By Jay Cline, CIPP

If you walk into a test center in Europe to take the Graduate Management Admission Test (GMAT), chances are you'll need to scan one of your palms to get in. Used by the Graduate Management Admission Council (GMAC)--publisher of the GMAT--to combat various types of exam fraud, palm vein recognition has been proven to be one of the most accurate and least intrusive forms of biometric authentication. But without GMAC's pioneering efforts to work with EU regulators, palm-vein recognition would still be science fiction for most Europeans.

"It's just not part of European culture," Allen Brandt, CIPP, GMAC corporate counsel and chief privacy official and IAPP board member, told Inside 1to1: Privacy, "Even the bar exam in Italy doesn't collect fingerprints."

Who is GMAC?  Based in Reston, Virginia, the 125 employees of this nonprofit serve 265,000 test-takers each year. These students seek admission to 1,900 graduate schools in 111 countries, including many of the leading universities in Europe and throughout the world. The GMAT's 50-year track record of predicting who will be most successful in graduate school has helped make it the most globally recognized entrance exam.

It was the global dataflows of the GMAT that put the nonprofit on a course leading to the European data protection authorities (DPAs). When Brandt joined GMAC in early 2006, the organization had just transitioned its test delivery to Minneapolis, Minnesota-based Pearson VUE, which operates more than 5,000 test centers in over 165 countries. During the transition, GMAC conducted a privacy impact assessment (PIA) on the GMAT.

According to Brandt, GMAC's PIA process is part of its "privacy by design" approach of incorporating privacy into every new GMAC initiative. "We've moved to an all-opt-in regime for all of our services," Brandt said.

The GMAT PIA told GMAC that it needed to register its exam data practices with 27 EU member state DPAs. Brandt soon found that this was a complex undertaking, varying from country to country. "The UK provided a simple online form," he explained, "but we had to wait for the CNIL (France's DPA) to vote on our in-depth submission."

GMAC obtained all of its necessary approvals for the GMAT exam 30 months after beginning. "We had no problems beginning to test anywhere," Brandt said. But that was the easy part.

At the same time GMAC began registering the GMAT with EU DPAs, it decided to pursue a separate approval path for its sponsorship of biometrics in Pearson VUE test centers. Brandt explained that GMAC calculated that its collection of photographs and fingerprints--Pearson VUE's biometric approach at the time--could require more explaining and follow a longer approval process.

A turning point took place at a January 2007 meeting in London with Phil Jones of the UK Information Commissioner's Office. Along with GMAC representatives were Mark Poole of Pearson VUE and Eduardo Ustaran, partner at London-based Field Fisher Waterhouse. Jones recommended that in order to get broad approval for biometric use, GMAC should deploy a method that captures a biometric imprint that is unique to Pearson VUE and that properly accommodates European concerns about data protection. EU DPAs would resist methods, he warned, that would allow "function creep" over time. Indeed, a year later, the Belgian privacy commissioner released an opinion that established the high standards it would require in approving biometric authentication schemes.

After the meeting, GMAC and Pearson VUE took the advice to heart. Pearson's team conducted a review of available biometric technologies and zeroed in on palm-vein recognition. They found it more stable over time than fingerprinting, more accurate than facial recognition and less invasive than iris or retinal scanning. For its part, Pearson VUE worked with its vendor, Fujitsu, to incorporate European data-protection considerations into its implementation of palm-vein recognition.

"While we're a data processor from the EU perspective," said Michael Nealis, chief security and data privacy officer for Pearson VUE, "we leverage modern technology and position our operations to help clients meet their global regulatory obligations."

How does palm-vein recognition work? When exam candidates arrive at a test center to take a test, a test administrator requires them to present government-issued identification. Next, the candidates place both palms over a small, one-square-inch cube that records their unique vein patterns. This video shows the process. The palm-vein patterns are converted into a non-reversible, encrypted biometric template and then securely transmitted to Pearson VUE's hub.

With the palm-vein template created, candidates can later simply scan their palms to retake a test at any Pearson VUE test center around the world. The system ensures with a high degree of accuracy that only the legitimate candidate is allowed to take the test. Additionally, in the unlikely event that unauthorized parties were to gain access to the palm-vein templates, the templates would be unidentifiable and of no use outside the test centers.

Armed with this new approach to authentication, GMAC began anew its EU-registration efforts. GMAC detailed the critical role that biometrics play in reducing exam fraud, especially with regard to test-taker impersonation and similar schemes to commit fraud using false identities. Its efforts paid off. In June 2009, the CNIL issued a press release approving GMAC's palm-vein recognition scheme. The CNIL stated:

"[T]he palm vein of the hand, with the current state of technology, is a no-trace biometry. In view of this, it is not likely to be captured without the knowledge of the person concerned and, therefore, presents very little risk for the civil liberties and fundamental rights of the individual. It may, therefore, be used to combat identity fraud when recourse to a system of this type is justified by genuine reason and surrounded by the appropriate guarantees."

Hewlett-Packard and the IAPP cited this landmark approval in November 2009 when they awarded GMAC with the 2009 Privacy Innovation Award for Small Organizations.

What advice would Brandt give to other organizations needing to register their data practices with EU DPAs?

"Two things," he said. "Start planning early. It takes longer than you probably think."

"It would also be helpful," he added, "to find the right counsel in each country. It made a huge, huge difference for us."

Because of GMAC's efforts, other organizations have a template to follow in demonstrating how business objectives can be met with advanced biometrics without sacrificing privacy.

Jay Cline is president of Minnesota Privacy Consultants, the winner of the 2010 Privacy Innovation Award for Small Organizations.

For more on the topic of biometrics and data privacy, read "Ubiquitous biometrics" from the June issue of the IAPP's Privacy Advisor member newsletter. (IAPP member login required.)


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

It's Innovation Awards Time!

We're searching for today's privacy innovators. Sound like anyone you know? (Perhaps even you?) Tell us about it! We'll announce the winners at P.S.R.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

It's Innovation Awards Time!

We're searching for today's privacy innovators. Sound like anyone you know? (Perhaps even you?) Tell us about it! We'll announce the winners at P.S.R.

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

NEW! Raise Staff Awareness

Equip all your data-handling staff to reduce privacy risk, with Privacy Core™ e-learning essentials.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

Get Schooled in Privacy

Looking to get some higher-ed in privacy? Check out these schools that include data privacy courses in their curricula.

Are You Ready for the GDPR?

Check out the IAPP GDPR Readiness Assessment Powered by TRUSTe and find out where you stand when it comes to GDPR compliance.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

The IAPP Asia Privacy Forum Returns

Delivering inspired education and discussion on the top data protection issues of today, you can’t miss it. Register now.

P.S.R.: Lewinsky to Explore Online Shaming

With three stellar keynotes confirmed, incl. Monica Lewinsky, we’ve opened registration early so you can secure your spot now.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

It's Innovation Awards Time!

We're searching for today's privacy innovators. Sound like anyone you know? (Perhaps even you?) Tell us about it! We'll announce the winners at P.S.R.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»