MasterCard recently announced that it is going live with biometric payment authentication in certain European markets with a worldwide launch expected in 2017. In brief, mobile payments are authenticated through either facial or fingerprint biometric recognition, which is delivered through a corresponding app.

The use of biometric data is increasing as people are introduced to, and adapt to, using their unique body identifiers for authentication purposes (e.g., accessing an iPhone through a fingerprint). But achieving user buy-in is only part of the equation from an information management perspective: once the practice is adopted, the company utilizing the technology faces a variety of factors it must address.

By its very use, authentication requires that a template or sample be stored against which future instances can be compared. For that purpose, the initial onboarding process collects a sample, which is analyzed and stored (generally) as raw data or as a mathematical representation of distinct characteristics of the sample provided. This means that the system storing the representative sample has to recall that information for comparison purposes when authentication occurs. In other words, there is a connection between the device authenticating and the storage system where the biometric sample is stored, and that connection triggers security obligations.

As the biometric sample is particular to an individual, that information will at a minimum fall under the scope of personal information and, in some cases, sensitive personal information. Depending on the classification, different duties and obligations attach for security, workflow processes and other pertinent considerations. These are best handled via a privacy impact assessment, which should occur prior to adoption of the system(s) being considered.

From an enterprise information management perspective, it is important to understand the types of biometric data retained and how such data is disposed of when no longer in use (e.g., a customer cancels a credit card, an employee leaves, etc.). This will weigh heavily on the scope of consent obtained at the time the biometric data was initially gathered. In addition, as the use becomes more prevalent and over-reaches occur, laws will continue to be passed or amended/modified to account for the use, security and retention of such information. By way of example, in Texas, use of “biometric identifiers” for a commercial purpose requires receipt of consent and obligates the party capturing the data to adequately protect that information and to destroy it within one year, outside of certain exceptions.

In conclusion, there are many aspects of managing biometric data in the corporate environment, and a few of those are captured above. If your company is considering or has implemented biometric authentication, here are some questions to ask to get you started:

  • What types of biometric data are being captured and why?
  • Was consent obtained and did the consent convey the scope of use?
  • Before onboarding the system, was a privacy impact assessment conducted?
  • Who has access to the biometric data and is that access necessary to fulfill or execute a job function?
  • Does the retention schedule account for the biometric data?
  • How is the biometric data being stored?
  • Are there laws in the jurisdiction where biometric data is being captured or stored that govern its use and destruction (e.g., Texas) and is the company’s practice in line with those laws?

 

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.