Draft Guidance for processing biometrics – for public institutions
Published: 2023
Target Audience: Federal Government Institutions
Authority: Privacy Act
Issued: Office of the Privacy Commissioner of Canada
Status:
Public consultation | Analyzing feedback | Adopted guidance |
Overview
There has been increasing interest in using biometrics to deliver faster services to individuals and to more efficiently fulfill mandates.
With the promise of biometrics, however, come serious concerns about privacy. They are intimately linked to an individual’s body and when used for recognition, are unique, unlikely to vary significantly over time, and difficult to change in their underlying features. These identifiers can be an enabler of surveillance, and if breached, could expose individuals to fraud and identity theft. Challenges with the accuracy of some biometric technologies have also been well documented, which is of further concern when they are used to make automated decisions about individuals.
This document provides guidance on federal institutions’ privacy obligations when handling biometric information. Note that while it addresses some of the main considerations, institutions remain responsible for understanding all of their obligations under applicable laws, regulations, and instruments.
The privacy authorities in Canada have jointly issued separate guidance on the use of facial recognition by police agencies.
Biometric Technology
“Biometrics” refers to the quantification of human characteristics into measurable terms. They are used for recognition and, less commonly, for categorization.
Biometric recognition:
There are three main categories used for recognition:
- Morphological biometrics — such as fingerprints;
- Behavioural biometrics — such as keystroke patterns; and
- Biological biometrics — such as DNA.
There are three general stages that encompass how biometrics are used to recognize an individual: enrollment, storage, and matching.
Enrollment: This is the first time an individual’s biometrics are collected. A scanner, sensor, microphone, camera, or other technology is used to capture the biometric. The biometric recording is usually algorithmically converted into a mathematical representation, known as a biometric template.
Storage: The biometrics obtained during enrolment can be stored locally in the operations centre where the enrolment took place (e.g. in a reader) for later use, on a device carried by the individual (e.g. on a smart card), or in a centralised database accessible by one or more biometric systems.
Matching: A “probe” biometric is collected from the individual, and is usually converted into a template to allow for an automated comparison against the previously enrolled biometric for the purposes of:
- Authentication: by matching an individual’s probe biometric to the previously stored sample only (one-to-one comparison) to confirm who they are.
- Identification: by cross-referencing an individual’s biometric against a database (one-to-many comparison) to search for who they are.
Many biometric systems use algorithms to perform a number of functions, including to compare two templates together and provide a similarity score. If the similarity score passes the set threshold of the system, a positive match is provided. Such algorithms learn to perform these automated functions through the use of training data, the quality of which can affect the accuracy of the overall system.
Biometric categorization:
Biometrics can be used to determine if an individual belongs to a group with a particular shared characteristic. Categorization could be based on the biometric data itself or by drawing inferences from this data. For example, the measurement of physiological responses to certain stimuli, such as pupillometry or micro-expression analysis, may be used to deduce interests or emotions, and assign an individual to a category.
Guidance
Assess the Appropriateness of an Initiative
Among the first steps you must take when planning your biometric initiative is specifying the purpose you are trying to achieve. You must then evaluate whether the purpose of the biometrics initiative is appropriate in the circumstances, which forms part of the Privacy Impact Assessment (PIA) process that is required for government institutions. Appropriateness requires a contextual assessment, and it cannot be replaced by obtaining the consent of individuals.
To guide this assessment, you should evaluate and adjust the proposed biometric program using the following criteria:Footnote 1
Do not use biometrics if you are uncertain that it would be appropriate in the circumstances. If your institution cannot explain how your collection, use, or disclosure of biometrics is rationally connected to a pressing and substantial public interest goal, the initiative should not go forward.
| Criterion | Assessment |
|---|---|
| Sensitivity | Biometrics are a sensitive type of information, but some biometrics may be highly sensitive based on their innately intimate nature and/or the types of harm that could result from their misuse. You should select a suitable biometric modality that presents the least risk to the individual concerned. For example, facial recognition will generally be considered more sensitive than palm-vein scanning, which cannot be passively collected or as easily used to link data about an individual’s activities. The sensitivity of personal information, on its own, is not determinative of whether an institution is justified in its collection, use, or disclosure; however, the more sensitive the information, the greater the justification may be required for its collection, use, or disclosure. |
Necessity | Demonstrate that your institution’s biometric program or initiative is necessary to meet a specific, legitimate, and defensible need. Are you using biometrics to resolve a substantial problem, such as to safeguard highly valuable assets or information? Is there empirical evidence of a problem that biometrics will solve? Indicate why other non-biometric options are not sufficient in your context. Biometrics may not be necessary if your purpose can be achieved without using this type of information.Footnote 2 If the underlying institutional rationale is to increase convenience or enhance user experience, your biometric initiative is likely inappropriate. For example, biometrics are not necessary to assess a candidate for a job. Consider whether your needs are rationally connected to an institutional goal that is pressing or substantial, and document this clearly. Personal information, including biometrics, must never be collected for a speculative or prospective purpose to be determined at a later date. |
Effectiveness | Ensure that the proposed biometric program or initiative will be effective in meeting the pressing and substantial goal identified. There should be a high degree of organizational confidence that the biometric program will be effective and reliable, as a whole. There should be a clear plan of how to measure the effectiveness of the program. The program must be designed to effectively address the issue for which it is deployed. Consider the scientific and technical validity of the method or process, the accuracy of the technology and error rates, and the risk that the biometric technology could be spoofed or circumvented. Using biometric technologies for purposes that lack overall scientific validity will not be considered effective. For example, biometric technologies that purport to evaluate the trustworthiness of an individual, identify their mental state, or infer their competencies do not have scientific backing at this time. |
Proportionality | Assess whether the biometric program or initiative’s impact on privacy is proportional to the benefits gained. Will the stated purpose be more effectively achieved through biometrics than using a less intrusive option? And is this gain in effectiveness proportional to the increased level of intrusion? For example, it would be disproportionate to indiscriminately extract biometrics from video surveillance footage of individuals in a building lobby. Behavioural biometrics that rely on the analysis of large amounts of behavioural data are more likely to be disproportionate than using morphological biometrics. While the loss of privacy that results from the handling of biometrics is generally high, some biometrics are particularly sensitive and may therefore result in even more significant impacts on privacy. For this loss of privacy to be proportional, the benefits of your biometric program must be commensurately high. Ensure that the biometric program is also proportional in its design — meaning it is narrowly scoped with limited actors, as opposed to broad, general, and undefined. The implementation of technical and other protective measures is an important factor in mitigating the privacy impacts of using biometrics, but adequate safeguards alone cannot render a collection, use, or disclosure of biometrics appropriate. |
Minimal Intrusiveness | Assess whether there are less intrusive means of achieving the purpose other than through the collection, use, or disclosure of biometrics. Is there evidence that other, less privacy intrusive means cannot achieve the same objective? A biometric initiative being deemed more convenient than alternatives is unlikely to satisfy this requirement. For example, biometric categorization can lead to “social sorting” (i.e., associating individual data with social groups and treating them differently), a key aspect of surveillance. Such a purpose is privacy invasive and may be ethically problematic, requiring a strong justification. Further, social sorting may engage legal issues under human rights law, based on discrimination on prohibited grounds. What steps can be taken to reduce privacy intrusion as much as possible? Consider whether biometrics of a less sensitive nature could be employed or whether there are ways to limit the role of biometrics in the proposed program. |
The OPC has applied these criteria to biometric initiatives in previous Reports of Findings, which may be informative for completing your own assessment of appropriate purposes:
In our joint-investigation into Clearview AI (PIPEDA Findings #2021-001), we determined that the company’s online scraping of images and creation of biometric facial recognition arrays from them represented mass identification and surveillance of individuals. We therefore found Clearview’s purposes to be inappropriate, particularly where they: (i) are unrelated to the purposes for which those images were originally posted; (ii) will often be to the detriment of the individual whose images are captured; and (iii) create the risk of significant harm to those individuals, the vast majority of whom have never been and will never be implicated in a crime.
Following our investigation, we also found that since Clearview’s personal information collection practices were not compliant with its legal obligations, the RCMP’s subsequent collection of that information fell outside its legitimate operating programs and activities, thus representing a contravention of Section 4 of the Privacy Act.
Consent
Under the Privacy Act government institutions can only collect personal information that relates directly to an operating program or activity of the institution. Obtaining an individual’s consent to collect personal information does not replace or establish authority for the collection of that information.Footnote 3
Subject to certain exceptions, government institutions must collect personal information directly from individuals wherever possible and inform them of all the purposes for which their personal information is being collected. Therefore, absent the consent of the individual, a government institution should generally not collect biometrics intended to be used for an administrative purpose from other sources, including publicly available ones.Footnote 4
Consent is generally required for uses or disclosures of information if they are for purposes other than those for which the information was originally collected, with some exceptions.Footnote 5 Where consent is required, a critical part is to ensure that individuals have proper knowledge of how you will manage their personal information.
You Must:
If your biometrics initiative is voluntary to enrol in and you are seeking consent from individuals, you must:
Obtain express, informed, and specific consent: When relying on consent, you must almost always seek express consent for the use or disclosure of biometrics, including biometric templates. Express consent involves active rather than passive affirmation on the part of the individual, meaning that you should not take biometrics from individuals without their explicit knowledge.
Consent processes must explain key elements with potential impact on an individual’s privacy, including:
- the purpose of the consent;
- the type of biometric information involved;
- reasons and sources for indirect collection (if any);
- uses or disclosures not consistent with the original purpose if extending scope;
- any consequences of withholding consent; and
- any alternatives to providing consent.
If you are considering contracting with a private-sector organization, also refer to the Treasury Board of Canada Secretariat’s guidance document “Taking Privacy into Account Before Making Contracting Decisions”. This includes information about the “invasion-of-privacy test”, where the biometrics initiative will be assessed based on the sensitivity of the information, the expectations of the individual, and the probability and potential gravity of injury.
Ensure that consent is obtained in writing or properly documented, including information such as the date and time it was provided.
The OPC has developed guidance on obtaining meaningful consent for private-sector organizations, but it nonetheless provides assistance in ensuring that valid consent is obtained for federal institutions. Institutions should convey the consent processes and the related privacy information with user-experience in mind. Consider integrating consent into existing processes, such as enrolment or digital interfaces, as a means of providing specific information on your biometric initiative in a user-friendly manner. While your biometrics initiative should also be described in your privacy policy, such a description, on its own, would be insufficient to generate meaningful consent.
If an institution is collecting voiceprints from callers to a phone line, a generic statement, such as “this call may be recorded for identification purposes”, is not acceptable to obtain meaningful consent.
Similarly, obtaining consent to collect photos or videos of an individual does not automatically allow you to extract biometrics from such media sources. You must specify the biometric collection, use, or disclosure separately.
Provide alternative options: If you are using biometrics as a safeguard, it is likely that there are other methods of authentication you can offer to the individual, and that biometrics are not integral. Providing alternatives accommodates those who are reluctant to enroll in a biometric system, as well as those who may not be able to enroll in such systems, for example because of a disability.
Communicate the source databases: If using a biometric technology for identification purposes rather than authentication, disclose to the individual what databases their biometrics are being stored in, compared with, or matched against.
Limiting Collection
Limit the collection of personal information to that which is necessary for achieving your stated purpose. This is required under the Directive on Privacy Practices.Footnote 6
You Must:
Use authentication before identification: Authentication is based on a one-to-one match with the individual’s biometrics that they have previously enrolled, which can limit what you need to collect versus what is needed for identification to achieve accurate results. You will need specific justification if you choose to use an identification system where an authentication system is viable.
Use the minimum number of biometric characteristics needed: This includes both the amount of a single characteristic, and the combination of them. If you can meet your purpose by using points from a single fingerprint, then you must not collect prints from the whole finger, more than one finger, or use prints in conjunction with other biological or behavioural biometrics. When using biometrics as a safeguard, the number of characteristics collected must be appropriate to the sensitivity of the personal information you are protecting. The use of multi-modal biometrics must be justified in that regard.
You Should:
Seek to keep the template in the individual’s control: There are different template formats that vary in how much control they provide to the individual. You should strive to keep the template in the individual’s control so long as that is the most secure option while allowing you to achieve your identified purpose. For example, you could store it on a device or token in their possession. You should avoid creating large centralized databases of biometric data, which in the event of a breach, can increase the likelihood of cross-system compromise, imposter access, and source system and physical security compromise. You could also adopt a model where you store the template and it is only activated under the control of the individual. If you decide to maintain sole control of a template, you should have a compelling reason for doing so, such as a determination that this is the best way to safeguard the data or the only way to achieve your purpose.
Limit its technical capability: As a design choice, you should consider biometric systems that do not contain additional features that enable broader collection of personal information than that required to fulfill your specific purposes. For example, in our joint-investigation of the Cadillac Fairview Corporation Limited, it was found that a software called FaceNet was enabled to collect unique numerical representations of individuals’ faces, but that information was not needed for CFCL’s purposes.
Limiting Use, Disclosure, and Retention
Under the Privacy Act, biometrics must only be used for the purposes for which the information was collected or obtained, with few exceptions. This applies both to biometrics in a ‘matching database’ as well as the probe image collected from the individual in question.
You Must:
Not analyze biometrics for secondary purposes: Some biometrics can reveal secondary information, such as that related to health, ethnicity, or biological relationships. You must not analyze biometric data to extract such additional information without the individual’s consent if this was not the purpose for which the personal information was lawfully obtained.
Keep a tight circle: You must not design a biometric system that relies on disclosures to third parties, unless such disclosure is fundamental to the purpose. An extremely strong justification would be required to disclose biometrics to third parties. In systems where biometric information must be shared with others, the parties with whom it is disclosed should be very limited. Refer to the “Accountability” section to learn more about your responsibilities in ensuring third parties do not abuse information.
De-link across systems: The biometrics system provider must guarantee that the stored data cannot be linked across different implementations of the system, such as those offered by third party vendors. You must not link biometric databases used for one purpose, with other unnecessary personal information that is not needed for that purpose.
Limit retention: Biometric information must only be kept for a period necessary to fulfill your stated purpose and any legal obligations, after which it must be permanently destroyed from all locations, including devices, cloud storage, and back-ups. Institutions are required to retain personal information for at least two years after it has been used for an administrative purpose in order to allow the concerned individual a reasonable opportunity to access the information, unless the individual consents to its disposal earlier.
Distinguish retention of biometrics from other personal information: Biometrics serve a specific purpose and should not be lumped with a retention schedule of other non-biometric information, especially when that non-biometric information may be needed for a longer period of time but the biometrics information is not.
Destroy raw biometric data used to create a template: Raw biometric data that is collected for the purpose of creating a biometric template must be destroyed as soon as the template has been created.
Delete biometric information upon request: If an individual withdraws consent for your use of biometric information, then delete all the biometric information that you have collected about them, including any personal information you have created using analysis, unless otherwise required by law. You must also request the same from third parties with whom you may have shared the information.
Safeguards
Biometrics can help organizations secure personal information against impersonators and can thereby prevent social engineering attacks, fraud, and identity theft. However, this only remains an effective option if an individual’s biometric information itself can be protected from breaches and can be trusted to be accurate as to an individual’s identity. Otherwise, biometrics can contribute to the problem you sought to resolve. Security safeguards are therefore of utmost concern, given that individuals are left with few options to protect themselves if their biometric information is compromised.
Safeguarding refers to measures to protect personal information against loss, theft, or any unauthorized access, use, disclosure, copying, or modification. As reflected in the Directive on Privacy Practices, government institutions must have adequate safeguards to protect against unauthorized use or disclosure of personal information.Footnote 7 As a result, biometric data must be stringently protected with a higher level of security safeguards.
Biometrics, like other types of personal information, are not immune to breaches.
More specifically, they are vulnerable to spoofing attacks, where false biometrics are presented to fool biometric systems into providing a positive match. Deep learning and neural network technology can be used to create convincing fabrications of an individual’s biometrics to thwart identification technology. The rising use of deepfakes, voice synthesis, and other impersonation techniques using biometric information could also be used to compromise individuals’ accounts or identity.
You Must:
Use physical, administrative, and technical measures to safeguard against the different ways a breach could occur. Review and update security measures regularly to address evolving security threats and vulnerabilities.
- Implement controls for personnel access: Only make biometric information accessible to those employees who truly need it in the context of their work. Consider having a permission system in place to review requests and grant access.
- Keep track of access: Oversight is important to ensure sensitive information is not mishandled. Maintain digital logs of each time designated personnel access the biometric information you retain. Review the retained logs routinely to ensure that employee searches are legitimate and related to a business need. You must investigate organizational privacy incidents, including employee snooping.
- Encryption: Use end-to-end encryption technology to secure biometric information throughout all stages of its lifecycle, including its storage but also its transmission.
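A routine review of the access logs described in the list above, written as an added example that is not part of the OPC guidance. It applies three checks a reviewer would run over retained logs: access by someone outside the authorized group, access with no recorded business reason, and a single user querying an unusually large number of subjects in one day (a pattern consistent with snooping). The log lines, field names, authorized-user list and bulk-lookup threshold are constructed for illustration; an institution would substitute its own log schema and whatever business-reason field it actually records.

```python
import csv
import io
from collections import defaultdict

# Constructed assumptions for the illustration: who is permitted to query
# the biometric store, and how many distinct subjects per user per day is
# considered a bulk lookup that warrants follow-up.
AUTHORIZED = {"analyst01", "analyst02"}
BULK_THRESHOLD = 3

# Constructed sample log. Each access to the biometric store is recorded with
# the acting user, the subject whose biometric was touched, and the case
# reference that justifies the access (empty when none was supplied).
SAMPLE_LOG = """timestamp,user,action,subject_id,case_ref
2023-05-01T09:12:00,analyst01,match_query,S-1001,CASE-4471
2023-05-01T09:40:00,analyst01,match_query,S-1002,CASE-4471
2023-05-01T10:05:00,helpdesk07,template_read,S-1003,CASE-4490
2023-05-01T11:30:00,analyst02,match_query,S-1004,
2023-05-01T13:00:00,analyst02,match_query,S-1005,CASE-4502
2023-05-01T13:05:00,analyst02,match_query,S-1006,CASE-4502
2023-05-01T13:06:00,analyst02,match_query,S-1007,CASE-4502
2023-05-01T13:07:00,analyst02,match_query,S-1008,CASE-4502
"""


def review_access_log(text):
    """Return a list of (finding_kind, user, when) tuples for a log text.

    Per-row findings are emitted in log order; the per-day bulk-lookup
    findings are appended once every row has been read.
    """
    findings = []
    subjects_per_user_day = defaultdict(set)

    for row in csv.DictReader(io.StringIO(text)):
        user = row["user"]
        when = row["timestamp"]

        # Check 1: access by someone who is not on the authorized list.
        if user not in AUTHORIZED:
            findings.append(("unauthorized_user", user, when))

        # Check 2: access with no case reference, i.e. no documented
        # business need for touching this subject's biometric.
        if not row["case_ref"]:
            findings.append(("no_business_reason", user, when))

        # Accumulate distinct subjects per (user, calendar day) for check 3.
        day = when[:10]
        subjects_per_user_day[(user, day)].add(row["subject_id"])

    # Check 3: one user touching many different subjects in a single day.
    for (user, day), subjects in subjects_per_user_day.items():
        if len(subjects) > BULK_THRESHOLD:
            findings.append(("bulk_lookup", user, day))

    return findings


if __name__ == "__main__":
    for kind, who, when in review_access_log(SAMPLE_LOG):
        print(f"{kind:20s} {who:12s} {when}")
```

Each finding is a starting point for the investigation the guidance calls for, not a conclusion: a missing case reference may be a data-entry gap, and a bulk lookup may be a legitimate batch task, so the reviewer confirms the business need with the user's manager and records the outcome.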
Prevent spoofing and presentation attacks: Spoofing refers to the ability to fool a biometric system by applying fake or replicated biometrics — such as a photograph or mask of the target individual’s face to bypass facial authentication. When biometrics are used as a safeguard to protect other personal information, they must be effective at doing so and not be susceptible to spoofing. Liveness detection is one option to prevent many forms of spoofing, but not all liveness detection methods offer the same level of protection.Footnote 8
Consider specific technical attack methods: You must anticipate and analyze the risks of unauthorized access and unwanted modification if you hold biometric data. There are different types of attacks that are specifically designed to circumvent biometric systems,Footnote 9 including hill-climbing and wolf attacks.
- “Hill-climbing” refers to an algorithmic attack where a synthetic biometric template is matched continuously against a stored template and is iteratively modified until it positively matches with the stored template. This method relies on a matching score to be communicated so that the modifications to the synthetic template are based on an increasing similarity with the stored template. Therefore, you should not communicate a matching score publicly, and limit the number of biometric authentication attempts.
- “Wolf-attacks” refer to a biometric “wolf” sample that can function like a master key to successfully match to multiple samples.Footnote 10 The use of wolf attack probability testing and detection can help you safeguard against such attacks.
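The threshold-based matching described under “Biometric recognition” above, combined with the two hill-climbing mitigations just listed (the caller never receives a similarity score, only an accept or reject decision, and attempts are capped), as an added illustration that is not part of the OPC guidance. The feature vectors, the threshold and the attempt cap are constructed assumptions; a real matcher derives the vectors from a capture and calibrates the threshold from its measured error rates.

```python
import math
from dataclasses import dataclass, field

# Constructed sample feature vectors standing in for biometric templates.
# A real system would derive these from a fingerprint, face or voice capture.
ENROLLED_ALICE = [0.9, 0.1, 0.4, 0.3, 0.8, 0.2]
PROBE_ALICE_GOOD = [0.85, 0.15, 0.42, 0.28, 0.78, 0.22]  # same person, capture noise
PROBE_IMPOSTOR = [0.1, 0.9, 0.3, 0.8, 0.2, 0.7]           # a different person


def cosine_similarity(a, b):
    """Similarity score in [-1, 1]; 1.0 means identical direction."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b)


@dataclass
class Verifier:
    """One-to-one (authentication) matcher that exposes decisions only.

    The similarity score is computed inside verify() and never returned,
    logged or surfaced in an error message, so an attacker cannot use it
    as the feedback signal a hill-climbing attack needs. Failed attempts
    are counted per user and the account is locked after max_attempts.
    """
    threshold: float = 0.95          # assumed; calibrate from error-rate testing
    max_attempts: int = 5            # assumed cap on consecutive failures
    templates: dict = field(default_factory=dict)
    failures: dict = field(default_factory=dict)

    def enroll(self, user_id, template):
        self.templates[user_id] = list(template)
        self.failures[user_id] = 0

    def is_locked(self, user_id):
        return self.failures.get(user_id, 0) >= self.max_attempts

    def unlock(self, user_id):
        """Administrative reset after the lockout has been reviewed."""
        self.failures[user_id] = 0

    def verify(self, user_id, probe):
        """Return True only on a positive match; every other outcome is False.

        A locked account and an unknown user return the same value as a
        failed match, so the caller learns nothing beyond accept/reject.
        """
        if self.is_locked(user_id):
            return False              # no comparison is even performed
        template = self.templates.get(user_id)
        if template is None:
            return False
        score = cosine_similarity(template, probe)   # internal only
        if score >= self.threshold:
            self.failures[user_id] = 0
            return True
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        return False


if __name__ == "__main__":
    v = Verifier()
    v.enroll("alice", ENROLLED_ALICE)
    print("genuine probe accepted:", v.verify("alice", PROBE_ALICE_GOOD))
    print("impostor probe accepted:", v.verify("alice", PROBE_IMPOSTOR))
```

The same discipline applies to any channel that leaks the score indirectly: response timing, verbose error messages and debug logs should all look identical for a near miss and a clear reject.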
Conduct testing and vulnerability assessments: Regularly assess the vulnerability of your biometric system to ensure your safeguards continue to be effective over time, and to identify vulnerabilities. The testing needs to include variables that depend on the system’s design and installation, on the biology of the tester, and on the known vulnerabilities of the biometric modality or modalities chosen.
Report breaches: When sensitive biometric information is subject to a privacy breach, there is a high likelihood that the breach could reasonably be expected to cause serious injury to affected individuals. Therefore, breaches involving biometric information will meet the public-sector threshold for mandatory reporting to the OPC and Treasury Board of Canada Secretariat.
You Should:
Be proactive: It is more effective to build privacy safeguards into the fabric of a biometric initiative than to try to add them in later. This includes the entire lifecycle of an activity: design, implementation, evaluation, and dismantling.
Use cancellable biometrics: You should convert biometric data into templates that do not reveal permanent features of an individual’s biometric profile. You can do this by using “cancellable” templates that distort data to prevent it from being converted back into the original biometric information. This would allow multiple templates to be associated with the same biometric data, so that templates can be revoked (like a password) if they are compromised. The template should also be unlinkable, so that different biometric templates belonging to a single individual cannot be linked together. Consult technical experts and the latest research around these methods to learn how to implement them in your context.
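A minimal cancellable-template construction, added here as an illustration and not taken from the OPC text or from any particular vendor: the feature vector is multiplied by a secret, key-derived orthogonal matrix (a simplified form of the random-projection family of cancellable schemes). Because the transform preserves distances, matching is done entirely in the protected domain; because it depends on the key, issuing a new key yields a new, unrelated template from the same biometric, which is what makes the old one revocable and the two unlinkable. Feature vectors, keys and threshold are constructed assumptions.

```python
import hashlib
import math
import random

# Constructed sample feature vectors (a real system derives these from a capture).
F_ENROLLED = [0.6, 0.2, 0.8, 0.4, 0.7, 0.3, 0.5, 0.9]
F_PROBE = [0.62, 0.18, 0.81, 0.41, 0.68, 0.32, 0.49, 0.91]   # same person
F_IMPOSTOR = [0.1, 0.9, 0.3, 0.8, 0.2, 0.7, 0.6, 0.1]        # different person
KEY_V1 = b"assumed-secret-key-version-1"    # stored separately from the template
KEY_V2 = b"assumed-secret-key-version-2"    # issued when version 1 is revoked
THRESHOLD = 0.2                              # assumed Euclidean match threshold


def _keyed_rng(key):
    """Deterministic generator seeded from the key, so the same key always
    yields the same transform and a different key yields a different one."""
    seed = int.from_bytes(hashlib.sha256(key).digest()[:8], "big")
    return random.Random(seed)


def keyed_orthogonal_matrix(n, key):
    """Random n x n orthonormal matrix derived from the key (Gram-Schmidt on
    Gaussian vectors). Rows are returned as lists."""
    rng = _keyed_rng(key)
    basis = []
    while len(basis) < n:
        v = [rng.gauss(0.0, 1.0) for _ in range(n)]
        for b in basis:                      # remove components along earlier rows
            d = sum(x * y for x, y in zip(v, b))
            v = [x - d * y for x, y in zip(v, b)]
        norm = math.sqrt(sum(x * x for x in v))
        if norm < 1e-9:                      # degenerate draw; try again
            continue
        basis.append([x / norm for x in v])
    return basis


def protect(features, key):
    """Cancellable template: the feature vector rotated by the keyed matrix."""
    m = keyed_orthogonal_matrix(len(features), key)
    return [sum(r * f for r, f in zip(row, features)) for row in m]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def match(protected_template, probe_features, key, threshold=THRESHOLD):
    """Compare in the protected domain only; the stored template is never
    inverted. Distances are preserved, so this equals matching in the clear."""
    return euclid(protected_template, protect(probe_features, key)) <= threshold


if __name__ == "__main__":
    t1 = protect(F_ENROLLED, KEY_V1)
    print("genuine, key v1:", match(t1, F_PROBE, KEY_V1))
    print("impostor, key v1:", match(t1, F_IMPOSTOR, KEY_V1))
    t2 = protect(F_ENROLLED, KEY_V2)           # re-enrolment after revocation
    print("old key against new template:", match(t2, F_PROBE, KEY_V1))
    print("distance between v1 and v2 templates:", round(euclid(t1, t2), 3))
```

Two caveats a deployment would need beyond this sketch: the key must be held apart from the template (on the individual's token or in a separate key store), since whoever holds both can undo the rotation; and production schemes add dimensionality reduction or quantisation so that the protected template reveals less than a pure rotation does (a rotation still preserves the vector's length, for instance). Consult the current literature on template protection before choosing a scheme.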
Use Privacy Enhancing Technologies (PETs): Methods such as homomorphic encryption can be used to conduct biometric matching without needing to decrypt the biometric template. For more information on PETs, refer to our report.
Specialized security modules: You should consider using specialized security modules for the storage of biometrics. You should also consider making the extraction of biometric templates unique to your biometric system, such that it cannot be used by others.
Avoid transmitting biometrics over the internet where possible; instead, use enrolment devices that are directly connected to, or integrated with, the IT systems.
Use multiple factors: Multifactor authentication is often described as combining something you know (such as a password), something you have (such as a card or token), and something you are (such as a fingerprint). Where the use of biometrics is appropriate, you should use it in combination with at least one other factor to improve accuracy and protect against attacks.
- Use active versus passive biometrics: For example, active voice biometrics refers to when the individual must create a passphrase, which the software analyzes to create a voiceprint, targeted to the phrase. This is a form of multi-factor authentication. This is in contrast to passive voice biometrics where recognition software runs in the background on all speech and doesn’t require the individual to say a specific phrase.
Choose the right modality: Be aware of your choice of biometric and the accompanying technology. For example, fingerprints can leave latent marks that can be lifted by malicious actors. Some modalities may also be easier to spoof than others.
Separate biometrics from other personal information: You should store any biometric information about an individual separately from other identifying information about them, to avoid building an unnecessary profile about an individual. This reduces the risk of harm in the event of a breach.
Accuracy
Biometric systems used for authentication or identification are typically used to make an automated decision about an individual, such as to obtain access to certain locations, or receive a good or service to which they are entitled. As a result, false positives and negatives can significantly disrupt an individual’s life and potentially violate their human rights. You must take every reasonable effort to ensure accuracy in your biometric system.
Under the Privacy Act, government institutions are required to take all reasonable steps to ensure that any personal information they use for an administrative purpose is as accurate, up-to-date, and complete as possible. The Directive on Privacy Practices outlines measures for ensuring information is accurate and up to date, including verifying information against a reliable source, and using technological means to identify errors and discrepancies.
You Must:
Consider if biometrics are fit for purpose: Organizations must consider whether the biometric system is an appropriate mechanism to achieve their purpose, taking into account the environment and context in which their proposed use of biometrics will take place. For example, systemic errors in a biometric system can result in the capture of inaccurate information, particularly when not adjusted to reflect the diversity of the population.
Choose a technology with suitable accuracy rates: Some biometric technologies are more accurate than others. For example, systems based on morphological biometrics can result in higher accuracy rates than behavioural biometrics. While many biometric systems have low failure rates, a small number of errors can become significant when the system is scaled up. They can also disproportionately affect certain populations. The impact of inaccuracies can also depend on the nature and significance of the decisions being made. It is your responsibility to ensure conformity with relevant accuracy testing standards,Footnote 11 including conducting your own accuracy testing or obtaining an independent evaluation, and choose biometric systems with error rates that are appropriate and acceptable in the circumstances. This includes consideration of more accurate alternatives and tradeoffs. You will need to demonstrate a higher level of accuracy when the consequences of errors for individuals are greater.
Ensure accuracy at enrollment: You must take reasonable steps to check and maintain the accuracy of the biometrics. Biometric recordings and templates must be accurate at the enrolment stage, including clear images free from obstruction or other anomalies that would interfere with an individual’s authentication or identification later. You must ensure that the template is assigned to the correct individual, and account for the time elapsed since the biometric was enrolled to account for issues related to aging.
You Should:
Put quality over quantity: Poor quality of captured biometrics can lead to accuracy challenges. You should only use captured biometric information of high quality. This also allows you to better meet the limiting collection requirement, as poor-quality biometrics may lead you to over-collect them to create a functioning template. Improved equipment and standardized collection practices (that account for elements such as image resolution, lighting, and placement) can help reduce the number of mistakes.
Develop a procedure for dealing with false matches: Although biometric systems must be designed to ensure accuracy, you should be prepared for your system to provide false positives, false negatives, and non-matches. In such cases, you should offer an alternate identifier in a timely manner, resolve the issue so that it does not recur, and ensure that such errors do not result in systemic biases. There should be human intervention and review of significant decisions made based on biometrics as part of this process in order to offer redress. Biometric decision-making should be subject to a fair process to allow such decisions to be contested and reviewed.
Have an even higher accuracy threshold when using biometric categorization: Biometric systems that assign an individual to a category and sort them accordingly should be carefully assessed and scrutinized with regard to the categories that are used, whether they are able to accurately reflect the diversity of the individuals who will be captured by the biometric system, and the overall reliability of this feature. Consider that individuals also have rights to access and correction.
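An added example, not from the OPC guidance or any vendor's system, of the accuracy testing described above and of why a false-match procedure is needed: it computes false match and false non-match rates per population at a decision threshold, shows how a small false match rate compounds in a 1:N search, and picks the lowest threshold that holds a false-match ceiling for every group, not just on average. The group labels, scores, and the independence assumption in the 1:N formula are constructed for illustration.

```python
"""Accuracy testing of a biometric matcher: per-group error rates and scaling.

Added example, not part of the OPC guidance or any real matcher. Scores and
group labels are constructed sample data. A comparison score in [0, 1] at or
above the threshold is treated as a match.
"""
from collections import defaultdict

# Constructed records: (demographic group, same_person, comparison score)
SAMPLE = [
    ("group_a", True, 0.92), ("group_a", True, 0.88), ("group_a", True, 0.81),
    ("group_a", True, 0.79), ("group_a", False, 0.31), ("group_a", False, 0.45),
    ("group_a", False, 0.52), ("group_a", False, 0.28),
    ("group_b", True, 0.84), ("group_b", True, 0.71), ("group_b", True, 0.66),
    ("group_b", True, 0.90), ("group_b", False, 0.58), ("group_b", False, 0.73),
    ("group_b", False, 0.41), ("group_b", False, 0.49),
]


def error_rates(comparisons, threshold):
    """Return {group: (FMR, FNMR)} for each group and for "all".

    FMR  = impostor pairs wrongly accepted / impostor pairs (false positives)
    FNMR = genuine pairs wrongly rejected / genuine pairs   (false negatives)
    """
    # per key: [impostor pairs, false matches, genuine pairs, false non-matches]
    tally = defaultdict(lambda: [0, 0, 0, 0])
    for group, same_person, score in comparisons:
        for key in (group, "all"):
            t = tally[key]
            if same_person:
                t[2] += 1
                t[3] += score < threshold
            else:
                t[0] += 1
                t[1] += score >= threshold
    return {k: (t[1] / t[0] if t[0] else 0.0, t[3] / t[2] if t[2] else 0.0)
            for k, t in tally.items()}


def identification_false_positive_rate(fmr, gallery_size):
    """1:N search: chance a probe falsely matches at least one of N enrolled
    templates, assuming independent comparisons (FPIR ~ 1 - (1 - FMR)^N)."""
    return 1 - (1 - fmr) ** gallery_size


def lowest_threshold_meeting(comparisons, max_fmr, candidates):
    """Lowest candidate threshold at which EVERY group's FMR <= max_fmr, else None.
    The lowest such threshold keeps wrongful rejections (FNMR) down while
    holding the false-match ceiling for each population, not just the average."""
    for threshold in sorted(candidates):
        if all(fmr <= max_fmr for fmr, _ in error_rates(comparisons, threshold).values()):
            return threshold
    return None
```

At threshold 0.70 the constructed data gives group_b an FMR and FNMR of 0.25 while group_a has none, the kind of disparity that the overall rate of 0.125 would hide; raising the threshold to 0.75 removes all false matches but pushes group_b's FNMR to 0.5, which is the trade-off the text refers to.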
Accountability
You are responsible for the personal information under your control. In the federal public sector, the Privacy Act sets out specific obligations for heads of government institutions or their delegates. Accountability is also delineated through the PIA process and supporting policy instruments, notably the Policy on Privacy Protection and Directive on Privacy Practices. Additional guidance on contracting under the Privacy Act is available in “Taking Privacy into Account Before Making Contracting Decisions”.
You Must:
Use credible contractors and assess legal authority: Before entering into a business relationship, you must do your due diligence to ensure accountability of third-party service providers and that they are acting lawfully. If these parties are providing you access to a database of biometric information, you have a duty to ensure that both the original collection and your use of the information would be in accordance with privacy laws. This equally applies to partnerships you enter into with other government institutions.
If you are subcontracting parts of your biometric program, you must ensure that the subcontractor meets the Privacy Act obligations to which you are subject and does not use personal information handled on your behalf for its own purposes, without requisite consent.
Privacy Act Report of Findings:
In the OPC’s investigation into the RCMP’s use of Clearview AI’s services, we found that the RCMP failed to take any active steps to verify the legality of the collection of the information of Canadians from Clearview. Government institutions are obligated to ensure the lawfulness of the collection practices of partners from whom they collect personal information.
Assess whether your biometric activity is subject to the Directive on Automated Decision-Making: If you are using biometrics to make automated decisions about an individual, you should refer to the Directive on Automated Decision-Making and check whether you need to complete an Algorithmic Impact Assessment.
You Should:
Formalize your relationship with other partners: This includes contracting with private-sector parties whose biometric services you use, and entering into Information Sharing Agreements with other institutions with which you share, or from which you receive, biometric information.
Develop robust breach plans: In the event of a privacy breach of biometric information, you will likely be required to report it to a number of parties within short timelines. You will also be required to maintain records of all breaches. To be prepared for a breach scenario, you should develop robust, efficient, and detailed procedures related to reporting mechanisms and any remedial actions to be taken. The OPC has developed guidance for responding to a privacy breach for government institutions.
Demonstrate accountability: You should stand ready to demonstrate your compliance with applicable privacy law(s) to regulators. You should be ready to show records such as how the system was designed, and the steps you took to ensure it was protective of privacy.
Consider consulting the OPC: If you are still unsure about your biometric program, consider contacting the OPC’s Government Advisory Directorate for additional advice.
Openness
Be open and transparent with individuals about how you manage personal information. The Directive on Privacy Practices requires that individuals whose personal information is collected directly be notified of key information relating to the initiative.
You Must:
Provide a privacy notice: Directly notify the individual whose biometrics are collected of the purpose and authority of collection, any uses or disclosures consistent with the original purpose, any legal or administrative consequences for refusing to provide biometrics, the rights of access, correction and protection, and the Personal Information Bank (PIB) described in Info Source.
Inform individuals about their ability to complain to the OPC: Your privacy notice must include information about the right of individuals to submit a complaint to the OPC with their privacy concerns.
Conduct public reporting of biometrics: All biometric information holdings under your control must be accounted for in your public reporting of PIBs and classes of personal information. This includes on Info Source and in your PIB descriptions. The inventory descriptions must contain sufficient clarity and detail to facilitate the exercise of the right of access under the Privacy Act.
Notify the OPC of all new consistent uses: If you use biometrics for consistent uses that are not reflected in a PIB, you must notify the OPC.
You Should:
Be transparent about legal obligations: You should communicate to individuals up-front, where possible, about situations where you are unable to delete personal information upon request based on other legal obligations. You should also explain this in response to any deletion request, citing the relevant legal provision.
Explain automated decisions: Be prepared to provide individuals who may have been subject to an important automated decision using biometrics with information about the key details of the biometric system — such as the confidence interval used by the system, the probe biometric that was relied upon, and any other likely reasons for an outcome.