Ducks overlooking outside scenery on bridge.

UK ICO publishes draft biometric data and technologies guidance for public consultation

Published on 24 October 2023

The question

What are the key considerations which the Information Commissioner’s Office (ICO) proposes organisations should be aware of when implementing biometric recognition systems?

The key takeaway

The ICO’s draft guidance on biometric data and biometric technologies (Draft Guidance) outlines the ICO’s proposal for how it will regulate the use of biometric data and biometric recognition systems in the future. It follows that any organisation with a vested interest in the development and regulation of biometrics should review the Draft Guidance and consider providing feedback to the ICO’s public consultation by 20 October 2023.

The background

On 18 August 2023, the ICO published the first phase of the Draft Guidance and opened it up to public consultation. The Draft Guidance aims to build on the ICO’s two previous reports on biometric technologies which were released on 26 October 2022. The ICO’s two reports entitled: “Biometrics: Insight” and “Biometrics: Foresight”, examined recent trends and developments in biometric technologies and explored the opportunities and challenges which various sectors (eg finance, wellness, and education) could face over the course of the next five to seven years due to the predicted increase in their use of biometric technologies. The reports raised concerns about the impact that the increased use of biometric technologies could have on the ability of these sectors to comply with the fundamental principles of UK GDPR.

The reports also highlighted key areas which required further clarification with respect to biometric data and biometric technologies including definitions and terminology, the management of “high risk” biometric systems, and the processing of “ambient data”.

The development

The first phase of the Draft Guidance examines key data protection concepts, explores “biometric recognition systems” and sets out the key data protection requirements which the ICO expects organisations to consider when implementing biometric recognition systems.

Key data protection concepts

In order to determine whether “personal data” can be categorised as “biometric data” under UK GDPR, the Draft Guidance provides that “personal data” is only “biometric data” where it:

  • relates to someone’s behaviour, appearance, or observable characteristics (eg their face, fingerprints, or voice)
  • has been extracted or further analysed using technology (eg an audio recording which is analysed using software to detect tone or pitch, and
  • allows the individual to be uniquely identified (recognised) from it.

The Draft Guidance notes that, even where the data being processed does not meet the above criteria, it is still necessary to determine if it constitutes “personal data”, as data protection requirements will still apply in that instance. The Draft Guidance also draws a distinction between the definitions of “biometric data” and “special category biometric data”. “Biometric data” allows an individual to be uniquely identified from it, whereas “special category biometric data” is when biometric data is used for the purpose of uniquely identifying an individual. According to the Draft Guidance, this means that, where the purpose (ie the intention) behind processing personal data related to an individual’s characteristics is to uniquely identify that individual (eg by comparing it to other individual’s biometric data as part of an identification or verification process), then it constitutes “special category biometric data”.

Biometric recognition systems

The Draft Guidance sets out what it means when referring to “biometric recognition systems”. It states that “biometric recognition” is where an individual’s biometric data is used for identification or verification purposes. Further, the Draft Guidance provides that:

  • identification refers to a one-to-many matching process where the biometric data of one individual is compared to that of many to find a match, and
  • verification refers to a one-to-one matching process where the biometric data of one individual is compared against a stored biometric record to verify that they are who they claim to be.

Given the above definitions of “biometric data” and “special category biometric data”, the Draft Guidance provides that, whenever an organisation uses a biometric recognition system, it will:

  • initially be processing personal data
  • then it will, by default, be processing biometric data as the personal data collected will obey the three-pronged criteria under “Key data protection concepts” above, and
  • lastly, it will process special category biometric data from the moment it intends to use the biometric data it has collected to perform an identification or verification process.

Key data protection requirements

The Draft Guidance details the data protection requirements which controllers and processors must comply with when processing biometric data and special category biometric data. In particular, the Draft Guidance notes that, when using this data:

  • data protection laws must be complied with, and this must be able to be demonstrated
  • a data protection by design approach must be adopted such that biometric data is protected in all systems, and only processors which provide sufficient guarantees of their adoption of data protection by design, should be utilised
  • a data protection impact assessment (DPIA) should be carried out before using a biometric recognition system as it is highly likely that its use will result in a high risk to the rights and freedoms of individuals, and
  • it is likely that the only valid condition for processing special category biometric data is explicit consent, but this will depend on the specific circumstances and justification being relied upon.

To assess whether an organisation needs to conduct a DPIA, the Draft Guidance refers to the ICO’s “examples of processing likely to result in high risk”. Further, when considering how to adopt a data protection by design approach, see our analysis of the ICO’s guidance on “privacy in the product design lifecycle” in our Summer 2023 Snapshot.

Why is this important?

The Draft Guidance is another demonstration of the ICO’s commitment, under its ICO25 strategic plan, to empowering organisations to use information responsibly, enabling them to invest and innovate in the adoption of new technologies. As this is the first phase of the ICO’s guidance on biometrics, and it is open to public consultation, this presents organisations with a vested interest in biometrics with an important opportunity to feed into how the ICO will regulate the use of biometric data and biometric recognition systems in the future. Organisations can respond to the consultation by completing the ICO’s MS Forms survey, or emailing their responses to The consultation is open until 20 October 2023.

Any practical tips?

All organisations which are using, or considering the use of, biometric recognition systems should consider the key data protection requirements flagged by the ICO in the Draft Guidance. In tandem, it is worth reflecting on the importance of data protection by design, and the ICO’s new “Innovation Advice Service”. While this service is currently in Beta, it provides a forum for organisations which are trying new or innovative steps with personal data, to ask the ICO specific questions with a view to solving any data protection issues that are holding up their product’s or service’s development. Lastly, it is important that those considering implementing innovative biometrics technologies take a holistic view of the technologies they are looking to implement, and consider these in light of the ICO’s other guidance such as the ICO’s guidance on AI and data protection (see our Summer 2023 Snapshot).

Autumn 2023