Biometric scans and privacy legislation

Posted On 27 Mar 2017
Comment: Off

Amidst the chaos of Brexit, many security minded organisations are concerned about the implications of the European Regulation on the Protection of Individuals with regard to the Processing of Personal Data, adopted in 2016 and planned to be enforceable in May 2018

As an integral component of EU privacy and human rights law; it regulates the processing and distribution of personal data. In essence it will become illegal, or certainly contrary to the regulation, to link the stored data to the individual. Furthermore, the regulation states that personal data should not be processed unless the individual is informed and at least one of a set of strict criteria are met.

Whilst the regulations are designed to protect individual’s rights to privacy, they will have enormous implications for the security industry which now must adapt to comply.

Shaun Oakes, Managing Director of ievo explains: “The regulation is designed to prevent stored data being linked to individuals and used for purposes other than ensuring the security of whatever system it was designed for and transferring this data to third parties. Biometric data – fingerprint scans in our case – comes under the heading of a ‘special privacy element’ which are forbidden to use and process, unless, and this is very important, one of a number of criteria apply, the most pertinent of which is the data subject has given permission.”

Biometric systems which utilise feature-based matching fully comply with this legislation as they do not store the raw biometric data or image; but rather extract a salient set of features known as minutiae from which an individual template is generated. This method sees a system of ‘pseudonymisation’ where the data is processed in a manner where it can no longer be attributed to an individual without the use of additional information which is stored separately and subject to strict technical and organisational control.

“Following a high-resolution scan of the finger, algorithms separate the foreground from the background of the image; it then enhances the image, detects minutiae points and creates a pattern. It is this pattern that is stored on the controller (which are installed separately from the sensor) which, when combined with encryption using AES (Advanced Encryption Standard) ciphers and further confidential safeguards serve to eliminate tampering. It is important to note that the original scanned image of a fingerprint is never stored.”

“As such many older systems which store biometric and/or personal data of card holders, or those with knowledge of key pad combinations, may well have to review their compliance,” warns Shaun.