Guidance for processing biometrics – for federal institutions


Published: 2025

Target Audience: Federal Government Institutions

Authority: Privacy Act

Issued: Office of the Privacy Commissioner of Canada

Status:

Public consultation Analyzing feedback Adopted guidance

Overview

Governments around the world and in Canada are turning to biometric technologies to enhance security and deliver services. With the promise of biometrics, however, come serious concerns about privacy. Biometric information is intimately linked to an individual’s body, and is often unique, unlikely to vary significantly over time, and difficult to change in its underlying features.

Biometric information can be an enabler of surveillance, and if breached, could expose individuals to fraud and identity theft. It can also reveal sensitive information about an individual’s life, including personal traits, health information, and information about characteristics such as race, disability, gender, and biological family relationships. Challenges with the accuracy of some biometric technologies have been documented, which is of further concern when they are used to make automated decisions about individuals.

This document provides guidance to federal institutions on their privacy obligations when handling biometric information. Note that while it addresses some of the main considerations, institutions remain responsible for understanding and respecting all of their obligations under applicable laws, regulations, and policy instruments.

The privacy protection authorities for each province and territory of Canada, and the Office of the Privacy Commissioner of Canada, have jointly issued separate guidance on the use of facial recognition by police agencies to help clarify police agencies’ privacy obligations under the law. Federal institutions interested in the use of biometrics may also find elements of this guidance helpful.

Biometric technology

“Biometrics” refers to the quantification of human characteristics into measurable terms. Biometric technologies are used for a variety of purposes, including recognition and classification, which are explained below.

There are two main types of biometric technologies:

  • Physiological biometrics involve morphological (body shape or structure) or biological characteristics of an individual that are relatively stable over time. Examples include fingerprints, iris patterns, facial geometry, and DNA.
  • Behavioural biometrics involve distinctive characteristics of individuals’ movements, gestures, or motor skills. Examples include keystroke patterns, gait, voice, and eye movement.

These biometric characteristics can be captured and analyzed using a biometric system. Biometric systems work by extracting features from biometric samples, which are data that contain representations of biometric characteristics in an unprocessed form. Examples of biometric samples include a photograph of an individual’s face, a recording of their voice, or a sample of their DNA. Samples can be inputted into the biometric system manually (for example, by uploading an image to the system) or automatically (for example, by using software to record a user’s keystroke patterns on a computer).

Once a sample has been inputted into the system, biometric characteristics are extracted by converting data from the sample into a format that can be analyzed for a specific purpose. This often involves the creation of a biometric template, which is a format for representing sets of extracted biometric characteristics for further analysis. The process of extracting and analyzing or comparing templates is typically performed using specialized software designed for that purpose.

Biometric recognition

A common use for biometric technology is recognition. When used for this purpose, the biometric system is configured to compare a template from one biometric sample (often called a “probe” template) with one or more templates extracted from other biometric samples. The system then estimates the probability that two or more templates “match” — that is, correspond with the same individual.

  • In verification uses, the probe template is compared with only one other template, to determine whether both pertain to the same individual. For this reason, verification is sometimes referred to as a “one-to-one” comparison.
  • In identification uses, the probe template is compared with multiple other templates, to determine whether it corresponds with any of them. For this reason, identification is sometimes referred to as a “one-to-many” comparison.

Recognition systems typically involve enrolling individuals’ templates into a reference database for comparison with other templates. In verification uses, the reference database consists of only one reference template. In identification uses, it consists of multiple templates. In identification uses, the reference database often contains additional identifying information about the individual, such as their name.

Examples of biometric recognition include the use of a fingerprint to gain access to a building, the use of a facial image to unlock a phone, and the use of DNA to identify an individual. In all these cases, probe templates are compared with one or more reference templates to estimate the probability of a match. If the probability is sufficiently high, then the match may be considered confirmed for the purposes of that system.

Biometric classification

An emerging area of biometric technology involves the estimation of certain personal attributes of individuals, such as their age or gender, based on their biometric characteristics. This is commonly referred to as “biometric classification.” When used this way, the biometric system extracts biometric characteristics from a sample and analyzes them to predict the value of a target attribute.

Examples of biometric classification include predicting an individual’s gender, age, or degree of fatigue from an image of their face, whether a set of keystroke patterns originated from a human or a bot, and the potential medical conditions associated with a DNA sequence.

While these uses of biometrics are not necessarily intended to identify individuals, the biometric characteristics involved may still consist of uniquely identifying information.

Biometric information

For the purposes of this guidance, biometric information is information about biometric characteristics that has been extracted from a biometric sample. In general, biometric information is personal information. (Footnote 1)

Biometric samples contain personal information that has the potential to be converted into biometric information. This information is not specifically ‘biometric’ information until it has been processed using a biometric system. Photographs, video recordings, and behavioural observations are, on their own, not necessarily biometric information. Information about human characteristics that is extracted from such sources and quantified into measurable terms is biometric information.

Sensitivity

Biometric information that can uniquely identify an individual is sensitive information, regardless of the context in which it is collected, used, or disclosed. This is because the information is stable over time, difficult to change, and innately linked with an individual’s identity.

Biometric information that is not capable of uniquely identifying an individual may or may not be sensitive, depending on the circumstances. For example, some biometric information might describe general characteristics that are shared by many people. This could include characteristics like eye colour, age markers, or very general behavioural patterns.

If this information is not capable of uniquely identifying an individual, then it is not automatically considered sensitive just because it is biometric. However, the information might still be sensitive for other reasons. For example, a fitness tracking device might collect some biometric information that is not uniquely identifying, but this information might still be sensitive if it can reveal information about an individual’s health or medical condition.

In general, institutions should treat biometric information as sensitive if:

  • It is, or could readily be, combined with other information that would allow it to uniquely identify an individual;
  • Its misuse could pose a high risk of harm to individuals; or
  • It could reveal other categories of information that are considered sensitive (this could include, for example, medical information).

Biometric information may be sensitive in other circumstances as well. Although intended for private sector businesses subject to PIPEDA, the OPC’s interpretation bulletin on sensitive information may be helpful to federal institutions in understanding key elements of sensitivity.

Keep in mind that biometric information can be sensitive even if it is only used or retained for a brief period of time. For example, a facial detection system that assigns a unique numerical representation to a particular face when analyzing an image, can involve the collection of sensitive biometric information (the numerical representation of facial features), even if the system deletes the information within milliseconds.

Guidance


Lawful authority for collection, use, and disclosure

Among the first steps you must take when planning a biometric initiative is ensuring that your institution has lawful authority for the collection, use, and disclosure of biometric information.

Collection: Under the Privacy Act, government institutions can only collect personal information that relates directly to an operating program or activity of the institution. Obtaining an individual’s consent to collect personal information does not replace or establish authority for the collection of that information. Under subsection 5(2), institutions must also inform individuals of the purposes for which their personal information is being collected, with some exceptions.

Government institutions must collect personal information directly from individuals wherever possible, subject to certain exceptions. (Footnote 2) If a biometric sample can be collected directly from an individual, an institution must not collect it indirectly from an alternative source, such as the internet or social media, unless it has obtained the individual’s authorization to do so or an exception applies.

Under subsection 5(3), the requirements for direct collection and informing individuals of the collection’s purpose do not apply where doing so would result in collecting inaccurate information or would defeat the purpose or prejudice the use for which the information was collected.

Use and disclosure: Under the Privacy Act, institutions must not use or disclose individuals’ personal information without their consent, unless one of the exceptions under sections 7 or 8 applies. Exceptions to the consent requirement include, for example, where an institution uses or discloses biometric information for the purpose for which it was originally collected, or for a use consistent with that purpose.

If you are relying on consent for use or disclosure, you must:

Explain key elements: Ensure that individuals have proper knowledge of how you will manage their personal information. The Treasury Board of Canada Secretariat’s (TBS) Directive on Privacy Practices (section 4.2.23) requires that consent processes explain key elements with potential impact on an individual’s privacy, including:

  • the purpose of the use or disclosure;
  • the type of biometric information involved;
  • uses or disclosures not consistent with the original purpose if extending scope;
  • any consequences of withholding consent; and
  • any alternative options to consenting to the use or disclosure of biometric information.

Ensure that consent is meaningful: The OPC has developed guidance on obtaining meaningful consent. While it was developed for private-sector organizations, it can nonetheless be useful to federal institutions in ensuring that valid consent is obtained.

To help ensure that consent is meaningful, institutions should consider integrating their mechanism for obtaining consent into existing processes, such as enrolment for services or account set-up.

The process for obtaining consent should provide specific information about the biometric initiative, and this information should be communicated in a user-friendly manner at a time that is relevant to an individual’s decision. While biometric initiatives should also be described in an institution’s privacy policy, such a description, on its own, is generally insufficient to generate meaningful consent.

Institutions must use a form of consent that is appropriate in the circumstances. For initiatives involving biometrics, express consent is always preferred, which means that biometric information is not used or disclosed without an individual’s explicit knowledge and agreement.

Document the process: Institutions are required under section 4.2.24 of the Directive on Privacy Practices to ensure that consent is obtained in writing or is otherwise properly documented, including information such as the date and time of consent.

Institutions should provide alternative options: Wherever possible, individuals should be provided with alternatives to participating in a biometric program. Providing alternatives accommodates those who are reluctant to participate in a biometric system, as well as those who may not be able to participate in such systems, for example because of a disability.

CBSA’s use of commercial genetic genealogy in a deportation case

In an investigation into the Canada Border Services Agency’s (CBSA) use of genetic genealogy technology to attempt to determine the nationality of an individual subject to a removal order, the OPC found that the CBSA contravened section 5 of the Privacy Act by failing to obtain valid authorization from the individual for the indirect collection of his biometric information. The OPC determined that, since the CBSA did not provide the individual with key information about the terms of a third party genetic genealogy service provider, the individual was not fully aware of his rights as a DNA donor when authorizing the CBSA to collect his genetic information from that provider. The OPC therefore found that the CBSA had obtained invalid authorization from the individual.


Assessing privacy impacts

Institutions can help ensure that their collection of personal information is compliant with the Privacy Act by completing a privacy impact assessment (PIA) before launching an initiative. PIAs are a tool for helping to ensure that legal requirements are met and that privacy impacts are either addressed or minimized.

If an institution’s biometric initiative involves the collection, use, or disclosure of personal information as part of a decision-making process that directly affects an individual, then the institution must complete a PIA under the TBS Standard on Privacy Impact Assessment. The OPC has issued guidance for federal institutions on conducting a PIA to help institutions meet this requirement.

Keep in mind that biometric programs may have uneven effects on certain individuals or groups. Privacy risks for particular groups should be noted in the PIA, along with strategies for mitigating those risks.


Necessity and proportionality

Where the collection of personal information by federal institutions could impact individuals’ privacy rights, institutions should ensure that potential impacts are necessary and proportionate to the benefits gained. Limiting the collection of personal information to what is demonstrably necessary is a requirement under the TBS Directive on Privacy Practices (4.2.9).

The OPC encourages institutions to assess initiatives involving biometric information using the four-part test outlined below. The OPC has considered these criteria in reports of findings during investigations into federal institutions. (Footnote 3)

(1) Necessity

Institutions should demonstrate that their biometric program or initiative is necessary to meet a specific, legitimate, and defensible objective. They should be able to clearly explain how the use of biometrics is rationally connected to the government program or activity in question and record this rationale as part of the PIA process.

In its PIPEDA interpretation bulletin, the OPC has determined that some purposes for collecting, using, and disclosing personal information by private sector organizations are inappropriate regardless of business objectives. These purposes are likely to be inappropriate in public sector contexts as well. They include biometric programs that are known or likely to cause significant harm, and programs involving profiling or categorization that leads to unfair, unethical, or discriminatory treatment.

Institutions must always have a clearly established use for any biometric information they collect. Personal information must not be collected for a speculative or prospective purpose to be determined later.

(2) Effectiveness

Institutions should ensure that the proposed biometric program or initiative will be effective in meeting the identified need. There should be a high degree of confidence that the biometric program will be effective and reliable, as a whole. As well, there should be a clear plan for how to measure the effectiveness of the program.

The program must be designed to effectively fulfill the purpose for which it is deployed. Institutions should consider the scientific and technical validity of the method or process, the accuracy of the technology and error rates, and the risk that the biometric technology could be compromised or circumvented.

(3) Minimal intrusiveness

Institutions should assess whether there are less intrusive means of achieving the objective that do not involve the collection, use, or disclosure of biometric information. Is there evidence that other, less privacy intrusive means cannot achieve the same objective at comparable cost and with comparable benefits? In general, biometrics should not be used solely out of convenience for the institution deploying them if there are more privacy protective alternatives available.

Consider what steps can be taken to reduce privacy intrusion as much as possible. This includes consideration of whether biometrics of a less sensitive nature could be employed or whether there are ways to limit the role of biometrics in the proposed program.

(4) Proportionality

Institutions should assess whether the biometric program or initiative’s impact on privacy is proportional to the benefits gained. Is the gain in the effectiveness, cost, or operational benefits proportional to the increased level of intrusion over a non-biometric alternative?

Initiatives that involve the collection, use, and disclosure of biometric information, can have significant impacts on privacy. For these impacts to be proportional, the benefits of an institution’s biometric program must be commensurately high.

Institutions should ensure that biometric programs are also proportional in their design — meaning that the program is narrowly scoped, as opposed to broad, general, and undefined. Biometric programs that are designed to rely on the analysis of large volumes of biometric information are more likely to have a disproportionate impact on privacy than those that rely on targeted and specific collections and uses.


Limiting Collection

Under the TBS Directive on Privacy Practices (section 4.2.9), institutions must limit the collection of personal information to what is demonstrably necessary for the program or activity.

You Must:

Use the minimum number of biometric characteristics needed: This includes both the amount of a single characteristic, and the combination of characteristics. For example, if the purpose can be achieved by using points from a single fingerprint — keeping in mind accuracy considerations, addressed below — then fingerprints should not be collected from the entire hand, or be used in conjunction with other biological or behavioural biometrics.

You Should:

Use verification over identification, where possible: Verification is based on a one-to-one comparison with an individual’s own reference template, which typically needs less biometric information to achieve accurate results than identification does, and therefore limits what an institution needs to collect. Before using an identification system, institutions should consider whether their objective can be met by using a verification system instead.

Seek to keep the template in the individual’s control: There are different biometric template formats that vary in how much control they provide to the individual. Institutions should strive to keep biometric templates in the individual’s control so long as that is the most secure option that allows them to achieve their identified purpose. For example, a template could be stored on a device or a portable token in an individual’s possession, such as a mobile phone. Creating large, centralized databases of biometric information should be avoided if alternatives are viable. In the event of a breach, centralized databases are vulnerable to a wider scope and magnitude of potential privacy impacts.

Limit its technical capability: As a design choice, institutions should consider biometric systems that do not contain additional features that enable broader collection of personal information than that required to fulfill their specific purposes.


Limiting Use, Disclosure, and Retention

Under the Privacy Act (section 7), biometric information must only be used for the purposes for which the information was obtained or compiled, or for a use consistent with that purpose, subject to certain exceptions. This applies both to biometric information in a database and to biometric samples collected from an individual.

Under section 8 of the Privacy Act, an individual’s biometric information must not be disclosed by an institution without their consent, except in the circumstances outlined in subsection 8(2).

You Must:

Not extract secondary information unless authorized by law: Some biometric information can reveal secondary information, such as that related to health, ethnicity, or biological relationships. Institutions must not analyze biometric information to extract such additional information unless the purpose for doing so is consistent with the purposes for which the information was collected, or is otherwise authorized under subsection 8(2) of the Privacy Act.

Limit disclosure: Biometric information can only be disclosed if an individual gives consent, or if an exception applies under subsection 8(2) of the Privacy Act. This requirement also applies to any biometric information that is disclosed incidentally in the course of an institution’s information-sharing activities.

Privacy Act Report of Findings:

In the OPC’s investigation into the CBSA’s use of genetic genealogy technology, we found that the CBSA contravened section 8 of the Privacy Act when it disclosed genetic information about an individual to other users of a third party genetic genealogy service provider. After the CBSA disclosed the individual’s genetic information to the third party provider, information about the individual’s potential ethnicity was made available to other users of the commercial platform. Since the incidental disclosure of this information to other users was made without a clear purpose, an exception to the requirement to obtain the individual’s consent did not apply under paragraph 8(2)(a).

You Should:

Keep a tight circle: Institutions should use a biometric system that does not disclose information to third parties unless there is a specific operational reason for doing so that is authorized by law. In systems where the sharing of biometric information with others is required, the parties with whom it is shared and the information that is shared should be limited to what is necessary to fulfill the purpose. Institutions must ensure that lawful authority exists for every disclosure, regardless of the context in which it is disclosed. Refer to the accountability section in this guidance to learn more about an institution’s responsibilities in ensuring that third parties do not misuse information that is shared with them.

De-link across systems: Institutions should ensure that the biometric system provider does not link data across different implementations of the system, unless doing so is necessary for the purpose. Institutions should also ensure that databases of biometric information used for one purpose are not linked with personal information that is not needed for that purpose unless there is a clear legal justification for doing so.

Limit retention: Biometric information should only be kept for a period that is necessary to fulfill the stated purpose and any legal obligations, after which it should be permanently destroyed from all locations, including devices, cloud storage, and back-ups. This applies as well to biometric information that is collected, used, or retained by a third party operating on your behalf.

In general, institutions are required to retain personal information for at least two years after it has been used for an administrative purpose in order to allow the concerned individual a reasonable opportunity to access the information, unless the individual consents to its disposal earlier. Additional considerations may include access to information retention schedules, and information management requirements for information of business value.

Distinguish retention of biometric information from that of other personal information: Biometric information serves a specific purpose and its retention should be distinguished from that of other personal information. Where biometric information is linked with associated personal information (for example, a name, date of birth, or biometric sample), separate retention schedules should be used if the other personal information is needed for a different period of time than the biometric information.

Destroy biometric samples when not needed: Source data for biometric processing (for example, photographs or videos) that is collected for the purpose of creating a biometric template should be destroyed if it is no longer needed for operational or legal compliance purposes after the template has been created. In some cases, it may be necessary to retain biometric samples after a template is created in order to allow for system testing, human review, or system updates.

Delete biometric information upon request: Where legal and operational circumstances allow it, if an individual withdraws consent for the use of biometric information, institutions should delete all the biometric information that they have collected about the individual, including any personal information created using analysis of that biometric information. Institutions should also request the same from third parties with whom they may have shared the information.


Safeguards

Safeguarding refers to the implementation of measures to protect personal information against loss, theft, or any unauthorized access, use, disclosure, copying, or modification. As reflected in the Directive on Privacy Practices (section 4.2.31), government institutions must have adequate safeguards to protect against unauthorized use or disclosure of personal information.

Biometric information, like other types of personal information, is not immune to privacy breaches (“breaches”).

Biometric technology itself might also be used to safeguard other personal information. When used this way, biometrics are vulnerable to spoofing attacks, where false information is presented to fool a biometric system. Deep learning and neural network technology can be used to create convincing fabrications of an individual’s biometric information to thwart identification technology. The rising use of deepfakes, voice synthesis, and other impersonation techniques using biometric information could also be used to compromise individuals’ accounts or identity.

You Must:

Use physical, administrative, and technical measures to safeguard against the different ways a breach could occur. Specific security vulnerabilities can vary depending on the biometric technology being used and the way information is collected, used, and disclosed. For example, fingerprints can leave latent marks that can be lifted by malicious actors, and some forms of biometric technology may be easier to spoof than others.

Review and update security measures regularly to ensure that these measures address evolving security threats and vulnerabilities, including risks specific to the institution’s choice of biometric technology.

Control system access: Only make biometric information accessible to those employees who truly need it in the context of their work. Institutions should implement a permission system to review requests and grant access.

Monitor and document system access: Under the TBS Directive on Privacy Practices (section 4.2.32), institutions must adopt appropriate measures to monitor and document access to biometric information. Institutions should maintain records of access to biometric systems. Depending on the use of biometrics, institutions should consider implementing an anomaly detection system that automatically notifies system administrators of unusual activity that could indicate a security breach.

Report breaches: When sensitive biometric information is subject to a privacy breach, there is a high likelihood that the breach could meet the threshold of a material privacy breach. A material breach is one that could reasonably be expected to create a real risk of significant harm to an individual. Any breach that rises to the level of a material privacy breach must be reported to the OPC and TBS.

You Should:

Use biometric systems that are privacy protective by design: Whether an institution develops a biometric system in-house or uses technology supplied by a third party service provider, they should ensure that the system that is used has privacy protections built in by design. If an institution uses a third party service provider, they should understand the security risks involved and the mitigation strategies put in place by prospective technology suppliers.

Consider the following design features when developing or choosing a biometric system:

  • Cancellable biometrics: These are biometric templates that distort data to prevent it from being converted back into the original biometric information. This allows multiple templates to be associated with the same biometric data, so that templates can be revoked (like a password) if they are compromised. The template can also be unlinkable, so that different biometric templates belonging to a single individual cannot be linked together. Institutions should also consider making the format of biometric templates unique to their biometric system, such that it cannot be used by others.
  • Privacy Enhancing Technologies: For some uses of biometrics, methods such as homomorphic encryption can be used to conduct biometric matching without needing to decrypt the biometric template. Read our blog post on homomorphic encryption for more information.
  • Encryption: End-to-end encryption technology can be used to secure biometric information throughout all stages of its lifecycle, including its storage but also its transmission.
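As an added illustration (not code from the OPC or from any biometric product), the following Python sketches the properties described above: a keyed, cancellable template transform that is revoked by re-issuing the key and is unlinkable across applications, with the one-to-one verification and one-to-many identification comparisons from the Biometric recognition section run on the transformed templates. The feature vectors, key values and application names are constructed stand-ins, and the transform is a toy random projection chosen for readability rather than a production scheme.

```python
# Added illustration (not OPC code and not any product's scheme) of a keyed,
# cancellable template transform, with one-to-one verification and
# one-to-many identification run on the transformed templates.
import hashlib
import math
import random
import secrets

DIM = 64  # assumed length of the feature vector a (hypothetical) extractor emits


def new_template_key() -> bytes:
    """Fresh secret held by the institution; re-issuing it revokes all old templates."""
    return secrets.token_bytes(32)


def projection(key: bytes, application_id: str) -> list[list[float]]:
    """Derive a key- and application-specific random projection matrix.

    Templates made under different keys, or for different applications under the
    same key, live in unrelated spaces, which is what makes them unlinkable.
    """
    digest = hashlib.sha256(key + application_id.encode()).digest()
    rng = random.Random(int.from_bytes(digest, "big"))
    return [[rng.gauss(0.0, 1.0) for _ in range(DIM)] for _ in range(DIM)]


def cancellable_template(features: list[float], key: bytes, application_id: str) -> list[float]:
    """Store only the projected vector, never the raw features.

    Caveat: a square random projection is invertible by anyone holding the key,
    so a production scheme must add a non-invertible step; this toy shows only
    the revocation and unlinkability properties.
    """
    return [sum(m * f for m, f in zip(row, features)) for row in projection(key, application_id)]


def cosine(a: list[float], b: list[float]) -> float:
    """Similarity score in [-1, 1]; 1.0 means identical direction."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


def verify(probe: list[float], reference: list[float], threshold: float = 0.8) -> bool:
    """One-to-one comparison: the probe is checked against a single reference template."""
    return cosine(probe, reference) >= threshold


def identify(probe: list[float], database: dict[str, list[float]], threshold: float = 0.8):
    """One-to-many comparison: best-scoring enrolled identity above the threshold, else None."""
    best_id, best_score = None, threshold
    for subject_id, template in database.items():
        score = cosine(probe, template)
        if score >= best_score:
            best_id, best_score = subject_id, score
    return best_id


def system_false_match_rate(per_comparison_fmr: float, enrolled: int) -> float:
    """Why one-to-many is riskier: a probe gets `enrolled` chances to falsely match someone."""
    return 1.0 - (1.0 - per_comparison_fmr) ** enrolled


def constructed_sample(subject: int, capture: int, noise: float = 0.15) -> list[float]:
    """Constructed stand-in for a feature extractor (no real biometric data):
    a fixed per-subject vector plus per-capture measurement noise."""
    base = random.Random(subject)
    jitter = random.Random(f"subject{subject}-capture{capture}")
    return [base.gauss(0.0, 1.0) + (jitter.gauss(0.0, noise) if capture else 0.0)
            for _ in range(DIM)]


def demo() -> dict:
    """Enrol three constructed subjects, then exercise match, revocation and unlinkability."""
    key_v1 = b"constructed-key-v1"  # constructed; use new_template_key() in practice
    key_v2 = b"constructed-key-v2"  # the key re-issued after a compromise
    app = "building-access"
    db = {name: cancellable_template(constructed_sample(n, 0), key_v1, app)
          for n, name in enumerate(["alice", "bob", "carol"], start=1)}
    probe_alice = cancellable_template(constructed_sample(1, 1), key_v1, app)
    probe_bob = cancellable_template(constructed_sample(2, 1), key_v1, app)
    probe_stranger = cancellable_template(constructed_sample(9, 1), key_v1, app)
    alice_after_reissue = cancellable_template(constructed_sample(1, 1), key_v2, app)
    alice_other_app = cancellable_template(constructed_sample(1, 0), key_v1, "payroll")
    return {
        "same_person_same_key": verify(probe_alice, db["alice"]),
        "other_person_rejected": not verify(probe_bob, db["alice"]),
        "old_template_dead_after_reissue": not verify(alice_after_reissue, db["alice"]),
        "unlinkable_across_apps": cosine(db["alice"], alice_other_app) < 0.5,
        "identified_as": identify(probe_alice, db),
        "stranger_identified_as": identify(probe_stranger, db),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
    print(f"1-to-many FMR, 1000 enrolled at 0.1% each: {system_false_match_rate(0.001, 1000):.3f}")
```

The last line of the demo makes the scaling point from the Accuracy section concrete: a per-comparison false match rate of 0.1% becomes a 63% chance of some false match once a probe is compared against 1,000 enrolled templates.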

Conduct testing and vulnerability assessments: Institutions or a qualified third party should assess the vulnerability of their biometric system to ensure that safeguards continue to be effective over time, and to identify vulnerabilities. The testing should include variables that depend both on the system’s design and installation, and the known vulnerabilities of the chosen form of biometric technology.

In the course of its investigations, the OPC has recommended that institutions protecting significant volumes of sensitive personal information conduct regular penetration testing annually (at a minimum). This includes comprehensive external (that is, independent) penetration testing, as well as annual comprehensive internal assessments of the security of their online services (Footnote 4).


Accuracy

Biometric systems are often used to make administrative decisions about an individual, such as to receive a service to which they are entitled. As a result, false positives and negatives can have significant consequences for an individual, including the potential violation of their human rights.

Under the Privacy Act, government institutions are required to take all reasonable steps to ensure that any personal information that they use for an administrative purpose is as accurate, up-to-date, and complete as possible. Further obligations are outlined in the TBS Directive on Privacy Practices (section 4.2.25), including requirements to validate the accuracy of personal information collected indirectly.

You Must:

Choose a technology with suitable accuracy rates: Some biometric technologies are more accurate than others. For example, systems based on morphological biometrics can result in higher accuracy rates than behavioural biometrics when used for recognition. While many biometric systems have low error rates, a small number of errors can become significant when the system is scaled up. The impact of inaccuracies can also depend on the nature and significance of the decisions being made. It is an institution’s responsibility to ensure conformity with relevant accuracy standards (Footnote 5), and to choose biometric systems with error rates that are appropriate and acceptable in the circumstances. In general, the accuracy of an institution’s biometric system should be higher when the consequences of errors for individuals are greater.

Minimize performance discrepancies across socio-demographic groups: The accuracy and effectiveness of biometric technologies can vary depending on race, gender, age, and other characteristics. Institutions are responsible for ensuring that their use of biometrics does not discriminate between groups of individuals in ways that are contrary to human rights law.

You Should:

Test before going live: Biometric systems can perform differently in real-world conditions than in laboratory testing environments. Institutions should test their biometric system on operationally relevant data to ensure that it is sufficiently accurate for their purpose before going live with their program or initiative. This includes testing for variation in system performance across different demographic groups to help minimize the risk of bias. This testing should be done by an individual or entity with appropriate expertise.

Institutions must meet all privacy obligations relating to their use of biometrics during testing, even if an initiative has not yet launched. This includes obligations to ensure that there is lawful authority for any collection, use, or disclosure of biometric information.

Institutions should avoid relying exclusively on claims of accuracy from a biometrics technology vendor to ensure that their use meets accuracy obligations. Where possible, vendor information and internal testing should be supplemented with the results of independent expert research and testing.
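The scaling argument under “Choose a technology with suitable accuracy rates” and the demographic testing under “Test before going live” can be made concrete with a small evaluation helper. This is an added example, not from the OPC; its comparison scores, the groups A and B, and the 0.1% FMR and 1,000,000-record gallery figures are constructed assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample data (not from the OPC guidance): similarity scores in
# [0, 1] from a hypothetical 1:1 verification system, each labelled with a
# demographic group and whether both samples came from the same person.
# A real pre-deployment test would use thousands of operationally relevant
# comparisons per group.
SCORES: List[Tuple[str, bool, float]] = [
    ("A", True, 0.91), ("A", True, 0.88), ("A", True, 0.79), ("A", True, 0.95),
    ("A", False, 0.12), ("A", False, 0.33), ("A", False, 0.41), ("A", False, 0.20),
    ("B", True, 0.86), ("B", True, 0.64), ("B", True, 0.58), ("B", True, 0.90),
    ("B", False, 0.22), ("B", False, 0.52), ("B", False, 0.30), ("B", False, 0.45),
]

def error_rates(scores, threshold: float) -> Dict[str, Tuple[float, float]]:
    """Per-group (FMR, FNMR) at a decision threshold: FMR is the share of
    impostor comparisons accepted, FNMR the share of genuine ones rejected."""
    rates = {}
    for group in sorted({g for g, _, _ in scores}):
        genuine = [s for g, same, s in scores if g == group and same]
        impostor = [s for g, same, s in scores if g == group and not same]
        fmr = sum(s >= threshold for s in impostor) / len(impostor)
        fnmr = sum(s < threshold for s in genuine) / len(genuine)
        rates[group] = (fmr, fnmr)
    return rates

def fnmr_gap(rates: Dict[str, Tuple[float, float]]) -> float:
    """Difference between the highest and lowest group FNMR; a large gap means
    one group is wrongly rejected far more often than another at this setting."""
    fnmrs = [fnmr for _, fnmr in rates.values()]
    return max(fnmrs) - min(fnmrs)

def threshold_for_fmr(scores, target_fmr: float) -> float:
    """Lowest threshold (steps of 0.01) at which the overall FMR does not exceed
    the target. Raising the threshold lowers FMR but raises FNMR, so the chosen
    operating point is a trade-off the institution has to justify and re-test."""
    impostor = [s for _, same, s in scores if not same]
    for step in range(0, 101):
        t = step / 100
        if sum(s >= t for s in impostor) / len(impostor) <= target_fmr:
            return t
    return 1.0

def expected_false_candidates(fmr: float, gallery_size: int) -> float:
    """In 1:N identification every enrolled template is one more chance for a
    false match: a 0.1% per-comparison FMR against 1,000,000 enrolled records
    means roughly 1,000 false candidates per search, which is the scaling
    effect the guidance warns about."""
    return fmr * gallery_size
```

Run over operational data, the same functions show whether the threshold that meets the FMR target still leaves one group with an FNMR the institution cannot justify, which is the check to repeat after every vendor update.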

Monitor consistently: Minor changes in environmental factors can affect the accuracy of biometric systems. For example, changes in ambient lighting or camera positioning can affect the accuracy of facial recognition systems. Similarly, changes in the technology itself can impact system accuracy, for example following software updates provided by a system vendor. It is therefore important that institutions test the accuracy of their biometrics systems regularly and make any necessary adjustments on an ongoing basis to ensure that accuracy obligations continue to be met.

Generally, the use of biometric information to test or ensure that a vendor’s biometric system is functioning for its intended purpose is a use that is consistent with that purpose.

Develop a procedure for handling false matches: Biometric systems cannot ensure 100% accuracy. Institutions should therefore be prepared for situations in which their system provides false positives, false negatives, or non-matches. Where these situations arise, institutions should offer an alternate identifier in a timely manner, resolve the issue for impacted individuals, take steps to ensure that the issue does not recur, and ensure that such errors do not result in systemic biases.


Accountability

Institutions are responsible for the personal information under their control. Accountability is delineated in the Privacy Act and through the PIA process and supporting policy instruments, notably the Policy on Privacy Protection and Directive on Privacy Practices.

Institutions are also responsible for their disclosure of personal information to other organizations, including other public institutions and private sector entities. Such disclosures must be made in accordance with requirements set out by the Directive on Privacy Practices, including the requirement to establish a contract, information-sharing agreement, or information-sharing arrangement before disclosing personal information (section 4.2.33). Further guidance is available from TBS on Preparing Information Sharing Agreements Involving Personal Information and Taking Privacy into Account Before Making Contracting Decisions.

You Must:

Ensure accountability for third party service providers: Before entering into a business relationship, institutions must do their due diligence to ensure accountability of third party service providers and that they are acting lawfully. If these parties are providing access to a database of biometric information, institutions have a duty to ensure that both the original collection and their use of the information would be in accordance with privacy laws. This equally applies to partnerships entered into with other government institutions.

If an institution subcontracts parts of their biometric program, they must ensure that the subcontractor meets the Privacy Act obligations to which the institution is subject and that the subcontractor does not use personal information handled on the institution’s behalf for its own purposes.

Institutions that are considering contracting with a private-sector organization should refer to the TBS guidance document “Taking Privacy into Account Before Making Contracting Decisions”. This includes information about the “invasion-of-privacy test”, where the biometrics initiative will be assessed based on the sensitivity of the information, the expectations of the individual, and the probability and potential gravity of harm.

Institutions must also meet obligations for contracting with third parties set out in the TBS Directive on Privacy Practices (section 4.2.33).

Privacy Act Report of Findings

In the OPC’s investigation into the RCMP’s use of Clearview AI’s services, we found that the RCMP failed to take any active steps to verify the legality of the collection of the information of Canadians from Clearview. We also found that the RCMP is obligated to inform itself of the lawfulness of the collection practices of partners from whom they collect personal information.

Formalize your relationship with other partners: This includes the use of contracts with private-sector biometrics service providers, and entering into Information Sharing Agreements with other institutions with whom biometric information is shared or received.

Assess whether your biometric activity is subject to the Directive on Automated Decision-Making: If an institution uses biometrics to make automated decisions about an individual, they should refer to the Directive on Automated Decision-Making and check whether they need to complete an Algorithmic Impact Assessment.

Develop robust breach response plans: The TBS Directive on Privacy Practices (section 4.1.4) requires institutions to be prepared for privacy breaches and sets out mandatory procedures to follow in the event of a breach, including requirements to report the breach and maintain records. To be prepared for a breach scenario, institutions should develop robust, efficient, and detailed procedures related to reporting mechanisms and any remedial actions to be taken. These procedures must contemplate all parties’ roles and responsibilities if there are third parties or multiple departments involved in the biometric initiative. The OPC has developed guidance for responding to a privacy breach for government institutions.

You Should:

Consult privacy leaders and stakeholders: Institutions should seek input and advice from subject matter experts and privacy leaders within their institution when developing initiatives involving biometrics. This may include, for example, privacy management teams, their ATIP office, and their Chief Privacy Officer. To the extent that the use of biometrics might impact fundamental rights of individuals, institutions should consider consulting appropriate stakeholder representatives external to their organization to better understand the risks involved and to inform strategies for reducing harm.

Integrate the ability to audit contractors: Where biometrics are concerned, organizations should integrate the right to audit and inspect how the third party handles personal information into the contract and include measures to address non-compliance.

Establish a rigorous governance framework: Institutions should put in place a comprehensive governance framework for their use of biometrics that includes internal accountability measures for accessing and using biometric information. They should also implement regular assessments to ensure ongoing compliance with privacy requirements, including systematic verifications that extraneous data is not collected and that biometric information is appropriately retained and destroyed.

Provide employees with proper knowledge and support: Institutions should ensure that employees who are responsible for managing biometric information are provided with the proper training, guidance, and supervision to perform their duties.

Set conditions for pausing use: Before going live with the use of biometrics, institutions should define circumstances in which they will stop or suspend use of the technology. These may include indicators of effectiveness or accuracy that do not meet expectations, as well as circumstances relating to unauthorized access or use of the technology.

Demonstrate accountability: Institutions should stand ready to demonstrate their compliance with applicable privacy law(s) to regulators. They should be ready to show records such as how the system was designed, and the steps taken to ensure that it was protective of privacy.

Consider consulting the OPC: If an institution is unsure about their biometric program, they may consider contacting the OPC’s Promotion and Engagement Directorate to request a consultation meeting.


Openness

Be open and transparent with individuals about how you manage personal information. The Directive on Privacy Practices (section 4.2.20) requires that individuals whose personal information is collected be directly notified of key information relating to the initiative.

You Must:

Provide a privacy notice: Directly notify the individual whose biometrics are collected of the purpose and authority of collection, any uses or disclosures consistent with the original purpose, any legal or administrative consequences for refusing to provide biometrics, the rights of access, correction and protection, and the Personal Information Bank (PIB) described in Info Source.

Inform individuals about their ability to complain to the OPC: Your privacy notice must include information about the right of individuals to submit a complaint to the OPC with their privacy concerns.

Conduct public reporting: All biometric information holdings under your control must be accounted for in your public reporting of PIBs and classes of personal information. This includes Info Source and in your PIB descriptions. The inventory descriptions must contain sufficient clarity and detail to facilitate the exercise of the right of access under the Privacy Act.

Notify the OPC of all new consistent uses: Under subsection 9(4) of the Privacy Act, institutions must notify the OPC if they use biometric information for consistent uses that are not reflected in a PIB.

You Should:

Be transparent about legal obligations: You should communicate to individuals up-front, where possible, about situations where you are unable to delete personal information upon request based on other legal obligations. You should also explain this in response to any deletion request, citing the relevant legal provision.

Publish program-level explanations: In addition to the privacy notice, you should publish program-level information about your use of biometrics on your institution’s website or in another readily accessible format, in the spirit of being open with individuals and fostering public trust. This should include, where appropriate, an explanation of how the biometric system functions, an overview of what information is collected and how it is used, a description of steps taken to mitigate bias and inaccuracy, and a description of any internal policies relating to the circumstances in which individuals’ biometric information is collected, used, and disclosed.

You should also publish, on an annual basis, program-level metrics about your institution’s use of biometrics, unless doing so is inconsistent with operational circumstances. This should include information about the number of individuals whose biometric information is collected, and indicators of the effectiveness of the biometric system (for example, rates of known false positives, number of positive matches, etc.).

Explain automated decisions: Be prepared to provide individuals who may be subject to an automated decision using biometrics with information about key details of the biometric system and its use. This should include what biometric information is used to make a decision, how it was collected, and the principal factors behind the decision. For further information about institutions’ obligations relating to automated decisions, see the TBS Directive on Automated Decision-Making (section 6.2.3).

The OPC welcomes organizations and the public to provide feedback on this guidance. Please send any comments or questions about the guidance to retroactionpolitique-policyfeedback@priv.gc.ca.
