How to use biometric authentication and remain compliant with data protection regulations

Biometric authentication by means of iris scans, fingerprints, vein patterns and so on have one major advantage unlike passwords, the user cannot forget the information. On the other hand, biometric data can be used to conclude the person and that makes it significant for data protection. But there is no need to miss out on it. In this article, we highlight what you need to be considering when using biometric methods.


Biometric data for your security


In biometrics, or biometric methods, peoples' natural, distinctive, physiological or behavioural characteristics are used for authentication purposes. Biometric procedures are nothing new; signatures and individual face checks have been in use for a long time. For example, dactyloscopy (fingerprint analysis) has played an important role in criminal cases for over a hundred years.

In comparison to other authentication methods such as PINs and passwords, biometric data provides extra security, because personal biometric data cannot be forgotten or lost. It is also not possible to “pass it on” (PIN, password) to other people. The advantages for the user as well as their use by companies in conjunction with IAM (Identity & Access Management) solutions are obvious.

On the downside, once it has been “compromised”, (i.e. if it has fallen into the wrong hands) biometric data cannot be changed like a password. Furthermore, it may allow other conclusions to be drawn about the person in question (we will come back to this later on). This is why the Swiss Data Protection Act (DSG) and the European General Data Protection Regulations (GDPR) set high standards in terms of data security and data protection.

Biometric data says a lot about the person

Biometric features can currently only be changed in exceptional cases and with considerable effort, e.g. by cosmetic surgery on the facial features. For this reason, biometric data is not just person-related, it is person-specific. The raw data obtained in this way is according to the definition of the term unique to each person and can be assigned to a specific person almost “anytime and anywhere”. A distinction is made between two groups:

  1. Physiological characteristics: facial features, fingerprints, hand outlines, iris, vein structure of a hand or finger, etc.
  2. Behavioural characteristics: signature, voice pattern, gait, type of keystroke, etc.

Furthermore, we distinguish between two types of biometric data:

  1. Biometric data (biometric imprint): corresponds to the physical or digital representation of a biometric characteristic that can be used by a biometric recognition system.
  2. Biometric template (biometric pattern): corresponds to a number of measurement points / features extracted from the raw biometric data. So a template corresponds to a subset of the raw data.

In principle, raw biometric data captured by sensors contains much more information than the template derived from it. For this reason and the principle of data economy (only really necessary data), it is preferable to file or store biometric templates.

In a nutshell, biometric data is usually inextricably linked to a specific person. This means that raw data and templates created from it are personal data; even without any other reference to persons such as names. They are usually also linked to additional identification or addressing information such as name, first name, gender, date of birth, etc.

It is important to protect personal data

Biometric data is not explicitly mentioned in the current Swiss Data Protection Act (DSG), but it is mentioned in the guidelines of the Federal Data Protection and Information Commissioner (EDÖB). These guidelines contain many recommendations for protecting this data and protecting the identity of the people concerned, within the meaning of the Data Protection Act. For example, it has been pointed out that biometric identifiers like fingerprints, the geometry of the hand and face, a digital scan of the iris and voice recognition can be used to conclude a person's ethnic origin and their health status. Ethnic origin and health status constitute particularly sensitive personal data (pursuant to Art. 3 letter c of the DSG), and the processing of this data must comply with more stringent restrictions and requirements.

In the European General Data Protection Regulation (GDPR), biometric data (according to Art. 4 No. 14 of the GDPR) is also considered as a “special category of personal data” (according to Art. 9 of the GDPR) where it is used to uniquely identify a natural person. This is of course the case with biometric authentication methods. In principle, under paragraph 1 it is prohibited to process this category of data (unless there is an exceptional reason explicitly listed in paragraph 2). The following guiding principles should be observed:

  • The processing of personal data must be performed lawfully.
  • For the persons concerned, the purpose must be recognisable and strictly adhered to by the company (earmarking: no processing of biometric data for any other purpose, e.g. analysing the state of a person's health on the basis of the voice profile).
  • Proportionality must be ensured.
  • Biometric recognition systems should be designed in such a way and, where necessary, adapted, to ensure the accuracy and high quality of biometric data.
  • The rights of the data subjects must be guaranteed, e.g. the right to access and correct inaccurate data.
  • Data security must be ensured by implementing suitable technical and organisational measures.

Particular attention must be paid to ensure that the processed data remains within the jurisdiction of the data subject and that no inappropriate data processing is carried out.

Biometric authentication measures what you need to consider

As is the case when processing other personal data, appropriate security measures must also be taken in biometric procedures, such as encryption, protection against manipulation of hardware and software and of the data itself, protection during recording and processing, digital signature, access and entry rights, etc. However, ensuring the technical security of the biometric procedure is not enough on its own. You also need to take the following points on board when using biometric authentication methods and systems:

  • Only those biometric procedures that are technically advanced with a hit rate as close as possible to 100% probability may be used.
  • Technical security measures must be taken to reduce error rates and the negative consequences of any technical defects.
  • Wherever possible, biometric data belongs within the jurisdiction of the person concerned and not of the system operator.
  • The requirements that flow from the principle of proportionality (as little personal data as possible; non-sensitive and non-centrally stored personal data; anonymization or pseudonymization, and destruction) must be observed when processing biometric data, as well as marginal data from biometric systems.

Is it even permissible to use biometric data for access controls?

With all these requirements and framework conditions, you are now bound to be asking yourself whether access systems based on biometric authentication procedures are permissible at all. We clearly believe they are! However, there are some things that need to be considered.

The Swiss Federal Data Protection and Information Commissioner (EDÖB) has also expressed criticism of the use of recognition systems based on biometric features within the workplace, particularly because by doing so, employers are encroaching on employees' personal rights. There must be a justification for processing this kind of biometric data. However, on its own, this is not enough. Additionally, it must be ensured that the identification system to be used complies with data protection requirements. The guide mentioned above also provides valuable services here.

It is also made clear that, wherever possible, the only kinds of biometric data that should be captured are those that do not leave any trace and cannot be captured without the person concerned being aware of it e.g. a hand outline or hand vein pattern. Moreover, the biometric data should be stored in a decentralised location in encrypted form on a secure medium and kept secure.

So, as you can see, there are quite a few things to take into consideration before using access controls based on biometric features. Ask us about it, we will be happy to advise you.


Our 6 tips for using biometric authentication methods in everyday life

There are tremendous advantages in using biometric methods for user authentication. However, the requirements for designing biometric procedures in a way that is compatible with data protection must be observed. If you follow these 6 points, there is nothing to stand in the way of using them.

  1. No use of raw data, only reduction to reference data (templates) to exclude superfluous information
  2. Appropriate choice of the procedure with the user's active involvement; leave no trace and exclude undetected capture of data.
  3. Decentralised template storage, if possible at the user’s sole disposal (e.g. a chip card) or a dedicated (offline) computer
  4. Protection of biometric data from unauthorised inspection and processing.
  5. Consistent use of encryption for biometric data.
  6. Transparency of procedures and security mechanisms.

Provided that the data protection framework conditions mentioned above are complied with, using biometric procedures poses no threat to the right to self-determination of information; in fact, it makes a contribution to heightened data security by means of direct, genuine verification and authentication.

Identifying and remedying the gaps in compliance with data protection

Every company using biometric data must be aware of the possible effects on processes and infrastructure. These should be comprehensively reviewed based on the aspects described above. A comprehensive gap analysis either subject to the Swiss Data Protection Act (DSG) or the European General Data Protection Regulation (GDPR) depending on your company's data categories is the first step in this process. Get support! Our data protection experts can provide you with assistance in all aspects, from questions about data protection requirements, GAP analysis, technical security checks, strategy definition and conception to raising awareness and implementation. You can find more information about our data protection services here:

InfoGuard Data Security Service

<< >>

Data Governance

Reinhold Zurfluh
About the author / Reinhold Zurfluh

InfoGuard AG - Reinhold Zurfluh, Head of Marketing, Mitglied des Kaders

More articles from Reinhold Zurfluh

Related articles
Identity protection – we can only protect what we're able to see
Identity protection – we can only protect what we're able to see

The bold headline of this blog article accurately captures the biggest challenge in identity protection. All [...]
Psychology – the underrated force in cyber security
Psychology – the underrated force in cyber security

Phishing is an issue that is a constant source of concern, and not just for companies. Do you remember one of [...]
Zero trust is redefining cyber security
Zero trust is redefining cyber security

In cyber security, identities are the real problem, numerous security breaches and successful attacks are due [...]

Exciting articles, the latest news and tips & tricks from our experts on all aspects of Cyber Security & Defence.

Blog update subscription
Social Media