Guidance for processing biometrics – for businesses
Published: 2025
Target Audience: Private-Sector Organizations
Authority: Personal Information Protection and Electronic Documents Act
Issued: Office of the Privacy Commissioner of Canada
Overview
In today’s digital environment, organizations are looking to facilitate more efficient access to goods and services while adapting to evolving security risks. Biometrics have emerged as one way to achieve this objective by using individuals’ unique traits to identify or authenticate them. They are often viewed as a solution in a world where individuals are increasingly asked to create and remember different passwords, and to prove their identity.
With the promise of biometrics, however, come serious concerns about privacy. Biometric information is intimately linked to an individual’s body and is often unique, unlikely to vary significantly over time, and difficult to change in its underlying features. Biometric information can be an enabler of surveillance, and if breached, could expose individuals to fraud and identity theft. It can also reveal sensitive information about an individual’s life, including personal traits, health information, and information about characteristics such as race, disability, gender, and biological family relationships. Challenges with the accuracy of some biometric technologies have been documented, which is of further concern when they are used to make automated decisions about individuals.
This document provides guidance to organizations on their privacy obligations when handling biometric information. Note that while it addresses some of the main considerations, organizations remain responsible for understanding all of their obligations under applicable laws and regulations. For example, the province of Quebec has imposed a requirement for reporting to the Commission d’accès à l’information du Québec for processes involving biometric information.
Biometric technology
“Biometrics” refers to the quantification of human characteristics into measurable terms. Biometric technologies are used for a variety of purposes, including recognition and classification, which are explained below.
There are two main types of biometric technologies:
- Physiological biometrics involve morphological (body shape or structure) or biological characteristics of an individual that are relatively stable over time. Examples include fingerprints, iris patterns, facial geometry, and DNA.
- Behavioural biometrics involve distinctive characteristics of individuals’ movements, gestures, or motor skills. Examples include keystroke patterns, gait, voice, and eye movement.
These biometric characteristics can be captured and analyzed using a biometric system. Biometric systems work by extracting features from biometric samples, which are data that contain representations of biometric characteristics in an unprocessed form. Examples of biometric samples include a photograph of an individual’s face, a recording of their voice, or a sample of their DNA. Samples can be inputted into the biometric system manually (for example, by uploading an image to the system) or automatically (for example, by using software to record a user’s keystroke patterns on a computer).
Once a sample has been inputted into the system, biometric characteristics are extracted by converting data from the sample into a format that can be analyzed for a specific purpose. This often involves the creation of a biometric template, which is a format for representing sets of extracted biometric characteristics for further analysis. The process of extracting and analyzing or comparing templates is typically performed using specialized software designed for that purpose.
Biometric recognition
A common use for biometric technology is recognition. When used for this purpose, the biometric system is configured to compare a template from one biometric sample (often called a “probe” template) with one or more templates extracted from other biometric samples. The system then estimates the probability that two or more templates “match” — that is, correspond with the same individual.
- In verification uses, the probe template is compared with only one other template, to determine whether both pertain to the same individual. For this reason, verification is sometimes referred to as a “one-to-one” comparison.
- In identification uses, the probe template is compared with multiple other templates, to determine whether it corresponds with any of them. For this reason, identification is sometimes referred to as a “one-to-many” comparison.
Recognition systems typically involve enrolling individuals’ templates into a reference database for comparison with other templates. In verification uses, the reference database consists of only one reference template. In identification uses, it consists of multiple templates. In identification uses, the reference database often contains additional identifying information about the individual, such as their name.
Examples of recognition include the use of a fingerprint to gain access to a building, the use of a facial image to unlock a phone, and the use of DNA to identify an individual. In all these cases, probe templates are compared with one or more reference templates to estimate the probability of a match. If the probability is sufficiently high, then the match may be considered confirmed for the purposes of that system.
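As an added illustration (not from the OPC guidance or from any of the systems it discusses), the following Python sketch models the one-to-one and one-to-many comparisons described above using toy 32-bit templates and a normalised Hamming distance as the comparison score. The three enrolled individuals, the bit positions flipped to simulate capture noise, the thresholds and the never-enrolled "stranger" probe are all constructed for the example. It also measures the false match rate (FMR) and false non-match rate (FNMR) at several thresholds, the error rates the Effectiveness criterion asks you to consider, which shows that loosening a threshold trades false non-matches for false matches.

```python
"""Toy biometric recognition: verification (1:1) and identification (1:N).

Templates are fixed-length bit tuples (as an iris code would be); the
comparison score is the normalised Hamming distance, where 0.0 means
identical and about 0.5 means unrelated. All data below is constructed.
"""
from typing import Optional


def bits(s: str) -> tuple:
    """Parse a '0'/'1' string into a bit tuple (the toy template format)."""
    return tuple(int(c) for c in s)


def flip(template: tuple, positions) -> tuple:
    """Simulate capture noise by flipping the given bit positions."""
    t = list(template)
    for p in positions:
        t[p] ^= 1
    return tuple(t)


def distance(a: tuple, b: tuple) -> float:
    """Normalised Hamming distance between two equal-length templates."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def verify(probe: tuple, reference: tuple, threshold: float) -> bool:
    """One-to-one comparison: does the probe match this single reference?"""
    return distance(probe, reference) <= threshold


def identify(probe: tuple, gallery: dict, threshold: float) -> Optional[tuple]:
    """One-to-many comparison: return (name, score) of the closest enrolled
    template if its score is within the threshold, otherwise None."""
    name, score = min(((n, distance(probe, t)) for n, t in gallery.items()),
                      key=lambda ns: ns[1])
    return (name, score) if score <= threshold else None


def error_rates(genuine, impostor, threshold: float) -> tuple:
    """(FMR, FNMR) at a threshold: FMR is the share of impostor pairs that are
    accepted, FNMR the share of genuine pairs that are rejected."""
    fmr = sum(verify(p, r, threshold) for p, r in impostor) / len(impostor)
    fnmr = sum(not verify(p, r, threshold) for p, r in genuine) / len(genuine)
    return fmr, fnmr


# Constructed enrolled reference templates (pairwise distance 0.5, i.e. unrelated).
ALICE = bits("11110000" * 4)
BOB = bits("10101010" * 4)
CAROL = bits("11001100" * 4)
GALLERY = {"alice": ALICE, "bob": BOB, "carol": CAROL}

# Constructed probes: fresh captures of the same people, with some noise.
ALICE_PROBE = flip(ALICE, [0, 5, 17])                      # 3 of 32 bits differ
BOB_PROBE = flip(BOB, [1, 4, 7, 10, 13, 16, 19, 22, 25])   # 9 of 32 bits differ
CAROL_PROBE = flip(CAROL, [2, 9])                          # 2 of 32 bits differ
STRANGER = bits("0" * 16 + "1" * 16)                       # never enrolled

GENUINE = [(ALICE_PROBE, ALICE), (BOB_PROBE, BOB), (CAROL_PROBE, CAROL)]
IMPOSTOR = [(p, r) for p, own in GENUINE for r in GALLERY.values() if r is not own]

if __name__ == "__main__":
    print(verify(ALICE_PROBE, ALICE, 0.25))        # True
    print(identify(ALICE_PROBE, GALLERY, 0.25))    # ('alice', 0.09375)
    print(identify(STRANGER, GALLERY, 0.25))       # None
    for thr in (0.25, 0.30, 0.45):
        print(thr, error_rates(GENUINE, IMPOSTOR, thr))
```

At a threshold of 0.25 Bob's noisy capture is rejected (a false non-match) while no impostor is accepted; at 0.45 every genuine capture passes but one cross-person pair is accepted (a false match). Choosing the operating point, and measuring it on representative data, is the "accuracy of the technology and error rates" question the Effectiveness criterion raises.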
Biometric classification
An emerging area of biometric technology involves the estimation of certain personal attributes of individuals, such as their age or gender, based on their biometric characteristics. This is commonly referred to as “biometric classification.” When used this way, the biometric system extracts biometric characteristics from a sample and analyzes them to predict the value of a target attribute.
Examples of biometric classification include predicting an individual’s gender, age, or degree of fatigue from an image of their face, whether a set of keystroke patterns originated from a human or a bot, and the potential medical conditions associated with a DNA sequence.
While these uses of biometrics are not necessarily intended to identify individuals, the biometric characteristics involved may still consist of uniquely identifying information.
Biometric information
For the purposes of this guidance, biometric information is information about biometric characteristics that has been extracted from a biometric sample. In general, biometric information is personal information (Footnote 1).
Biometric samples contain personal information that has the potential to be converted into biometric information. This information is not specifically ‘biometric’ information until it has been processed using a biometric system. Photographs, video recordings, and behavioural observations are, on their own, not necessarily biometric information. Information about human characteristics that is extracted from such sources and quantified into measurable terms is biometric information.
Sensitivity
Biometric information that can uniquely identify an individual is sensitive information, regardless of the context in which it is collected, used, or disclosed. This is because the information is stable over time, difficult to change, and innately linked with an individual’s identity.
Biometric information that is not capable of uniquely identifying an individual may or may not be sensitive, depending on the circumstances. For example, some biometric information might describe general characteristics that are shared by many people. This could include characteristics like eye colour, age markers, or very general behavioural patterns.
If this information is not capable of uniquely identifying an individual, then it is not automatically considered sensitive just because it is biometric. However, the information might still be sensitive for other reasons. For example, a fitness tracking device might collect some biometric information that is not uniquely identifying, but this information might still be sensitive if it can reveal information about an individual’s health or medical condition.
In general, you should treat biometric information as sensitive if:
- It is, or could readily be, combined with other information that would allow it to uniquely identify an individual;
- Its misuse could pose a high risk of harm to individuals; or
- It could reveal other categories of information that are considered sensitive (this could include, for example, medical information).
Biometric information may be sensitive in other circumstances as well — consult the OPC’s interpretation bulletin on sensitive information for further information.
Keep in mind that biometric information can be sensitive even if it is only used or retained for a brief period of time. For example, a facial detection system that assigns a unique numerical representation to a particular face when analyzing an image can involve the collection of sensitive biometric information (the numerical representation of facial features), even if the system deletes the information within milliseconds.
Guidance
Identifying an appropriate purpose
Among the first steps you must take when planning your biometric initiative is specifying the purpose you are trying to achieve. You must then evaluate whether the purpose is appropriate in the circumstances. The purpose must be appropriate even if an individual consents to the collection, use, or disclosure of their biometric information for that purpose.
Appropriateness requires a contextual assessment. To guide this assessment, you should evaluate and adjust the proposed biometric program using the criteria below (Footnote 2).
The OPC has determined that some purposes for collecting, using, and disclosing personal information are generally considered inappropriate. These include purposes that are known or likely to cause significant harm and those involving profiling or categorization that leads to unfair, unethical, or discriminatory treatment. Before proceeding, you should ensure that your use of biometrics does not fall into one of the OPC’s “no-go zones.”
Do not use biometrics if you are uncertain whether it would be appropriate in the circumstances. If your organization cannot explain how your collection, use, or disclosure of biometric information meets the criteria below, the initiative should not go forward.
Legitimate need: Your purpose for collecting, using, or disclosing biometric information must represent a legitimate need. In other words, your organization must have a reason to use biometric information that is clearly articulated and connected to the pursuit of a bona fide business interest (Footnote 3). You must always have a clear use for any biometric information you collect. Personal information must not be collected for a speculative or prospective purpose to be determined at a later date.
Effectiveness: Ensure that the proposed biometric program or initiative will be effective in meeting the purpose you have identified. There should be a high degree of confidence that the biometric program will be effective and reliable as a whole, and there should be a clear plan for how to measure the effectiveness of the program. The program must be designed to effectively fulfill the purpose for which it is deployed. Consider the scientific and technical validity of the method or process, the accuracy of the technology and error rates, and the risk that the biometric technology could be compromised or circumvented.
Minimal intrusiveness: Assess whether there are less intrusive means of achieving the purpose that do not involve the collection, use, or disclosure of biometric information. Is there evidence that other, less privacy intrusive means cannot achieve the same objective at comparable cost and with comparable benefits? In general, biometrics should not be used solely out of convenience for the organization deploying them if there are more privacy protective alternatives available. Consider what steps can be taken to reduce privacy intrusion as much as possible. This includes consideration of whether biometrics of a less sensitive nature could be employed or whether there are ways to limit the role of biometrics in the proposed program.
Proportionality: Assess whether the biometric program or initiative’s impact on privacy is proportional to the benefits gained. Is the gain in the effectiveness, cost, or operational benefits proportional to the increased level of intrusion over a non-biometric alternative? Initiatives that involve the collection, use, and disclosure of biometric information can have significant impacts on privacy. For these impacts to be proportional, the benefits of your biometric program must be commensurately high. Ensure that the biometric program is also proportional in its design — meaning it is narrowly scoped as opposed to broad, general, and undefined. Biometrics programs that are designed to rely on the analysis of large volumes of biometric information are more likely to have a disproportionate impact on privacy than those that rely on targeted and specific collections and uses. The implementation of technical and other protective measures is an important factor in mitigating the privacy impacts of using biometrics, but adequate safeguards alone cannot render a collection, use, or disclosure of biometrics appropriate.
The OPC has applied these criteria to biometric initiatives in previous reports of findings, which may be informative for completing your own appropriate purposes assessment:
PIPEDA Report of Findings #2022-003
We found Rogers’ VoiceID program, which uses voice biometrics to authenticate account holders who phone Rogers’ customer support line, to be an effective solution to address Rogers’ legitimate need for account authentication and security in the context of the high-threat environment facing telecommunication service providers. The program presented limited identification risks when compared to other biometric solutions, and was designed with a number of limitations, safeguards, and controls to mitigate privacy impacts.
PIPEDA Report of Findings #2021-001
In our joint investigation of Clearview AI with the Commission d’accès à l’information du Québec, the Information and Privacy Commissioner for British Columbia, and the Information and Privacy Commissioner of Alberta, we determined that the company’s online scraping of images and associated creation of biometric facial recognition arrays represented mass identification and surveillance of individuals. We therefore found Clearview’s purposes to be inappropriate, particularly where they: (i) were unrelated to the purposes for which those images were originally posted; (ii) would often be to the detriment of the individual whose images are captured; and (iii) created the risk of significant harm to those individuals, the vast majority of whom have never been and will never be implicated in a crime.
PIPEDA Report of Findings #2008-389
This investigation examined the collection and use of fingerprint data from participants writing a standardized admission test for law school, and the findings were centred around questions based in the above criteria. In this case, the use of fingerprint data was found not to be proportional to the benefit gained, and therefore not appropriate.
Consent
Once you have determined that the purpose of your biometric initiative is appropriate in the circumstances, you need to assess how to obtain valid consent from individuals. Consent is a foundational element of PIPEDA, and is required for the collection, use, and disclosure of personal information, including biometric information, subject to limited exceptions.
A critical element of obtaining consent is ensuring that individuals have proper knowledge of how your organization will manage their personal information. For consent to be valid or meaningful, organizations must inform individuals of their privacy practices in a comprehensive and understandable manner.
You Must:
Use an appropriate form of consent: If your use of biometrics involves sensitive information, as a general rule, express consent would be the appropriate form of consent for the collection, use, or disclosure of that information, including biometric templates. Express consent means that biometric information is not collected, used, or disclosed without an individual’s explicit knowledge and agreement.
There are other circumstances in which express consent must be sought, even if the information is not sensitive. The OPC has developed guidance on obtaining meaningful consent that provides assistance for ensuring that valid consent is obtained in the appropriate form.
Ensure that consent is valid: Consent is only valid if it is reasonable to expect that an individual would understand the nature, purpose, and consequences of your collection, use, or disclosure of their biometric information. While you must make a description of your privacy practices readily available to individuals, for example in a privacy policy, such a description on its own may be insufficient to generate valid consent.
To help ensure that consent is valid, you should consider integrating your mechanism for obtaining consent into existing processes, such as enrolment or account set-up. Your process for obtaining consent should provide specific information about your biometric initiative, and this information should be communicated in a user-friendly manner at a time that is relevant to the individual’s decision.
In general, the following information should be included, although it may be appropriate to include further information depending on the circumstances:
- the type of biometric information collected;
- the purpose for the collection, use, or disclosure of that information;
- the parties to which the information is disclosed;
- any meaningful risks of significant harm that remain despite the organization’s efforts at risk mitigation.
For example, if an organization is collecting voiceprints from callers to its customer support line, a generic statement like “this call may be recorded for identification purposes” would generally not be sufficient to obtain valid consent, as it does not address the key elements outlined above.
Similarly, obtaining consent to collect photos or videos of an individual does not automatically allow you to extract biometric information from such sources. You must specify separately and explicitly that biometric information will be collected, used, or disclosed.
PIPEDA Report of Findings #2022-003
In our investigation of Rogers’s use of VoiceID, we found that the company: (i) undertook the “tuning” process, which involved biometric collection, without first obtaining valid consent; and (ii) had not implemented adequate protocols and associated monitoring to ensure that express consent was consistently obtained for enrolment. We further determined that Rogers did not provide a clearly explained and easily accessible option for individuals to later opt out of the collection and use of their voiceprint.
PIPEDA Report of Findings #2020-004
In an investigation conducted jointly with the Information and Privacy Commissioner of Alberta and the Information and Privacy Commissioner for British Columbia, we found that Cadillac Fairview (CFCL) used cameras in its directory kiosks at its shopping malls to collect and use images of faces, numerical representations of each face, and an assessment of age-range and gender, without valid consent. Given the sensitive data in question, and the fact that a visitor would not reasonably expect their image or biometric data to be collected by an inconspicuous camera while searching a mall directory, we found that express consent was required. While decals posted at mall entrances indicated that video recordings would be used for “safety and security” purposes and referenced the company’s privacy policy, these were not adequate to support meaningful consent; they did not explain the full scope of the purposes for which facial images would be used.
Consider whether biometrics are a condition of service: Under PIPEDA Principle 4.3.3, organizations can only require consent as a condition of service when the collection, use, or disclosure of personal information is integral to the provision of that product or service such that it is required to fulfill its explicitly specified and legitimate purpose. Otherwise, for non-integral and non-essential collections, uses, and disclosures, organizations must give individuals a choice — which means making biometrics voluntary.
Provide alternative options, where required: Where biometric technology is used for non-integral or non-essential collections, uses, or disclosures, you must provide individuals with other means of access or participation. Communicate these options to individuals, and do not create obstacles that would hinder access to such alternatives. Providing alternatives also accommodates those who are reluctant to participate in a biometric system, as well as those who may not be able to participate in such systems, for example because of a disability.
Ensure that any collection from third parties is lawful: Where collecting biometric information from third parties is appropriate, organizations must ensure that they have legal authority to do so. As a best practice to help meet this obligation, you should assure yourself of PIPEDA compliance at every step of the data flow, from initial collection by the third party to disclosure and subsequent use by you. Where consent is required, your organization should work with the third party to design means to obtain valid consent from individuals covering both that third party’s disclosure and your collection and use.
Do not assume that information is “publicly available”: An individual’s biometric information may be observable in public, but that does not mean that it is necessarily exempt from consent requirements. Under paragraph 7(d) of PIPEDA, exceptions to consent for publicly available information are only applicable to limited classes of information, as outlined in the Regulations Specifying Publicly Available Information.
PIPEDA Report of Findings #2018-002
The OPC investigated Profile Technology Ltd., a company that reused millions of Canadians’ Facebook user profiles without their consent. In that case, we found that the personal information available in individuals’ Facebook profiles did not meet the definition of a publication under the Regulations Specifying Publicly Available Information, such that its collection and use was not exempt from consent requirements.
Renew consent when extending scope: Any extension of the use of biometric information must not be undertaken without first obtaining the individual’s consent for that new use, unless a valid legal exception to consent applies. In this sense, organizations should not view consent as a one-time requirement, never to be revisited. On the contrary, ensuring the validity of consent is an ongoing process and consent may require renewal as circumstances change and as organizations innovate, grow, and evolve.
Limiting collection
Under PIPEDA Principle 4.4, you must limit the collection of personal information to that which is necessary for achieving your stated purpose.
You Must:
Use the minimum number of biometric characteristics needed: This includes both the amount of a single characteristic, and the combination of characteristics. For example, if you can meet your purpose by using points from a single fingerprint — keeping in mind Principle 6 of PIPEDA (Accuracy), addressed below — then you must not collect prints from the entire hand, or use prints in conjunction with other biological or behavioural biometrics.
PIPEDA Report of Findings #2010-007
In an investigation regarding the Medical College Admission Test (MCAT), the OPC concluded that there were less privacy-invasive means to meet the Association of American Medical Colleges’ (AAMC) purpose of preventing exam fraud. The AAMC agreed to limit the personal information that it collected, and to only collect and retain fingerprint information in a digital format, which was to be converted into unique digital templates composed of a string of alphanumeric characters and held securely. The OPC was satisfied that this outcome effectively addressed concerns with respect to both privacy and AAMC’s need to protect the integrity of the high-stakes MCAT exam.
You Should:
Use verification over identification, where possible: Verification is based on a one-to-one match against a single template for the individual, which can reduce the amount of biometric information needed to achieve accurate results compared with identification. Before using an identification system, you should consider whether your purpose can be met by using a verification system instead.
Seek to keep the template in the individual’s control: There are different biometric template formats that vary in how much control they provide to the individual. You should strive to keep biometric templates in the individual’s control so long as that is the most secure option that allows you to achieve your identified purpose. For example, you could store it on a device or a portable token in their possession, such as a mobile phone. You should avoid creating large, centralized databases of biometric information if alternatives are viable. In the event of a breach, centralized databases are vulnerable to a wider scope and magnitude of potential privacy impacts.
Limit its technical capability: As a design choice, you should consider biometric systems that do not contain additional features that enable broader collection of personal information than that required to fulfill your specific purposes.
Limiting use, disclosure, and retention
Under PIPEDA Principle 4.5, biometric information must only be used for the purposes for which the information was collected, with few exceptions. This applies both to biometric information in a database and to biometric samples collected from an individual. PIPEDA also identifies limited circumstances in which personal information can be disclosed without consent (Footnote 4).
You Must:
Not extract secondary information without consent: Some biometric information can reveal secondary information, such as that related to health, ethnicity, or biological relationships. You must have consent to extract or analyze any secondary biometric information, unless an exception to consent applies under PIPEDA. Even if you obtain consent for the use, you must still ensure that the purpose of your use is appropriate.
Limit retention: Biometric information must only be kept for a period that is necessary to fulfill your stated purpose and any legal obligations, after which it must be permanently destroyed from all locations, including devices, cloud storage, and back-ups. This applies as well to biometric information that is collected, used, or retained by a third party operating on your behalf. In order to fulfill the stated purpose, it may sometimes be necessary to use or retain biometric information for a limited period of time to allow for system testing, human review, or verification of system updates.
In previous investigations involving biometric systems, the OPC found that the appropriate data retention period depends on the context. For fingerprint digital templates collected from test takers, for example, a period of five years was appropriate since this matched the validity of the test results (Footnote 5). For voiceprints collected from employees, retaining the biometric data for one month after the employee left the organization was found to be appropriate (Footnote 6).
In our joint investigation of Cadillac Fairview, we found that MappedIn, a third party service provider acting on CFCL’s behalf, inappropriately retained numerical representations of individuals’ faces beyond the very brief period necessary to process their facial images with video analytics software. OPC noted that MappedIn and CFCL did not identify any reason for retaining this information.
You Should:
Keep a tight circle: You should use a biometric system that does not disclose information to third parties, unless there is a specific operational reason for doing so that is authorized by law. In systems where the sharing of biometric information with others is required, the parties with whom it is shared and the information that is shared must be limited to what is necessary to fulfill the identified purpose. Refer to the Accountability section in this guidance to learn more about your responsibilities in ensuring that third parties do not misuse information that you share with them.
De-link across systems: You should ensure that the biometric system provider does not link data across different implementations of the system. You should also ensure that databases of biometric information used for one purpose are not linked with personal information that is not needed for that purpose.
Distinguish retention of biometric information from that of other personal information: Biometric information serves a specific purpose and its retention should be distinguished from that of other personal information. Where biometric information is linked with associated personal information (for example, a name, date of birth, or biometric sample), separate retention schedules should be used if the other personal information is needed for a different period of time than the biometric information.
Delete biometric information upon request: If an individual withdraws consent for your use of biometric information, you should delete all the biometric information you have collected about them. This includes any personal information you have created using analysis of that biometric information, subject to legal or contractual restrictions and reasonable notice to the individual. You should also ensure that the same is done, to the extent possible, by any third parties with whom you have shared the information.
Safeguards
Safeguarding refers to the implementation of measures to protect personal information against loss, theft, or any unauthorized access, use, disclosure, copying, or modification. Under PIPEDA Principle 4.7, organizations are responsible for protecting personal information with security safeguards appropriate to the sensitivity of the information.
Biometric information, like other types of personal information, is not immune to breaches.
Biometric technology itself might also be used to safeguard other personal information. When used this way, biometrics are vulnerable to spoofing attacks, where false information is presented to fool a biometric system into providing a positive match. Deep learning and neural network technology can be used to create convincing fabrications of an individual’s biometric information to thwart identification technology. The rising use of deepfakes, voice synthesis, and other impersonation techniques using biometric information could also be used to compromise individuals’ accounts or identity.
You Must:
Use physical, organizational, and technical measures to safeguard against the different ways a breach could occur.
Specific security vulnerabilities can vary depending on the biometric technology being used and the way information is collected, used, and disclosed. For example, fingerprints can leave latent marks that can be lifted by malicious actors, and some forms of biometric technology may be easier to spoof than others.
Review and update security measures regularly to ensure that these measures address evolving security threats and vulnerabilities, including risks specific to your choice of biometric technology.
PIPEDA Report of Findings #2022-003
We noted in our Rogers’ Voice ID report of findings that voiceprints were well safeguarded. Voiceprints were stored in an encrypted and proprietary format on Canadian servers under Rogers’ control. Rogers confirmed that no third parties had access to the voiceprints for any purpose. Rogers further advised that access to the database was restricted to its Voice ID administration team, and that the voiceprints could not be used outside of their system. Our review of software documentation confirmed that FreeSpeech, a third-party software used in the Voice ID solution, was deployed by its customers and is not centrally managed, accessible to, or controlled by the third-party provider. Additionally, our review confirmed that voiceprints were signed using an encryption key unique to the specific instance of FreeSpeech, to protect against their use in other programs or in other FreeSpeech implementations.
Report breaches: When sensitive biometric information is subject to a privacy breach, there is a high likelihood that the breach will create a real risk of significant harm to affected individuals. Any breach of security safeguards involving biometric personal information must be reported to the OPC and to affected individuals if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual (section 10.1 of PIPEDA).
You Should:
Use biometric systems that are privacy protective by design: Whether you are developing a biometric system in-house or using technology supplied by a third-party service provider, you should ensure that the system you use has privacy protections built in by design. If you are using a third-party service provider, make sure you understand the security risks involved in your use of biometrics as well as the mitigation strategies put in place by prospective technology suppliers.
Consider the following design features when developing or choosing a biometric system:
- Cancellable biometrics: These are biometric templates that distort data to prevent it from being converted back into the original biometric information. This allows multiple templates to be associated with the same biometric data, so that templates can be revoked (like a password) if they are compromised. The template can also be unlinkable, so that different biometric templates belonging to a single individual cannot be linked together. You should also consider making the format of biometric templates unique to your biometric system, such that it cannot be used by others.
- Privacy Enhancing Technologies (PETs): For some uses of biometrics, methods such as homomorphic encryption can be used to conduct biometric matching without needing to decrypt the biometric template. For more information about homomorphic encryption, read our report.
- Encryption: End-to-end encryption technology can be used to secure biometric information throughout all stages of its lifecycle, including its storage but also its transmission.
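As an added illustration of the cancellable-template idea in the list above (this is example code written for this page, not code from the OPC guidance or from any vendor), the block below implements a simplified BioHashing-style scheme: a feature vector derived from a biometric sample is projected with a random matrix derived from a deployment-specific key and then reduced to sign bits. The feature extractor, key values and noise model are all assumptions; the feature vectors are constructed sample data, not real biometrics.

```python
"""Cancellable (revocable, unlinkable) biometric templates.

Added illustration, not code from the OPC guidance: a simplified
BioHashing-style scheme. A feature vector extracted from a biometric
sample is projected with a key-derived random matrix and binarised.
Changing the key yields a fresh template that can replace a compromised
one, and templates made under different keys cannot be linked.
The feature vectors here are constructed sample data, not real biometrics.
"""
import hashlib
import random
import struct
from typing import Dict, List

FEATURES = 32       # dimensionality of the (hypothetical) feature vector
TEMPLATE_BITS = 256  # length of the protected template


def _projection_row(key: bytes, row: int) -> List[int]:
    """Derive one deterministic +/-1 row of the projection matrix from the key."""
    digest = hashlib.sha256(key + struct.pack(">I", row)).digest()
    bits = int.from_bytes(digest, "big")
    return [1 if (bits >> j) & 1 else -1 for j in range(FEATURES)]


def make_template(features: List[float], key: bytes) -> List[int]:
    """Project the feature vector with the key-derived matrix and keep signs only."""
    template = []
    for row in range(TEMPLATE_BITS):
        r = _projection_row(key, row)
        dot = sum(ri * fi for ri, fi in zip(r, features))
        template.append(1 if dot >= 0 else 0)
    return template


def similarity(a: List[int], b: List[int]) -> float:
    """Fraction of matching bits: 1.0 if identical, about 0.5 for unrelated templates."""
    return sum(x == y for x, y in zip(a, b)) / len(a)


def sample_features(person_seed: int, noise: float = 0.0,
                    noise_seed: int = 0) -> List[float]:
    """Constructed stand-in for a feature extractor: a per-person vector plus
    optional presentation noise (lighting, sensor variation, ...)."""
    base = random.Random(person_seed)
    jitter = random.Random(noise_seed)
    return [base.gauss(0, 1) + jitter.gauss(0, noise) for _ in range(FEATURES)]


def demo() -> Dict[str, float]:
    key_v1 = b"site-key-version-1"  # per-deployment secret (placeholder value)
    key_v2 = b"site-key-version-2"  # issued after key_v1 is treated as compromised
    enrolled = make_template(sample_features(1), key_v1)
    # a fresh presentation by the same person: a few bits flip, most agree
    genuine = similarity(enrolled, make_template(
        sample_features(1, noise=0.05, noise_seed=7), key_v1))
    # a different person under the same key: roughly half the bits agree
    impostor = similarity(enrolled, make_template(sample_features(2), key_v1))
    # same person after key rotation: the old template cannot be linked to the new one
    reissued = similarity(enrolled, make_template(sample_features(1), key_v2))
    return {"genuine": genuine, "impostor": impostor, "reissued": reissued}


if __name__ == "__main__":
    print(demo())
```

The "reissued" figure is the point of the technique: once the key is rotated, a leaked template is useless for matching against the new one and cannot be tied to it, so the template is revocable in the way a password is. The protection rests on the key staying secret and separate from the template store; simple projection schemes of this kind have known weaknesses when the key leaks, so a production deployment should follow a recognised template-protection standard such as ISO/IEC 24745 rather than this sketch.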
PIPEDA Report of Findings #2011-012
In the case of the Graduate Management Admission Test palm-vein scanning technology, the OPC found that the palm-vein scans were immediately transformed into an encrypted binary template, which could not easily be applied to other purposes, and were stored separately from any other personal information about the test taker. This was found to be a suitable measure in managing this sensitive information in the circumstances.
Control and monitor system access: Only make biometric information accessible to those employees who truly need it in the context of their work. Consider having a permission system in place to review requests and grant access.
You should maintain records of access to biometric information to help ensure that employee uses are legitimate and to assist in detecting unauthorized access. Organizational privacy incidents, including employee snooping, should be thoroughly investigated.
Depending on your use of biometrics, consider implementing an anomaly detection system that automatically notifies system administrators of unusual activity that could indicate a security breach.
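One way to act on the access-record and anomaly-detection points above, as an added example written for this page (not code from the OPC guidance or any product): it parses constructed audit-log lines, one per read of a stored template, and flags reads outside the administration team's working hours and any user whose daily read volume is far above their peers'. The log format, user names, hours and thresholds are assumptions.

```python
"""Reviewing access records for a stored-template database.

Added example, not code from the OPC guidance. Parses constructed
audit-log lines (one per read of a stored biometric template) and flags
two patterns that warrant follow-up in a snooping or breach review:
reads outside the team's working hours, and a user whose daily read
volume is far above the median. Format and thresholds are assumptions.
"""
from collections import Counter
from datetime import datetime
from statistics import median
from typing import Dict, List, NamedTuple, Tuple


class AccessEvent(NamedTuple):
    when: datetime
    raw_time: str      # original timestamp text, kept for reporting
    user: str
    template_id: str
    purpose: str


# Constructed sample log: ISO-8601 UTC timestamp, user, template id and
# purpose, tab-separated. "dave" exports twelve templates in one afternoon;
# "carol" reads one template late at night.
SAMPLE_LOG = (
    "2025-03-03T09:12:41Z\talice\tT-1001\tverify\n"
    "2025-03-03T09:40:02Z\tbob\tT-1002\tenrol-review\n"
    "2025-03-03T10:05:13Z\talice\tT-1003\tverify\n"
    "2025-03-03T11:30:00Z\tbob\tT-1004\tverify\n"
    "2025-03-03T15:22:09Z\talice\tT-1005\tverify\n"
    "2025-03-03T23:15:10Z\tcarol\tT-1006\tverify\n"
    + "".join(f"2025-03-03T14:{m:02d}:00Z\tdave\tT-{2000 + m}\texport\n"
              for m in range(12))
)


def parse_log(text: str) -> List[AccessEvent]:
    """Parse tab-separated lines into events; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw_time, user, template_id, purpose = line.split("\t")
        when = datetime.strptime(raw_time, "%Y-%m-%dT%H:%M:%SZ")
        events.append(AccessEvent(when, raw_time, user, template_id, purpose))
    return events


def off_hours(events: List[AccessEvent], start: int = 8,
              end: int = 18) -> List[Tuple[str, str]]:
    """Reads outside the [start, end) hour window (UTC), as (user, timestamp)."""
    return [(e.user, e.raw_time) for e in events
            if not start <= e.when.hour < end]


def bulk_readers(events: List[AccessEvent], factor: float = 3.0,
                 min_reads: int = 10) -> List[Tuple[str, str, int]]:
    """Users whose reads on one day exceed `factor` times the median per-user
    daily volume and reach at least `min_reads` (so a quiet day with a median
    of one read does not flag everyone)."""
    daily = Counter((e.user, e.when.date().isoformat()) for e in events)
    baseline = median(daily.values())
    return sorted((user, day, n) for (user, day), n in daily.items()
                  if n >= min_reads and n > factor * baseline)


def review(text: str) -> Dict[str, list]:
    """Run both checks over a log and return the findings for follow-up."""
    events = parse_log(text)
    return {"off_hours": off_hours(events), "bulk": bulk_readers(events)}


if __name__ == "__main__":
    for kind, hits in review(SAMPLE_LOG).items():
        print(kind, hits)
```

A flagged entry is a prompt for the investigation the guidance calls for, not a verdict: the export may be an authorised migration, and the late read may be an on-call verification. The check only works if the record it reads is complete and tamper-evident, so the audit log itself should be append-only and not writable by the accounts it records.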
Conduct testing and vulnerability assessments: You or a qualified third party should assess the vulnerability of your biometric system to ensure that your safeguards continue to be effective over time, and to identify vulnerabilities. The testing should include variables that depend both on the system’s design and installation, and the known vulnerabilities of the chosen form of biometric technology.
In the course of its investigations, the OPC has recommended that federal government organizations protecting significant volumes of sensitive personal information conduct regular penetration testing annually (at a minimum). This testing should include comprehensive external (that is, independent) penetration testing, as well as annual comprehensive internal assessments of the security of their online services. [Footnote 7]
Accuracy
Biometric systems are often used to make decisions about an individual, such as to obtain access to certain locations, or receive a good or service to which they are entitled. As a result, false positives and negatives can have significant consequences for an individual, including the potential violation of their human rights.
Under PIPEDA Principle 6, personal information must be as accurate, complete, and up to date as is necessary for the purposes for which it is to be used. This includes being sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.
You Must:
Choose a technology with suitable accuracy rates: Some biometric technologies are more accurate than others. For example, systems based on morphological biometrics can result in higher accuracy rates than behavioural biometrics when used for recognition. While many biometric systems have low error rates, a small number of errors can become significant when the system is scaled up.
The impact of inaccuracies can also depend on the nature and significance of the decisions being made. It is your responsibility to ensure conformity with relevant accuracy standards [Footnote 8], and to choose biometric systems with error rates that are appropriate and acceptable in the circumstances. In general, the accuracy of your biometric system should be higher when the consequences of errors for individuals are greater.
Minimize performance discrepancies across socio-demographic groups: The accuracy and effectiveness of biometric technologies can vary depending on race, gender, age, and other characteristics. It is your responsibility to ensure that your use of biometrics does not discriminate between groups of individuals in ways that are contrary to human rights law.
You Should:
Test before going live: Biometric systems can perform differently in real-world conditions than in laboratory testing environments. You should test your biometric system on operationally relevant data to ensure that it is sufficiently accurate for your purpose before going live with your program or initiative. This includes testing for variation in system performance across different demographic groups to help minimize the risk of bias. Ensure that this testing is done by an individual or entity with appropriate expertise.
Keep in mind that you must meet all privacy obligations relating to your use of biometrics during testing, even if your initiative has not yet launched. This includes obligations to ensure that you have consent for any collection, use, or disclosure of biometric information.
You should avoid relying exclusively on claims of accuracy from a biometrics technology vendor to ensure that your use meets accuracy obligations. Where possible, supplement vendor information and your own testing with the results of independent expert research and testing.
Monitor consistently: Minor changes in environmental factors can affect the accuracy of biometric systems. For example, changes in ambient lighting or camera positioning can affect the accuracy of facial recognition systems. Similarly, changes in the technology itself can impact system accuracy, for example following software updates provided by a system vendor. It is therefore important that you test the accuracy of your biometrics system regularly and make any necessary adjustments on an ongoing basis to ensure that you continue to meet your accuracy obligations.
It is not always necessary to obtain separate consent to use biometric information for the purpose of ensuring that a vendor’s biometric system is functioning as intended. In general, such testing is a use that aligns with the primary purpose for which the information is collected, and therefore does not require separate consent over and above consent for the biometric system’s primary use. However, organizations should always account for whether their testing would be reasonably expected and appropriate in the particular context or goes beyond a purpose that aligns with the primary use and adjust their consent practices accordingly.
Develop a procedure for handling false matches: Biometric systems cannot ensure 100% accuracy. You should therefore be prepared for situations in which your system provides false positives, false negatives, or non-matches. Where these situations arise, you should offer an alternate identifier in a timely manner, resolve the issue for impacted individuals, take steps to ensure that the issue does not recur, and ensure that such errors do not result in systemic biases.
Accountability
Under PIPEDA Principle 4.1, you are responsible for the personal information under your control.
You Must:
- Comply with all ten principles listed in Schedule 1 of PIPEDA.
- Appoint someone to be responsible for the organization’s PIPEDA compliance and to whom individuals can ask questions and raise concerns.
- Protect all personal information in the possession or custody of the organization, including any personal information transferred to a third party for processing.
- Develop and implement policies and practices to give effect to PIPEDA’s principles.
- Report any breach that poses a real risk of significant harm to individuals.
You may decide to use the expertise of an external organization to set up and administer your biometric system and give them access to biometric information through that system. If you do so, you must use contractual or other means to ensure a comparably strong level of privacy protection while the information is being processed by that third party. Irrespective of where the third party is located, you must be satisfied that the third party has policies and processes in place to ensure that the information in its care is properly safeguarded at all times.
Provide employees with the proper knowledge and support: You must ensure that employees of your organization who are responsible for managing biometric information are provided with the proper training, guidance, and supervision to perform their duties.
You Should:
Implement a robust governance structure: You should integrate accountability for your use of biometrics into your privacy management program (PMP). This includes internal policies and controls to ensure that biometric information is collected, used, disclosed and stored as intended. It also includes internal audit and review mechanisms to ensure continued compliance with privacy obligations over the entire lifecycle of your biometrics program or initiative.
If your organization does not have a privacy management program, consider establishing one. PMPs can help to ensure compliance with privacy obligations and to demonstrate that compliance to regulators. Consult the OPC’s guidance on privacy management programs for further information.
Set conditions for pausing use: Before going live with your use of biometrics, you should define circumstances in which you will stop or suspend use of the technology. These may include indicators of effectiveness or accuracy that do not meet expectations, as well as circumstances relating to unauthorized access or use of the technology.
Incorporate human review: Important decisions that can affect individuals’ ability to access products and services should not be fully automated. Keep a “human in the loop” in situations involving significant decisions, such as by manually reviewing potential matches or estimations made by biometric systems. Decision-making should be subject to a fair process that allows such decisions to be contested and reviewed.
Develop robust breach response plans: If there is a privacy breach of biometric information, you may be required to report it to a number of parties within short timelines. You will also be required to maintain records of all breaches. To be prepared for a breach scenario, you should develop robust, efficient, and detailed procedures related to reporting mechanisms and any remedial actions to be taken. The OPC has developed guidance for responding to a privacy breach for organizations.
Demonstrate accountability: You should stand ready to demonstrate your compliance with applicable privacy law(s) to regulators. You should be ready to show records such as how the system was designed, and the steps you took to ensure that it was protective of privacy.
Integrate the ability to audit contractors: Where biometrics are concerned, organizations should integrate the right to audit and inspect how the third party handles personal information into the contract and include measures to address non-compliance.
Openness
PIPEDA Principle 4.8 requires you to be open and transparent with individuals about how you manage personal information.
You Must:
Post the privacy policy: You must make your policies and practices governing biometric information readily available to individuals, and in an understandable form. This must include a description of the type of biometric information your organization holds, a general account of its use, and what information is made available to related organizations (for example, subsidiaries).
This information must be provided in addition to any information you give to obtain valid consent.
Provide the contact information of the person accountable: You must provide the name or title and contact information of the person accountable for your organization’s policies and practices, to whom inquiries and complaints can be made. Under PIPEDA Principle 4.10, individuals must be able to challenge your organization’s compliance with privacy obligations, including those relating to the use of biometric technology.
You Should:
Be transparent about retention practices and legal obligations: Your privacy policy should include specific information about your retention of biometric information, including how long it is kept, what jurisdictions it is stored in, and under what circumstances it is destroyed. You should also tell individuals up-front, where possible, about situations where you are unable to delete personal information upon request based on other legal obligations. You should explain this in response to any deletion request, citing the relevant legal provision.
Be specific about service providers, wherever possible: In the spirit of being open with individuals, you should provide the name or describe the type of service provider(s) that you transfer biometric data to. While organizations remain accountable for their use of service providers, you should be proactive in allowing interested individuals to know where their biometric information is going.
Inform individuals about transfers to service providers: You should make readily available to individuals information about service providers that you use to process biometric information on your behalf, including any risk of harm or other consequences that may result from a transfer to a service provider. When a service provider is located in a foreign country, you should inform individuals of any transfer of their personal information to that country. You should also tell them about the risk that their personal information may be accessed by law enforcement and national security authorities under the laws of that country. Do this in clear and understandable language.
Explain automated decisions: Be prepared to provide individuals who may be subject to an automated decision using biometrics with information about key details of the biometric system and its use, including what biometric information is used to make the decision and reasons for the outcome.
The OPC welcomes organizations and the public to provide feedback on this guidance. Please send any comments or questions about the guidance to retroactionpolitique-policyfeedback@priv.gc.ca.