarifies that biometric information arises when biometric samples (e.g., DNA, voice recordings, keystrokes) are processed using technology to reveal physical or behavioural traits, the same definition used in the OPC’s guidance for the private sector. Biometric information will generally be considered “personal information” under the Privacy Act,[3] which governs most federal government institutions.[4]
However, biometric information is not automatically “sensitive” simply because it is biometric, although biometric information that can uniquely identify an individual will be considered so.[5] Institutions must assess whether the subject biometric information is capable of uniquely identifying a person (alone or in conjunction with other information), whether it reveals other categories of sensitive information, and whether its misuse could pose a risk of significant harm to an individual.
Key Guidelines for Federal Institutions Using Biometric Technology
1. Lawful Authority for Collection, Use and Disclosure
Federal institutions must have lawful authority to collect, use and disclose biometric information. In practice, this means that any collection of personal information must be directly related to an institution’s operating program or activity. Where biometric samples can be collected directly from an individual, the institution must not collect them indirectly unless it obtains the individual’s consent or an exception applies under the Privacy Act.
Consent is also required for the use and disclosure of personal information, unless an exception applies under sections 7 and 8 of the Privacy Act. These provisions permit non-consensual use or disclosure only for consistent use, legal requirements, law enforcement, court orders, limited intergovernmental purposes, approved research or clearly justified public interest disclosures.
Where consent is relied upon, it must be meaningful: individuals should clearly understand the nature, purpose and potential consequences of providing their biometric information.[6] However, consent cannot replace the overarching requirement that the institution has lawful authority to collect the subject personal information.
2. Assessing Privacy Impacts
If an institution’s biometric initiative involves the collection, use or disclosure of personal information as part of a decision-making process that directly affects an individual, the institution must complete a privacy impact assessment (“PIA”). Conducting a PIA helps to ensure that legal requirements are met and that privacy impacts are either addressed or minimized, and it can serve as an early warning system for institutions.
PIAs generally involve understanding information-handling practices, planning, analyzing and assessing privacy risks, identifying mitigation measures and obtaining the required internal approvals.[7] The OPC also notes that biometric technologies can have uneven effects on certain individuals or groups, and this should be addressed in the PIA.
Institutions are responsible for ensuring they meet all requirements under the OPC’s Directive on Privacy Practices.[8] Once a PIA is approved internally, it must be made public and submitted to the OPC and the Treasury Board of Canada Secretariat (“TBS”).[9]
3. Necessity and Proportionality
Institutions must limit the collection of personal information to what is demonstrably necessary. The OPC recommends institutions assess biometric initiatives against the following four-part test:
- Necessity: The initiative must be necessary to meet a specific, legitimate and defensible objective. Institutions must be able to clearly explain how the use of biometrics is rationally connected to the government program or activity in question.[10]
- Effectiveness: There should be a high degree of confidence that the initiative will be effective and reliable overall. Institutions should consider the scientific and technical validity, as well as the accuracy, error rates and security risks of the chosen method or technology.
- Minimal intrusiveness: Biometrics should not be used solely out of convenience if there are more privacy-protective or less intrusive alternatives, and institutions must assess their options and what steps they can take to reduce privacy intrusion.
- Proportionality: The privacy impact must be proportional to the benefits gained. Biometric programs should be narrowly scoped, as opposed to broad and undefined.
4. Limiting Collection
Institutions must use the minimum number of biometric characteristics required. Where possible, institutions should use verification over identification and store biometric information with the individual rather than in centralized databases to limit the impact of widespread breaches.
5. Limiting Use, Disclosure and Retention
Biometric information must only be used for the purposes for which the information was obtained or compiled, or for a use consistent with that purpose. Institutions must not extract secondary information unless authorized by law.
The OPC recommends the following best practices:
- Limiting disclosure to third parties;
- De-linking across systems;
- Limiting retention of biometric information;
- Distinguishing retention of biometric information from that of other personal information;
- Destroying biometric samples when not needed; and
- Deleting biometric information upon request.
6. Safeguards
Institutions must implement physical, organizational and technical measures to safeguard against breaches.
Like other forms of personal information, biometric data is vulnerable to privacy breaches. The emergence of “phishing” and “vishing” attacks that rely on impersonation techniques such as deepfakes and voice synthesis heightens the risks associated with the misuse of biometric information.
The OPC has identified the following mandatory requirements for safeguarding personal information:
- Use physical, administrative and technical security measures: These should reflect the type of biometric technology and samples being used.
- Control system access: Limit access to biometric information to only those employees who require it in the context of their work.
- Monitor and document system access: Maintain detailed access logs and consider implementing an anomaly detection system.
- Report breaches: Report any breaches that rise to the level of a “material privacy breach” to the OPC and TBS.[11]
The OPC also recommends the following best practices:
- Develop or use biometric systems that are privacy-protective by design: This includes cancellable biometrics, homomorphic encryption[12] and end-to-end encryption; and
- Conduct regular penetration testing and vulnerability assessments: This should be done by internal teams as well as external testers.
7. Accuracy
Institutions are required to take all reasonable steps to ensure that any personal information they use for an administrative purpose is as accurate, up-to-date and complete as possible. Institutions must choose a technology with a suitable accuracy rate and ensure that their use of biometrics does not discriminate between groups of individuals in ways that are contrary to human rights law.
The OPC also recommends testing biometric technologies before going live to ensure accuracy, and monitoring performance regularly once deployed. Institutions should also develop a procedure for handling false matches.
8. Accountability
Institutions are responsible for the personal information under their control and for disclosures of personal information to third parties, whether public or private.
It is the institution’s responsibility to ensure that any third-party service providers that handle personal information on behalf of the institution are in compliance with all privacy laws. Disclosures made to third parties must be made in accordance with requirements set out by the Directive on Privacy Practices, including the requirement to establish a contract or information-sharing arrangement before disclosing personal information.[13]
For institutions that use biometrics to make automated decisions about an individual, the OPC recommends reviewing the Directive on Automated Decision-Making issued by TBS, as they may be required to complete an Algorithmic Impact Assessment.[14]
9. Openness
Institutions must provide affected individuals with a privacy notice outlining the purpose, use and/or any disclosures related to the collection of their personal information. The privacy notice must inform individuals of their ability to complain to the OPC.
All biometric information holdings under an institution’s control must be accounted for in their public reports regarding Personal Information Banks (“PIB”)[15] and classes of personal information. Institutions must notify the OPC if they use biometric information for consistent uses that are not reflected in a PIB.
The Privacy & Data Security Group at Aird & Berlis LLP frequently advises public and private institutions on every aspect of complex privacy and data security matters, including transactions, commercial relationships, litigation, regulatory concerns and emerging technologies. If you have questions or require assistance on the use of biometric information or technologies in your organization, please contact the authors or a member of the group.
[1] Biometric Information and Privacy Considerations: Guidance for Canadian Businesses.
[2] Guidance for Processing Biometrics – for Federal Institutions. While beyond the scope of this article, note that separate guidance for police agencies on the use of facial recognition technologies was also published by the OPC and provincial privacy authorities: Privacy Guidance on Facial Recognition for Police Agencies.
[4] See the Schedule to the Privacy Act for the full list of government institutions.
[5] See OPC’s Interpretation Bulletin: Sensitive Information.
[6] See the Treasury Board Secretariat’s Directive on Privacy Practices s. 4.2.23 for full requirements for consent processes.
[8] See Appendix C of the OPC’s Directive on Privacy Practices.
[9] Institutions may request a link to access the submission form at: Submit a Privacy Impact Assessment to the OPC and the Treasury Board of Canada Secretariat.
[10] For example, in paragraph 4 of the final report on Statistics Canada’s Financial Transactions Project and Credit Agency Data Project, the OPC found that Statistics Canada did not describe the public goals with a level of specificity and precision that is commensurate with the privacy impacts.
[11] A material breach is one that could reasonably be expected to create a real risk of significant harm to an individual. Federal institutions may report a privacy breach at: Report a Privacy Breach at Your Federal Institution.
[12] See the OPC’s Privacy Tech-Know Blog: Computing While Blindfolded – Lifting the Veil on Homomorphic Encryption.
[13] See section 4.2.33 of the Directive on Privacy Practices.
[14] See TBS’s Directive on Automated Decision-Making.
[15] See Info Source: Personal Information Banks.
