Biometric Privacy Issues Are Growing. Here's What Businesses Need To Know

Biometric identification, the use of unique physical or behavioural characteristics to identify individuals, has been around for decades.¹ With advances in technology, biometric authentication is now part of everyday life, allowing users of biometric-enabled personal devices to unlock their laptops and smartphones with fingerprint and facial recognition. This technology is increasingly being used by businesses and workplaces to identify an individual for controlled access to buildings and sensitive information, putting cybersecurity at risk. Here’s what you need to know about biometric privacy.

Biometric Data Collects Personal Information

Whether it’s a fingertip, a face or an iris being scanned or some other biometric data being collected, it’s considered personal information about an “identifiable individual.²”Canada’s Personal Information and Protection of Electronic Data Act (“PIPEDA”) applies to private-sector organizations in Canada that collect, use or disclose personal information in the course of a commercial activity. PIPEDA considers “forms of biometric information, such as fingerprints and voiceprints”³ as personal information and subject to the provisions of PIPEDA. British Columbia, Alberta and Quebec have their own privacy legislation, which has been deemed substantially similar to PIPEDA.

PIPEDA’s Impact on Businesses

Under PIPEDA, businesses are obliged to:

• Describe what personal information the business will collect and the purpose of its collection
• Obtain consent for the use, collection and disclosure of personal information
• State the retention period for the information and how the information will be disposed of in a manner that prevents a privacy breach 
• Use the appropriate safeguards to protect the information

The Privacy Guide for Businesses⁴ published by the Office of the Privacy Commissioner of Canada provides detailed information for those planning to collect biometric data. Businesses operating in British Columbia, Alberta and Quebec must adhere to the requirements of their provincial legislation when developing a plan. Businesses should consider consulting their legal counsel to ensure they understand their responsibilities under the applicable privacy legislation. Policies and procedures should be created to protect biometric information and inform employees and business associates of what will be collected and why.

Privacy Concerns and Biometric Screening

Biometric data is useful because it is unique, permanent and easily collectible. Safeguarding biometric information from being breached is critical to a business’ privacy. A person’s biometric data can be collected easily without consent, putting them at risk for identity theft and financial crime.

Businesses collecting biometric information should assess the risks of a breach and implement measures to prevent a privacy violation. Robust cybersecurity measures include:

• Passwords of at least 12 characters that are a unique combination of upper- and lower-case letters, symbols, and numbers
• Two-factor identification
• Encryption of biometric information to prevent reverse engineering of personal data
• Firewalls and up-to-date firmware and software
• Security software such as anti-spyware, anti-malware and anti-virus programs to help detect and remove malicious code
• Regularly updated operating systems, software and security patches 
• Intrusion detection software to detect unauthorized or unusual activity on the system or network

The Bottom Line

Any business planning to collect biometric information must ensure its practices are in compliance with applicable privacy legislation. A breach of biometric information has the potential to cause liability for a business, including the individuals whose identities were exposed. Contact your local underwriter to learn how you can mitigate biometric privacy risks to your business.

_{¹ Aird & Berlis LLP. (Undated.) Biometric Identification and Privacy Concerns: A Canadian Perspective. Retrieved at: https://www.airdberlis.com/docs/default-source/articles/biometric-identification-and-privacy-concerns.pdf?s.}

_{² Office of the Privacy Commissioner of Canada. (2011.)  Data at Your Fingertips Biometrics and the Challenges to Privacy. Retrieved at: https://www.priv.gc.ca/en/privacy-topics/health-genetic-and-other-body-information/gd_bio_201102/.}

_{³ Office of the Privacy Commissioner of Canada. (2013.) https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-interpretation-bulletins/interpretations_02/.}

_{⁴ Office of the Privacy Commissioner of Canada. (updated 2020.) Privacy Guide for Businesses. Retrieved at: https://www.priv.gc.ca/media/2038/guide_org_e.pdf.}