Biometric Privacy Issues Are Growing. Here's What Businesses Need To Know

By Ruth L Stewart, BA, RN, MHA, CHE | Published August 10, 2021

Biometric identification, the use of unique physical or behavioural characteristics to identify individuals, has been around for decades.1 With advances in technology, biometric authentication is now part of everyday life, allowing users of biometric-enabled personal devices to unlock their laptops and smartphones with fingerprint and facial recognition. This technology is increasingly being used by businesses and workplaces to identify an individual for controlled access to buildings and sensitive information, putting cybersecurity at risk. Here’s what you need to know about biometric privacy.


Biometric Data Collects Personal Information


Whether it’s a fingertip, a face or an iris being scanned or some other biometric data being collected, it’s considered personal information about an “identifiable individual.”2 Canada’s Personal Information and Protection of Electronic Data Act (“PIPEDA”) applies to private-sector organizations in Canada that collect, use or disclose personal information in the course of a commercial activity. PIPEDA considers “forms of biometric information, such as fingerprints and voiceprints”3 as personal information and subject to the provisions of PIPEDA. British Columbia, Alberta and Quebec have their own privacy legislation, which has been deemed substantially similar to PIPEDA.


PIPEDA’s Impact on Businesses


Under PIPEDA, businesses are obliged to:

  • Describe what personal information the business will collect and the purpose of its collection
  • Obtain consent for the use, collection and disclosure of personal information
  • State the retention period for the information and how the information will be disposed of in a manner that prevents a privacy breach 
  • Use the appropriate safeguards to protect the information


The Privacy Guide for Businesses4 published by the Office of the Privacy Commissioner of Canada provides detailed information for those planning to collect biometric data. Businesses operating in British Columbia, Alberta and Quebec must adhere to the requirements of their provincial legislation when developing a plan. Businesses should consider consulting their legal counsel to ensure they understand their responsibilities under the applicable privacy legislation. Policies and procedures should be created to protect biometric information and inform employees and business associates of what will be collected and why.


Privacy Concerns and Biometric Screening


Biometric data is useful because it is unique, permanent and easily collectible. Safeguarding biometric information from being breached is critical to a business’ privacy. A person’s biometric data can be collected easily without consent, putting them at risk for identity theft and financial crime.


Businesses collecting biometric information should assess the risks of a breach and implement measures to prevent a privacy violation. Robust cybersecurity measures include:

  • Passwords of at least 12 characters that are a unique combination of upper- and lower-case letters, symbols, and numbers
  • Two-factor identification
  • Encryption of biometric information to prevent reverse engineering of personal data
  • Firewalls and up-to-date firmware and software
  • Security software such as anti-spyware, anti-malware and anti-virus programs to help detect and remove malicious code
  • Regularly updated operating systems, software and security patches 
  • Intrusion detection software to detect unauthorized or unusual activity on the system or network


The Bottom Line


Any business planning to collect biometric information must ensure its practices comply with applicable privacy legislation. A breach of biometric information can expose a business to liability, including to the individuals whose identities were exposed. Contact your local underwriter to learn how you can mitigate biometric privacy risks to your business.



1 Aird & Berlis LLP. (Undated.) Biometric Identification and Privacy Concerns: A Canadian Perspective. Retrieved at:

2 Office of the Privacy Commissioner of Canada. (2011.) Data at Your Fingertips Biometrics and the Challenges to Privacy. Retrieved at:

3 Office of the Privacy Commissioner of Canada. (2013.)

4 Office of the Privacy Commissioner of Canada. (updated 2020.) Privacy Guide for Businesses. Retrieved at:

