Draft Guidance for processing biometrics – for organizations

Published: 2023

Target Audience: Private-Sector Organizations

Authority: Personal Information Protection and Electronic Documents Act

Issued: Office of the Privacy Commissioner of Canada

Status:

Public consultation

Analyzing feedback

Adopted guidance

Overview

In today’s digital environment, organizations are looking to facilitate more efficient access to goods and services while adapting to evolving security risks. Biometrics have emerged as one way to achieve this objective by using individuals’ unique traits to identify or authenticate them. They are often viewed as a solution in a world where individuals are increasingly asked to create and remember different passwords, and to prove their identity.

With the promise of biometrics, however, come serious concerns about privacy. Biometrics are intimately linked to an individual’s body and when used for recognition, are unique, unlikely to vary significantly over time, and difficult to change in their underlying features. These identifiers can be an enabler of surveillance, and if breached, could expose individuals to fraud and identity theft. Challenges with the accuracy of some biometric technologies have also been well-documented, which is of further concern when they are used to make automated decisions about individuals.

This document provides guidance on organizations’ privacy obligations when handling biometric information. Note that while it addresses some of the main considerations, organizations remain responsible for understanding all of their obligations under applicable laws, regulations, and instruments. For example, the province of Quebec has imposed reporting requirements to the Commission d’accès à l’information du Quebec for processes involving biometric information.

Biometric Technology

“Biometrics” refers to the quantification of human characteristics into measurable terms. They are used for recognition and, less commonly, for categorization.

Biometric recognition:

There are three main categories used for recognition:

Morphological biometrics — such as fingerprints;
Behavioural biometrics — such as keystroke patterns; and
Biological biometrics — such as DNA.

There are three general stages that encompass how biometrics are used to recognize an individual: enrollment, storage, and matching.

Enrollment: This is the first time an individual’s biometrics are collected. A scanner, sensor, microphone, camera, or other technology is used to capture the biometric. The biometric recording is usually algorithmically converted into a mathematical representation, known as a biometric template.

Storage: The biometrics obtained during enrolment can be stored locally in the operations centre where the enrolment took place (e.g. in a reader) for later use, on a device carried by the individual (e.g. on a smart card), or in a centralised database accessible by one or more biometric systems.

Matching: A “probe” biometric is collected from the individual, and is usually converted into a template to allow for an automated comparison against the previously enrolled biometric for the purposes of:

Authentication: by matching an individual’s probe biometric to the previously stored sample only (one-to-one comparison) to confirm who they are.
Identification: by cross-referencing an individual’s biometric against a database (one-to-many comparison) to search for who they are.

Many biometric systems use algorithms to perform a number of functions, including to compare two templates together and provide a similarity score. If the similarity score passes the set threshold of the system, a positive match is provided. Such algorithms learn to perform these automated functions through the use of training data, the quality of which can affect the accuracy of the overall system.

Biometric categorization:

Biometrics can be used to determine if an individual belongs to a group with a particular shared characteristic. Categorization could be based on the biometric data itself or by drawing inferences from this data. For example, the measurement of physiological responses to certain stimuli, such as pupillometry or micro-expression analysis, may be used to deduce interests or emotions, and assign an individual to a category.

Guidance

Identifying an Appropriate Purpose

Among the first steps you must take when planning your biometric initiative is specifying the purpose you are trying to achieve. You must then evaluate whether the purpose is appropriate in the circumstances. Appropriateness requires a contextual assessment, and it cannot be replaced by obtaining the consent of individuals.

To guide this assessment, you should evaluate and adjust the proposed biometric program using the following criteria:^{Footnote 1}

Do not use biometrics if you are uncertain that it would be appropriate in the circumstances. If your organization cannot explain how your collection, use, or disclosure of biometrics is rationally connected to a pressing and substantial business goal, the initiative should not go forward.

Sensitivity	Biometrics are a category of sensitive information, but some biometrics may be highly sensitive based on their innately intimate nature and/or the types of harm that could result from their misuse. You should select a suitable biometric modality that presents the least risk to the individual concerned. For example, facial recognition will generally be considered more sensitive than palm-vein scanning, which cannot be passively collected or as easily used to link data about an individual’s activities. The sensitivity of personal information, on its own, is not determinative of whether an organization is justified in its collection, use, or disclosure; however, the more sensitive the information, the greater the justification may be required for its collection, use, or disclosure.
Necessity	Demonstrate that your organization’s biometric program or initiative is necessary to meet a specific, legitimate, and defensible need. Are you using biometrics to resolve a substantial problem, such as to safeguard highly valuable assets or information? Is there evidence of considerable risk to the information? Indicate why other non-biometric options, such as two-factor authentication, are not sufficient in your context. Biometrics may not be necessary if your purpose can be achieved without using this type of information. If the underlying business or institutional rationale is to increase convenience or enhance customer experience, your biometric initiative is likely inappropriate. For example, biometrics are not necessary to facilitate access to a fitness club for those with a membership. Consider whether your needs are rationally connected to a business goal that is pressing or substantial, and document this clearly.^{Footnote 2} Personal information, including biometrics, must never be collected for a speculative or prospective purpose to be determined at a later date.
Effectiveness	Ensure that the proposed biometric program or initiative will be effective in meeting the pressing and substantial goal identified. There should be a high degree of organizational confidence that the biometric program will be effective and reliable, as a whole. There should be a clear plan of how to measure the effectiveness of the program. The program must be designed to effectively address the issue for which it is deployed. Consider the scientific and technical validity of the method or process, the accuracy of the technology and error rates, and the risk that the biometric technology could be spoofed or circumvented. Using biometric technologies for purposes that lack overall scientific validity will not be considered effective and therefore, will be inappropriate. For example, biometric technologies that purport to evaluate the trustworthiness of an individual, identify their mental state, or infer their competencies do not have scientific backing at this time. The OPC has identified as a “no-go zone” profiling or categorization that leads to unfair, unethical, or discriminatory treatment contrary to human rights law.
Proportionality	Assess whether the biometric program or initiative’s impact on privacy is proportional to the benefits gained. Will the stated purpose be more effectively achieved through biometrics than using a less intrusive option? And is this gain in effectiveness proportional to the increased level of intrusion? For example, using facial recognition would be disproportionate for the general purposes of checking-in to a hotel or maintaining security by indiscriminately extracting biometrics from video surveillance footage of individuals in a retail store. Behavioural biometrics that rely on the analysis of large amounts of behavioural data are more likely to be disproportionate than using morphological biometrics. While the loss of privacy that results from the handling of biometrics is generally high, some biometrics are particularly sensitive and may therefore result in even more significant impacts on privacy. For this loss of privacy to be proportional, the benefits of your biometric program must be commensurately high. Ensure that the biometric program is also proportional in its design — meaning it is narrowly scoped with limited actors, as opposed to broad, general, and undefined. The implementation of technical and other protective measures is an important factor in mitigating the privacy impacts of using biometrics, but adequate safeguards alone cannot render a collection, use, or disclosure of biometrics appropriate.
Minimal Intrusiveness	Assess whether there are less intrusive means of achieving the purpose other than through the collection, use, or disclosure of biometrics. Is there evidence that other, less privacy intrusive means cannot achieve the same objective? A biometric initiative being deemed more convenient than alternatives is unlikely to satisfy this requirement. For example, biometric categorization can lead to “social sorting” (i.e., associating individual data with social groups and treating them differently), a key aspect of surveillance. Such a purpose is privacy invasive and may be ethically problematic, requiring a strong justification. Further, social sorting may engage legal issues under human rights law, based on discrimination on prohibited grounds. What steps can be taken to reduce privacy intrusion as much as possible? Consider whether biometrics of a less sensitive nature could be employed or whether there are ways to limit the role of biometrics in the proposed program.

The OPC has applied these criteria to biometric initiatives in previous Report of Findings, which may be informative for completing your own assessment of appropriate purposes:

PIPEDA Report of Findings #2022-003

We found Rogers’ VoiceID program, which uses voice biometrics to authenticate account holders who phone Rogers’ customer support line, to be an effective solution to address Rogers’ legitimate need for account authentication and security in the context of the high-threat environment facing telecommunication service providers. The program presented limited identification risks when compared to other biometrics solutions, and was designed with a number of limitations, safeguards, and controls to mitigate privacy impacts.

PIPEDA Report of Findings #2021-001

In our joint investigation into Clearview AI, we determined that the company’s online scraping of images and creation of biometric facial recognition arrays from them represented mass identification and surveillance of individuals. We therefore found Clearview’s purposes to be inappropriate, particularly where they: (i) were unrelated to the purposes for which those images were originally posted; (ii) would often be to the detriment of the individual whose images are captured; and (iii) created the risk of significant harm to those individuals, the vast majority of whom have never been and will never be implicated in a crime.

PIPEDA Report of Findings #2008-389

This investigation examined the collection and use of fingerprint data from participants writing a standardized admission test for law schools, and the findings were centred around questions based in the above criteria. In this case, the use of fingerprint data was found not to be proportional to the benefit gained, and therefore not appropriate.

Consent

Once you have determined that the purpose of your biometrics initiative is appropriate in the circumstances, you need to assess how to obtain valid consent from individuals. Consent is a foundational element of PIPEDA, and is required for the collection, use, and disclosure of personal information, including biometric information, subject to limited exceptions.

A critical part of obtaining consent is to ensure that individuals have proper knowledge of how your organization will manage their personal information. For consent to be valid or meaningful, organizations must inform individuals of their privacy practices in a comprehensive and understandable manner.

You Must:

Obtain express, informed, and specific consent: You will almost always need to seek express consent for the collection, use, or disclosure of biometrics, including biometric templates. Express consent involves active rather than passive affirmation on the part of the individual — meaning not taking biometrics from individuals without their explicit knowledge.

The OPC has developed guidance on obtaining meaningful consent that provides assistance on ensuring that valid consent is obtained. Organizations must convey the consent processes and the related privacy information with user-experience in mind. Consider integrating consent into existing processes, such as enrolment or digital interfaces, as a means of providing specific information on your biometrics initiative in a user-friendly manner. While your biometrics initiative should also be described in your privacy policy, such a description, on its own, would be insufficient to generate meaningful consent.

Consent processes must explain key elements with potential impact on an individual’s privacy, including:

the type of biometric information collected;
the purpose for the collection, use, or disclosure of that information;
the parties to which the data is disclosed;
any meaningful risks of significant harm that remain despite the organization’s efforts at risk mitigation.

For example, if an organization is collecting voiceprints from callers to its customer support line, a generic statement like “this call may be recorded for identification purposes” is not acceptable to obtain meaningful consent.

Similarly, obtaining consent to collect photos or videos of an individual does not automatically allow you to extract biometrics from such media sources. You must specify the biometric collection, use, or disclosure separately.

PIPEDA Report of Findings #2022-003

In our investigation of Rogers’s use of VoiceID, we found that the company: (i) undertook the “tuning” process, which involved biometric collection, without first obtaining valid consent; and (ii) had not implemented adequate protocols and associated monitoring to ensure express consent was consistently obtained for enrolment. We further determined that Rogers did not provide a clearly explained and easily accessible option for individuals to opt out of the collection and use of their voiceprint.

PIPEDA Report of Findings #2020-004

In a joint-investigation, we found that Cadillac Fairview (CFCL) used cameras in its directory kiosks at its shopping malls to collect and use images of faces, numerical representations of each face, and an assessment of age-range and gender, without valid consent. Given the sensitive data in question, and that a visitor would not expect their image or biometric data to be collected by an inconspicuous camera while searching a mall directory, express consent was required. Simple reference to CFCL’s Privacy Policy did not support meaningful consent, and decals posted on mall entrances were insufficient, only mentioning video recordings for "safety and security" instead of the full scope of purposes for which the facial images were being used.

Not make biometrics a condition of service: Under PIPEDA, organizations can only require consent as a condition of service when the collection, use, or disclosure of personal information is integral to the provision of that product or service such that it is required to fulfill its explicitly specified and legitimate purpose. Otherwise, for non-integral and non-essential collections, uses and disclosures, organizations must give individuals a choice — meaning making biometrics voluntary.

Provide alternative options: Where biometric technology is used for non-integral or non-essential collections, uses, or disclosures, you must provide individuals with other means of access or participation. Communicate these options to individuals, and do not create obstacles that would hinder access to such alternatives. If you are using biometrics as a safeguard, it is likely that there are other methods of authentication you can offer to the individual, and that biometrics are not integral. Providing alternatives accommodates those who are reluctant to enroll in a biometric system as well as those who may not be able to enroll in such systems, for example because of a disability.

Ensure your collection from third parties is lawful: Where collecting biometrics from third parties is appropriate, organizations must ensure that they have legal authority to do so. Ensure proper grounding in law at every step of the data flow, from initial collection by the third party to disclosure and subsequent use by you. Where consent is required, your organization should work with the third party to design means to obtain valid consent from individuals covering both that third party’s disclosure and your collection and use.

Not assume that it is “publicly available”: An individual’s biometrics may be observable in public, but that does not mean that they are exempt from consent requirements. Photos or videos captured in public spaces, found on the internet, or on social media, may not be further processed without specific consent to extract biometric templates. Furthermore, obtaining consent to collect photographs or video is not the same as collecting consent for biometrics — consent must be specifically obtained for each purpose.

PIPEDA Report of Findings #2018-002

The OPC investigated Profile Technology Ltd., a company that reused millions of Canadians’ Facebook user profiles without their consent. A point of issue in the investigation was whether the use of personal information available on individuals’ Facebook profiles met the definition of a publication under the Regulations Specifying Publicly Available Information. In considering the scheme under PIPEDA, its objectives, and the legislature’s intent, the OPC did not accept the assertion that Facebook profile information is a publication under the Regulations.

Communicate the source databases: If using a biometric technology for identification purposes rather than authentication, disclose to the individual what databases their biometrics are being compared with or matched against. You must also obtain consent for the purpose of storing an individual’s biometrics in a database for matching. This must be incorporated into consent processes to provide individuals with an adequate understanding of the program and to allow them to properly exercise their access and consent revocation rights.

Renew consent when extending scope: Any extension of the use of biometrics must not be attempted without first obtaining the individual’s consent for the new use, unless a valid legal exception to consent applies. In this sense, organizations should not view consent as a one-time occurrence, never to be revisited. On the contrary, ensuring the validity of consent is an ongoing process and consent may require renewal as circumstances change and as organizations innovate, grow, and evolve.

Limiting Collection

Limit the collection of personal information to that which is necessary for achieving your stated purpose.

You Must:

Use authentication before identification: Authentication is based on a one-to-one match with the individual’s biometrics that they have previously enrolled, which can limit what you need to collect versus what is needed for identification to achieve accurate results. You will need specific justification if you choose to use an identification system where an authentication system is viable.

Use the minimum number of biometric characteristics needed: This includes both the amount of a single characteristic, and the combination of them. If you can meet your purpose by using points from a single fingerprint, then you must not collect prints from the whole finger, more than one finger, or use prints in conjunction with other biological or behavioural biometrics. When using biometrics as a safeguard, the number of characteristics collected must be appropriate to the sensitivity of the personal information you are protecting. The use of multi-modal biometrics must be justified in that regard.

Not copy identity documents: During the enrolment phase in a biometric system, you might choose to confirm the individual’s legal identity using documents like government-issued IDs. Identity documents used for this purpose must, in most instances, only be viewed, instead of copied and retained.

Where identity documents are used to perform facial recognition against a live selfie to authentication someone for online services, such as through a mobile app, immediately delete copies of such documents once authentication has been performed.

PIPEDA Report of Findings #2010-007

In an investigation regarding the Medical College Admission Test (MCAT), the OPC concluded that there were less privacy-invasive means to meet the Association of American Medical Colleges’ (AAMC) purpose of preventing exam fraud. The AAMC agreed to limit the personal information that it collects, and to only collect and retain fingerprint information in a digital format, which was to be converted into unique digital templates composed of a string of alpha/numeric characters and held securely. The OPC was satisfied that this outcome effectively addressed concerns with respect to both privacy and AAMC’s need to protect the integrity of the high-stakes MCAT exam.

You Should:

Seek to keep the template in the individual’s control: There are different template formats that vary in how much control they provide to the individual. You should strive to keep the template in the individual’s control so long as that is the most secure option while allowing you to achieve your identified purpose. For example, you could store it on a device or token in their possession. You should avoid creating large centralized databases of biometric data, which in the event of a breach, can increase the likelihood of cross-system compromise, imposter access, and source system and physical security compromise. You could also adopt a model where you store the template and it is only activated under the control of the individual. If you decide to maintain sole control of a template, you should have a compelling reason for doing so, such as a determination that this is the best way to safeguard the data or the only way to achieve your purpose.

Limit its technical capability: As a design choice, you should consider biometric systems that do not contain additional features that enable broader collection of personal information than that required to fulfill your specific purposes. For example, in our joint-investigation of the Cadillac Fairview Corporation Limited, it was found that a software called FaceNet was enabled to collect unique numerical representations of individuals’ faces, but that information was not needed for CFCL’s purposes.

Limiting Use, Disclosure, and Retention

Under PIPEDA, biometrics must only be used for the purposes for which the information was collected or obtained, with few exceptions. This applies both to biometrics already contained in a ‘matching database’ as well as to the probe image collected from the individual in question. PIPEDA also identifies limited purposes for which personal information can be disclosed without consent.^{Footnote 3}

You Must:

Not analyze biometrics for secondary purposes: Some biometrics can reveal secondary information, such as that related to health, ethnicity, or biological relationships. You must not analyze biometric data to extract such additional information not originally consented to, and even then, only if appropriate.

Keep a tight circle: You must design a biometric system where disclosure to third parties is not needed. An extremely strong justification would be required to disclose biometrics. In systems where biometric information must be shared with others, the parties with whom it is disclosed should be very limited. Refer to the “Accountability” section to learn more about your responsibilities in ensuring third parties do not abuse information.

De-link across systems: The biometrics system provider must guarantee that the stored data cannot be linked across different implementations of the system, such as those offered by third party vendors. You must not link biometric databases used for one purpose, with other unnecessary personal information that is not needed for that purpose.

Limit retention: Biometric information must only be kept for a period necessary to fulfill your stated purpose and any legal obligations, after which it must be permanently destroyed from all locations, including devices, cloud storage, and back-ups. In previous decisions involving biometric systems, the OPC found that the appropriate data retention period depends on the context. For fingerprint digital templates collected from test takers, for example, a period of 5 years was appropriate since this matched the validity of the test results.^{Footnote 4} For voiceprints collected from employees, retaining the biometric data for one month after the employee left the organization was found to be appropriate.^{Footnote 5}

Distinguish retention of biometrics from other personal information: Biometrics serve a specific purpose and should not be lumped with a retention schedule of other non-biometric information, especially when that non-biometric information may be needed for a longer period of time but the biometrics information is not.

Destroy raw biometric data used to create a template: Raw biometric data that is collected for the purpose of creating a biometric template must be destroyed as soon as the template has been created.

Delete biometric information upon request: If an individual withdraws consent for your use of biometric information, then delete all the biometric information you have collected about them, including any personal information you have created using analysis, unless otherwise required by law. You must also request the same from third parties with whom you may have shared the information.

Safeguards

Biometrics can help organizations secure personal information against impersonators and can thereby prevent social engineering attacks, fraud, and identity theft. However, this only remains an effective option if an individual’s biometric information itself can be protected from breaches and can be trusted to be accurate as to an individual’s identity. Otherwise, biometrics can contribute to the problem you sought to resolve. Security safeguards are therefore of utmost concern, given that individuals are left with few options to protect themselves if their biometric information is compromised.

Safeguarding refers to measures to protect personal information against loss, theft, or any unauthorized access, use, disclosure, copying, or modification. Under PIPEDA, organizations are responsible for protecting personal information with security safeguards appropriate to the sensitivity of the information and degree to which it may be at risk. As a result, biometric data must be stringently protected with a higher level of security safeguards.

Biometrics, like other types of personal information, are not immune to breaches.

More specifically, they are vulnerable to spoofing attacks, where false biometrics are presented to fool biometric systems into providing a positive match. Deep learning and neural network technology can be used to create convincing fabrications of an individual’s biometrics to thwart identification technology. The rising use of deepfakes, voice synthesis, and other impersonation techniques using biometric information could also be used to compromise individuals’ accounts or identity.

You Must:

Use physical, organizational, and technical measures to safeguard against the different ways a breach could occur. Review and update security measures regularly to address evolving security threats and vulnerabilities.

Implement controls for personnel access: Only make biometric information accessible to those employees who truly need it in the context of their work. Consider having a permission system in place to review requests and grant access.
Keep track of access: Oversight is important to ensure that sensitive information is not mishandled. Maintain digital logs of each time designated personnel access the biometric information you retain. Review the retained logs routinely to ensure that employee searches are legitimate and related to a business need. You must investigate organizational privacy incidents, including employee snooping.
Encryption: Use end-to-end encryption technology to secure biometric information throughout all stages of its lifecycle, including its storage but also its transmission.

PIPEDA Report of Findings #2022-003

We noted in our Rogers’ VoiceID report of findings that voiceprints were well safeguarded. Voiceprints were stored in an encrypted and proprietary format on Canadian servers under Rogers’ control. Rogers confirmed that no third parties had access to the voiceprints for any purpose. Rogers further advised that access to the database was restricted to its Voice ID administration team, and that the voiceprints could not be used outside of their system. Our review of software documentation confirmed that the FreeSpeech solution was deployed by its customers and is not centrally managed, accessible to, or controlled by Nuance. Additionally, our review confirmed that voiceprints were signed using an encryption key unique to the specific instance of FreeSpeech, to protect from use in other programs or in other FreeSpeech implementations.”

Prevent spoofing and presentation attacks: Spoofing refers to the ability to fool a biometric system by applying fake or replicated biometrics — such as a photograph or mask of the target individual’s face to bypass facial authentication. When biometrics are used as a safeguard to protect other personal information, they must be effective at doing so and not be susceptible to spoofing. Liveness detection is one option to prevent many forms of spoofing, but not all liveness detection methods offer the same level of protection.^{Footnote 6}

Consider specific technical attack methods: You must anticipate and analyze the risks of unauthorized access and unwanted modification if you hold biometric data. There are different types of attacks that are specifically designed to circumvent biometric systems,^{Footnote 7} including hill-climbing and wolf-attacks.

“Hill-climbing” refers to an algorithmic attack where a synthetic biometric template is matched continuously against a stored template and is iteratively modified until it positively matches with the stored template. This method relies on a matching score to be communicated so that the modifications to the synthetic template are based on an increasing similarity with the stored template. Therefore, you should not communicate a matching score publicly, and limit the number of biometric authentication attempts.
“Wolf-attacks” refer to a biometric “wolf” sample that can function like a master key to successfully match to multiple samples.^{Footnote 8} The use of wolf attack probability testing and detection can help you safeguard against such attacks.

Conduct testing and vulnerability assessments: Regularly assess the vulnerability of your biometric system to ensure that your safeguards continue to be effective over time, and to identify vulnerabilities. The testing needs to include variables that depend both on the system’s design and installation, the biology of the tester, and the known vulnerabilities of the biometric modality or modalities chosen.

Report breaches: When sensitive biometric information is subject to a privacy breach, there is a high likelihood that the breach creates a real risk of significant harm to affected individuals. Therefore, breaches involving biometric information will meet the private-sector threshold for mandatory reporting to the OPC and to affected individuals.

You Should:

Be proactive: It is more effective to build privacy safeguards into the fabric of a biometric initiative than to try to add them in later. This includes the entire lifecycle of an activity: design, implementation, evaluation, and dismantling.

Use cancellable biometrics: You should convert biometric data into templates that do not reveal permanent features of an individual’s biometric profile. You can do this by using “cancellable” templates that distort data to prevent it from being converted back into the original biometric information. This would allow multiple templates to be associated with the same biometric data, so that templates can be revoked (like a password) if they are compromised. The template should also be unlinkable, so that different biometric templates belonging to a single individual cannot be linked together. Consult technical experts and the latest research around these methods to learn how to implement them in your context.

Use Privacy Enhancing Technologies (PETs): Methods such as homomorphic encryption can be used to conduct biometric matching without needing to decrypt the biometric template. For more information about PETs, read our report.

Specialized security modules: You should consider using specialized security modules for the storage of biometrics. You should also consider making the extraction of biometric templates unique to your biometric system, such that it cannot be used by others.

Avoid transmitting biometrics over the internet, if possible but through enrolment devices directly connected or integrated with the IT systems.

Use multiple factors: Multifactor authentication is often described as combining something you know (such as a password), something you have (such as a card or token), and something you are (such as a fingerprint). Where the use of biometrics is appropriate, you should use it in combination with at least one other factor to improve accuracy and protect against attacks.

Use active versus passive biometrics: For example, active voice biometrics refers to when the individual must create a passphrase, which the software analyzes to create a voiceprint, targeted to the phrase. This is a form of multi-factor authentication. This is in contrast to passive voice biometrics where recognition software runs in the background on all speech and does not require the individual to say a specific phrase.

Choose the right modality: Be aware of your choice of biometric and the accompanying technology. For example, fingerprints can leave latent marks that can be lifted by malicious actors. Some modalities may also be easier to spoof than others.

Separate biometrics from other personal information: You should store any biometric information about an individual separately from other identifying information about them, to avoid building an unnecessary profile about an individual. This reduces the risk of harm in the event of a breach.

PIPEDA Report of Findings #2011-012

In the case of the Graduate Management Admission Test palm-vein scanning technology, the OPC found that the palm-vein scans were immediately transformed into an encrypted binary template, which could not easily be applied to other purposes, and were stored separately from any other personal information about the test taker. This was found to be a suitable measure in managing information sensitivity in the circumstances.

Accuracy

Biometric systems used for authentication or identification are typically used to make an automated decision about an individual, such as to obtain access to certain locations, or receive a good or service to which they are entitled. As a result, false positives and negatives can significantly disrupt an individual’s life and potentially violate their human rights. You must take every reasonable effort to ensure accuracy in your biometric system.

Under principle 6 of PIPEDA, personal information shall be as accurate, complete, and up to date as is necessary for the purposes for which it is to be used. This includes being sufficiently accurate, complete, and up to date to minimize the possibility that inappropriate information may be used to make a decision about the individual.

You Must:

Consider if biometrics are fit for purpose: Organizations must consider whether the biometric system is an appropriate mechanism to achieve their purpose, taking into account the environment and context in which their proposed use of biometrics will take place. For example, systemic errors in a biometric system can result in the capture of inaccurate information, particularly when not adjusted to reflect the diversity of the population.

Choose a technology with suitable accuracy rates: Some biometric technologies are more accurate than others. For example, systems based on morphological biometrics can result in higher accuracy rates than behavioural biometrics. While many biometric systems have low failure rates, a small number of errors can become significant when the system is scaled up. The impact of inaccuracies can also depend on the nature and significance of the decisions being made. It is your responsibility to ensure conformity with relevant accuracy testing standards,^{Footnote 9} including conducting your own accuracy testing or obtaining an independent evaluation, and choose biometric systems with error rates that are appropriate and acceptable in the circumstances. You will need to demonstrate a higher level of accuracy when the consequences of errors for individuals are greater.

Ensure accuracy at enrollment: You must take reasonable steps to check and maintain the accuracy of the biometrics. Biometric recordings and templates must be accurate at the enrolment stage, including clear images, free from obstruction or other anomalies that would interfere with an individual’s authentication or identification later. You must ensure that the template is assigned to the correct individual, and account for the time elapsed since the biometric was enrolled to account for issues related to aging.

You Should:

Put quality over quantity: Poor quality of captured biometrics can lead to accuracy challenges. You should only use captured biometric information of high quality. This also allows you to better meet the limiting collection requirement, as poor-quality biometrics may lead you to over-collect them to create a functioning template. Improved equipment and standardized collection practices (that account for elements such as image resolution, lighting, and placement) can help reduce the number of mistakes.

Develop a procedure for dealing with false matches: Although biometric systems must be designed to ensure accuracy, you should be prepared for your system to provide false positives, false negatives, and non-matches. In such cases, you should offer an alternate identifier in a timely manner, resolve the issue so that it does not recur, and ensure that such errors do not result in systemic biases. There should be human intervention and review of significant decisions made based on biometrics as part of this process in order to offer redress. Biometric decision-making should be subject to a fair process to allow such decisions to be contested and reviewed.

Have an even higher accuracy threshold when using biometric categorization: Biometric systems that assign an individual to a category and sort them accordingly should be carefully assessed and scrutinized with regards to the categories that are used, whether they are able to accurately reflect the diversity of the individuals who will be captured by the biometric system, and the overall reliability of this feature. Consider that individuals also have rights to access and correction.

Accountability

You are responsible for the personal information under your control.

You Must:

Comply with all ten principles listed in Schedule 1 of the Act.
Appoint someone to be responsible for the organization’s PIPEDA compliance and to whom individuals can ask questions.
Protect all personal information in the possession or custody of the organization, including any personal information transferred to a third party for processing.
Develop and implement policies and practices to give effect to PIPEDA’s principles.
Ensure breach reporting for any breach that poses a real risk of significant harm to individuals.

You may decide to use the expertise of an external organization to set up and administer your biometric program and give them access to biometric information through that system. If you do so, you must use contractual or other means to ensure a comparably strong level of privacy protection while the information is being processed by that third party. That is, irrespective of where the third party is located, you must be satisfied that the third party has policies and processes in place to ensure that the information in its care is properly safeguarded at all times in accordance with the high standards required for biometrics. You must not transfer biometric data outside of Canada unless there is a contract providing comparable protection.

Integrate the ability to audit contractors: Where biometrics are concerned, organizations must almost invariably integrate the right to audit and inspect how the third party handles personal information into the contract and include measures to address non-compliance.

Provide employees with the proper knowledge and support: You must ensure that employees of your organization who are responsible for managing biometric data are provided with the proper training, guidance, and supervision to perform their duties.

You Should:

Develop robust breach plans: In the event of a privacy breach of biometric information, you will likely be required to report it to a number of parties within short timelines. You will also be required to maintain records of all breaches. To be prepared for a breach scenario, you should develop robust, efficient, and detailed procedures related to reporting mechanisms and any remedial actions to be taken. The OPC has developed guidance for responding to a privacy breach for organizations.

Demonstrate accountability: You should stand ready to demonstrate your compliance with applicable privacy law(s) to regulators. You should be ready to show records such as how the system was designed, and the steps you took to ensure it was protective of privacy. Developing a Privacy Management Program is an excellent way to prepare.

Consider consulting the OPC: If you are still unsure about your biometric program, consider contacting the OPC’s Business Advisory Directorate for additional advice.

Openness

Be open and transparent with individuals about how you manage personal information.

You Must:

Post the privacy policy: You must make your policies and practices governing biometric information readily available to individuals, and in an understandable form. This must include the types of biometric information you manage, the ways they are used, retention periods, any other jurisdictions where the information is stored, security safeguards used, and what third parties or subsidiaries the information is disclosed to, if any, and why.

Provide your policies and practices to individuals before you ask them to enroll their biometrics in your system. Give them sufficient time and opportunity to review the practices in full before seeking their consent and collecting their biometrics.

Inform individuals about transfers to service providers: You must make readily available to individuals information about service providers that you use to process biometric information on your behalf. When a service provider is located in a foreign country, you need to inform individuals of the risk that their personal information may be lawfully accessed by law enforcement and national security authorities under the laws of that country. This must be done in clear and understandable language, ideally at the time the information is collected. You should also provide clear information related to any risk of harm and other consequences resulting from a transfer to a service provider.

Be specific about the uses of biometrics: Your policies and practices must contain details; they cannot just state that you will use biometric information for “anti-fraud purposes” or “account management purposes”. You must outline how your specifically identified purpose is achieved using the biometric information, how it will be stored, and whether biometrics are compared against databases.

Provide the contact information of the person accountable: You must provide the name or title and contact information of the person accountable for your organization’s policies and practices, to whom inquiries and complaints can be made.

You Should:

Be transparent about legal obligations: You should communicate to individuals up-front, where possible, about situations where you are unable to delete personal information upon request based on other legal obligations. You should also explain this in response to any deletion request, citing the relevant legal provision.

Be specific about service providers, wherever possible: In the spirit of being open with individuals, you should name the service provider(s) that you transfer biometric data to. While organizations remain accountable for their use of service providers, this information allows interested individuals to know where their sensitive information is going.

Explain automated decisions: Be prepared to provide individuals who may have been subject to an important automated decision using biometrics with information about the key details of the biometric system — such as the confidence interval used by the system, the probe biometric that was relied upon, and any other likely reasons for an outcome.

Footnotes

Footnote 1

These criteria are derived from a set of factors considered by the Federal Court in Turner v Telus Communications Inc, 2005 FC 1601 (CanLII) (Turner v Telus) in evaluating an organization’s compliance with subsection 5(3) of PIPEDA (endorsed on appeal). While this case arises from the workplace context, the Court’s analysis is still applicable to organizations using biometrics when engaging in commercial activities.

Return to footnote 1

Footnote 2

The necessity of biometrics has been considered in the employment context under PIPEDA. In Turner v Telus, supra (and as affirmed in Wansink v Telus Communications Inc, 2007 FCA 21 (CanLII)), the Federal Court found that Telus’s use of employee voice prints for identity verification purposes to access and use an internal computer network was appropriate in the circumstances, within the meaning of subsection 5(3) of PIPEDA.

Return to footnote 2

Footnote 3

Subsection 7(3) of PIPEDA.

Return to footnote 3

Footnote 4

PIPEDA case summary #2010-007.

Return to footnote 4

Footnote 5

PIPEDA case summary #2004-281.

Return to footnote 5

Footnote 6

Liveness detection is used to distinguish a person presenting their biometrics in real-time from non-live recordings of them, such as a photo, to bypass the system. Different techniques and technologies are being developed to increase accuracy and anti-spoofing. You should consult with experts and select the method that offers the best protection.

Return to footnote 6

Footnote 7

See for example, Ann Cavoukian, Alex Stoianov, and Fred Carter in IFIP International Federation for Information Processing, Volume 261; Policies and Research in Identity Management; Eds. E. de Leeuw, Fischer-Hübner, S., Tseng, J., Borking, J.; (Boston: Springer), pp. 57–77.

Return to footnote 7

Footnote 8

Huy H. Nguyen, Junichi Yamagishi, Isao Echizen, and Sébastien Marcel, “Generating Master Faces for Use in Performing Wolf Attacks on Face Recognition Systems” Proceedings of the 2020 International Joint Conference on Biometrics, Houston, USA.

Return to footnote 8

Footnote 9

See, for example, ISO/IEC 19795, Information Technology – Biometric Performance Testing and Reporting; and NIST Special Publication 800-63B, Digital Identity Guidelines where biometric verification systems “shall operate with an FMR [“false match rate”; ISO/IEC 2382-37] of 1 in 1000 or better. This FMR shall be achieved under conditions of a conformant attack (i.e., zero-effort impostor attempt) as defined in ISO/IEC 30107-1”.

Return to footnote 9

Date modified:: 2024-03-06

Language selection

Search and menus

Search

Draft Guidance for processing biometrics – for organizations

On this page

Overview

Biometric Technology

Guidance

You Must:

You Must:

You Should:

You Must:

You Must:

You Should:

You Must:

You Should:

You Must:

You Should:

You Must:

You Should:

Footnotes