OPC publishes new guidance for processing biometrics
August 19, 2025
Privacy Act Bulletins are intended to offer lessons learned, best practices and other important privacy news, trends and information related to privacy protection in the federal public sector. We encourage you to share this information with colleagues.
The Privacy Commissioner of Canada has issued new guidance on protecting privacy in biometric initiatives. It addresses key considerations for federal institutions when planning and implementing initiatives involving biometric technology. These include:
Before launch
- Establish that your institution has legal authority for the proposed collection, use and disclosure of biometric information.
- Complete a privacy impact assessment to ensure that legal requirements are met and that privacy impacts are either addressed or minimized.
- Assess initiatives involving biometric information against these criteria:
  - Necessity – Is the initiative necessary to meet a specific, legitimate, and defensible objective?
  - Effectiveness – Is there a high degree of confidence that the initiative will be effective and reliable, overall?
  - Minimal intrusiveness – Is there a more privacy-protective or less intrusive alternative?
  - Proportionality – Is the impact on privacy proportional to the benefits gained?
Ensure that your initiative
- Collects only the biometric information that is demonstrably necessary for the program or activity.
- Uses the information only for the purpose for which it was collected, or for a use consistent with that purpose.
- Keeps the information only for as long as necessary to fulfill the stated purpose.
- Discloses the information only if the individual gives consent, or if an exception applies under the Privacy Act.
- Uses appropriate measures to safeguard against breaches, including by controlling system access; using biometric systems that are privacy protective by design; conducting testing and vulnerability assessments; and reporting material privacy breaches to the OPC and TBS.
Other considerations
- Ensure that any biometric information used for an administrative purpose is as accurate, up-to-date, and complete as possible.
- Ensure that third-party service providers are collecting and using information in accordance with privacy laws.
- Be open and transparent with individuals about how you manage biometric information.
- Be prepared to provide individuals who may be subject to an automated decision using biometrics with information about key details of the biometric system and its use.
More information
Guidance for processing biometrics – for federal institutions
Sign up for future Privacy Act Bulletins by subscribing to our RSS feed.