Biometric Privacy Issues Are Growing. Here's What Businesses Need To Know

By Ruth L Stewart, BA, RN, MHA, CHE | Published August 10, 2021

Biometric identification, the use of unique physical or behavioural characteristics to identify individuals, has been around for decades.1 With advances in technology, biometric authentication is now part of everyday life, allowing users of biometric-enabled personal devices to unlock their laptops and smartphones with fingerprint and facial recognition. This technology is increasingly being used by businesses and workplaces to identify an individual for controlled access to buildings and sensitive information, putting cybersecurity at risk. Here’s what you need to know about biometric privacy.

 

Biometric Data Collects Personal Information

 

Whether it’s a fingertip, a face or an iris being scanned or some other biometric data being collected, it’s considered personal information about an “identifiable individual.”2 Canada’s Personal Information and Protection of Electronic Data Act (“PIPEDA”) applies to private-sector organizations in Canada that collect, use or disclose personal information in the course of a commercial activity. PIPEDA considers “forms of biometric information, such as fingerprints and voiceprints”3 as personal information and subject to the provisions of PIPEDA. British Columbia, Alberta and Quebec have their own privacy legislation, which has been deemed substantially similar to PIPEDA.

 

PIPEDA’s Impact on Businesses

 

Under PIPEDA, businesses are obliged to:

  • Describe what personal information the business will collect and the purpose of its collection
  • Obtain consent for the use, collection and disclosure of personal information
  • State the retention period for the information and how the information will be disposed of in a manner that prevents a privacy breach 
  • Use the appropriate safeguards to protect the information

 

The Privacy Guide for Businesses4 published by the Office of the Privacy Commissioner of Canada provides detailed information for those planning to collect biometric data. Businesses operating in British Columbia, Alberta and Quebec must adhere to the requirements of their provincial legislation when developing a plan. Businesses should consider consulting their legal counsel to ensure they understand their responsibilities under the applicable privacy legislation. Policies and procedures should be created to protect biometric information and inform employees and business associates of what will be collected and why.

 

Privacy Concerns and Biometric Screening

 

Biometric data is useful because it is unique, permanent and easily collectible. Safeguarding biometric information from being breached is critical to a business’ privacy. A person’s biometric data can be collected easily without consent, putting them at risk for identity theft and financial crime.

 

Businesses collecting biometric information should assess the risks of a breach and implement measures to prevent a privacy violation. Robust cybersecurity measures include:

  • Passwords of at least 12 characters that are a unique combination of upper- and lower-case letters, symbols, and numbers
  • Two-factor identification
  • Encryption of biometric information to prevent reverse engineering of personal data
  • Firewalls and up-to-date firmware and software
  • Security software such as anti-spyware, anti-malware and anti-virus programs to help detect and remove malicious code
  • Regularly updated operating systems, software and security patches 
  • Intrusion detection software to detect unauthorized or unusual activity on the system or network

 

The Bottom Line

 

Any business planning to collect biometric information must ensure its practices comply with applicable privacy legislation. A breach of biometric information has the potential to create liability for a business, including to the individuals whose identities were exposed. Contact your local underwriter to learn how you can mitigate biometric privacy risks to your business.

 

 

1 Aird & Berlis LLP. (Undated.) Biometric Identification and Privacy Concerns: A Canadian Perspective. Retrieved at: https://www.airdberlis.com/docs/default-source/articles/biometric-identification-and-privacy-concerns.pdf?s.

2 Office of the Privacy Commissioner of Canada. (2011.) Data at Your Fingertips Biometrics and the Challenges to Privacy. Retrieved at: https://www.priv.gc.ca/en/privacy-topics/health-genetic-and-other-body-information/gd_bio_201102/.

3 Office of the Privacy Commissioner of Canada. (2013.) https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-interpretation-bulletins/interpretations_02/.

4 Office of the Privacy Commissioner of Canada. (updated 2020.) Privacy Guide for Businesses. Retrieved at: https://www.priv.gc.ca/media/2038/guide_org_e.pdf.

In Canada, the products and/or services described are provided by Continental Casualty Company, a property and casualty insurance company. The information is intended to present a general overview for illustrative purposes only. Read CNA's general disclaimer.

Ruth L Stewart, BA, RN, MHA, CHE
Senior Risk Control Consultant

Ruth Stewart is a Senior Risk Control Consultant, Healthcare, at CNA Canada. Ruth brings to her role experience in clinical nursing, including surgery, intensive care and trauma nursing, as well as in risk management in the not-for-profit sector. She left the healthcare sector to work with an international broker, using her clinical and operational knowledge to help acute care and long-term care insureds better manage their risks. Ruth works directly with insureds to manage operational risk and develops publications, tools and other resources to help insureds manage risk. Ruth collaborates with a team of seasoned healthcare risk control and governance professionals in the United States and the United Kingdom to provide a full range of risk services to CNA insureds.

 

Ruth received her nursing education from George Brown College and her Master of Health Administration from the University of Ottawa. She is a member of the College of Nurses of Ontario (CNO) and a certified member (CHE) of the Canadian College of Health Leaders (CCHL).