By Jan Dhont
Student Privacy Comes Into Question
The Belgian Privacy Commission has finally issued its guidelines on the processing of biometric data (Opinion nÂ° 17/2008 of April 9, 2008). The guidelines were published almost five years after the Article 29 Working Party adopted its Working Document on biometrics (WP 80 of August 1, 2003). The guidelines contain crucial guidance to facilitate the use of biometrics in compliance with Belgian data protection law. They also confirm a trend of increasing market penetration of biometric products and services as well as an acceptance by the commission of biometric systems as a "strong and reliable authentication method for access control."
The commission highlights the following requirements and guidelines:
- Provide special notice to individuals containing information such as (i) a description of the type of the biometric device(s) deployed, (ii) the existence of the system's error band, and (iii) the procedures to be followed in case of recognition failures.
- Preferably obtain the individual's consent to deploy biometric systems (other legal grounds are available but are less solid).
- Biometric data should be removed from systems if such data is no longer relevant (e.g. biometric data of users who have no longer access rights should be removed from information system as soon as possible).
- Avoid the central storage of biometric "reference-information" (e.g. iris scan; fingerprint; etc.) and promote the storage of such data on secured individual carriers (e.g. a chip-card held by the data subject).
- Avoid the storage of biometric data as "raw data" (e.g. an image of a fingerprint or iris), but store it as "templates" (i.e. a sequence of symbols or numbers based upon the processing of the raw data or a biometric element).
- Avoid covert biometric data processing.
- Implement robust technical and organizational security measures to accommodate biometric data processing. These information security measures include, for instance, the storage of the reference-information in a secured environment and the use of high-end encryption technology.
Whereas the Article 29 Working Party favors the prior checking of biometric data processing by the national data protection authorities, a prior authorization is not required in Belgium (this is, however, different from other EU countries, such as France and Luxembourg). Notification of the DPA is, however, required by the system user.
The commission also announced a follow up on recent developments regarding biometrics for the use of border protection and law enforcement at the European level.
The opinion, which also describes the different ways of collecting and comparing biometric samples, can be found at: www.privacycommission.be/ nl/docs/Commission/2008/advies_17_ 2008.pdf (in Dutch) or www.privacycommission.be/fr/docs/Commission/2008/avis_17_2008.pdf (in French).
Jan Dhont is a partner at Lorenz in Brussels. Reach him at firstname.lastname@example.org.