Biometrics quick tips – for businesses
Biometric technology involves the measurement and analysis of human characteristics such as fingerprints, facial images, or DNA. It is commonly used for identification, verification, and increasingly, classification purposes. Biometric information is often sensitive information as it tends to be stable over time, difficult to change, and innately linked to one’s identity.
Here are some factors to keep in mind when handling biometric information.
Appropriate purpose
You must have an appropriate purpose for your use of biometric information. To assess whether your purpose is appropriate, ask if it meets criteria such as:
- Legitimate need – Is there a clear business need for biometric information?
- Effectiveness – Will the proposed biometric program or initiative be effective in meeting the purpose you have identified?
- Minimal intrusiveness – Are there less privacy-invasive means to achieve the same purpose, at a comparable cost and with comparable benefits?
- Proportionality – Is the impact on privacy proportional to the benefits gained?
Consent
You must use an appropriate form of consent when collecting, using, and disclosing biometric information. If the information is sensitive, express consent is generally required.
For consent to be valid, the individual has to understand the nature, purpose, and consequences of your collection, use, or disclosure of their biometric information.
When obtaining consent, you should provide specific information about your biometric initiative, and this information should be communicated in a user-friendly manner at a time that is relevant to the individual’s decision. Other considerations include:
- Whether consent can be required as a condition of service;
- Whether alternatives to biometric data collection are provided;
- Whether any collection from third parties is lawful;
- Whether the information is truly “publicly available” under PIPEDA; and
- Whether consent is renewed when extending the scope of your program.
Limiting collection, use, and disclosure
Do not collect more information than you need to achieve your purpose. Unless specific exceptions apply under the law, only use biometric information for the purpose for which it was collected; do not keep it for longer than needed; do not share it widely; and do not extract secondary information without consent.
Safeguards
Use biometric systems that are designed to be privacy-protective, and implement safeguarding measures that are appropriate to the sensitivity of the information.