Biometrics quick tips – for federal institutions
Biometric technology involves the measurement and analysis of human characteristics such as fingerprints, facial images, or DNA. It is commonly used for identification, verification, and increasingly, classification purposes. Biometric information is often sensitive information as it tends to be stable over time, difficult to change, and innately linked to one’s identity.
Here are some factors to keep in mind when handling biometric information.
Before launch:
- Establish that your institution has legal authority for your proposed collection, use and disclosure of biometric information.
- Complete a privacy impact assessment to ensure that legal requirements are met and that privacy impacts are either addressed or minimized.
- Assess initiatives involving biometric information against these criteria:
  - Necessity – Is the initiative necessary to meet a specific, legitimate, and defensible objective?
  - Effectiveness – Is there a high degree of confidence that the initiative will be effective and reliable, overall?
  - Minimal intrusiveness – Is there a more privacy-protective or less intrusive alternative?
  - Proportionality – Is the impact on privacy proportional to the benefits gained?
Ensure that your initiative:
- Collects only what biometric information is demonstrably necessary for the program or activity.
- Uses the information only for the purpose for which it was collected, or for a use consistent with that purpose.
- Keeps the information only for as long as necessary to fulfill the stated purpose.
- Discloses the information only if the individual gives consent, or if an exception applies under the Privacy Act.
- Uses appropriate measures to safeguard against breaches, including by controlling system access; using biometric systems that are privacy protective by design; conducting testing and vulnerability assessments; and reporting material privacy breaches to the OPC and TBS.
Other considerations:
- Ensure that any biometric information used for an administrative purpose is as accurate, up-to-date, and complete as possible;
- Ensure that third-party service providers are collecting and using information in accordance with privacy laws;
- Be open and transparent with individuals about how you manage biometric information;
- Be prepared to provide individuals who may be subject to an automated decision using biometrics with information about key details of the biometric system and its use.
More information
Guidance for processing biometrics – for federal institutions