Biometric recognition
At a glance
- Biometric recognition describes when you use biometric data to uniquely identify someone.
- It is a term used in industry standards and isn’t defined in data protection law.
- Biometric recognition uses personal information, biometric data and special category biometric data.
- If you are using a biometric recognition system, you are processing special category biometric data.
In detail
- What do you mean by "biometric recognition"?
- How do biometric recognition systems work?
- What can we use biometric recognition systems for?
- Do biometric recognition systems use personal information?
- Do biometric recognition systems use biometric data?
- Do biometric recognition systems use special category biometric data?
What do you mean by "biometric recognition"?
“Biometric recognition” is not a term defined in data protection law.
Biometric recognition, as defined by the International Standards Organisation (ISO) in ISO/IEC 2382-37:2022(E), refers to the automated recognition of people based on their biological or behavioural characteristics. This aligns closely with the definition of special category biometric data in the UK GDPR.
If you use a biometric recognition system, you are using biometric data to uniquely identify someone. So, “biometric recognition” encompasses all situations in which biometric data is special category biometric data.
In this guidance, we use the term biometric recognition because:
- it aligns with the definition of processing special category biometric data;
- some readers are likely to be more familiar with the ISO’s definition than the scope of processing special category biometric data; and
- our previous work on biometrics found that a lack of clarity in terminology was causing confusion around how data protection law applied to biometric data.
Further reading
- ICO biometrics reports
- Special category data
- ISO/IEC 2382-37:2022 establishes a systematic description and vocabulary for the field of biometric technologies.
How do biometric recognition systems work?
Biometric capture, feature extraction and template creation
Biometric recognition begins with biometric capture. Biometric capture is the process of recording information relating to someone’s physical, biological or behavioural characteristics. This can be done either directly from a person, or from an existing representation of those characteristics, such as a photograph.
Biometric capture creates a biometric sample. Examples of biometric samples include:
- an image of someone’s face in a digital photograph;
- a recording of someone talking; or
- a video of them walking.
The key information extracted from a biometric sample is a biometric feature. A biometric feature is a digital summary of how a person’s characteristics make them unique. Biometric features often take the form of a string of numbers, and do not visually resemble the characteristics they describe. This is because they are intended to be readable by biometric algorithms, not by people.
Biometric algorithms are sets of rules that determine what automatically happens to biometric samples. For example, biometric algorithms determine how features are extracted from a sample.
When features are stored for reference, they become a biometric template. The process of creating a template for reference and associating it with a person is known as enrolment.
Both templates and samples can serve as biometric references, against which queries about someone’s identity can be checked.
Comparison
Biometric recognition systems work by comparing two sets of biometric features. The intended outcome of this comparison process is to establish how likely it is the two sets of features belong to the same person.
The first set of features is extracted from a biometric reference. The second set of features is extracted from a newly created sample. This new sample is known as a biometric query or biometric probe.
Depending on the specific use case, a biometric recognition system may compare features from a probe against those from a single reference, or from many references in a database (or watchlist). See What can we use biometric recognition systems for? for more information.
Biometric probes and biometric references are never exactly the same, even when they belong to the same person. This means that there will always be some variation between the probe and reference. Biometric recognition systems can therefore never be certain about an individual’s identity.
Comparison is a statistically informed estimate of similarity (or dissimilarity) between a biometric probe and a reference. The comparison process produces an estimate based on the probability of whether the probe and the reference belong to the same person.
Decision-making and thresholds
A threshold is the point at which a biometric recognition system considers the similarity between a probe and a reference to be statistically significant.
A threshold may be set by default by a biometric recognition system, or you may be able to vary it to meet your specific purposes.
A comparison resulting in acceptance means that the similarity between the probe and reference has met the threshold. This suggests that a probe and a reference relate to the same person.
Similarly, rejection means that the similarity between the probe and reference has not reached the threshold, which suggests that a probe and a reference do not belong to the same person.
The lower the threshold, the higher the chance that an accepted comparison may not actually relate to the same person. See Risks resulting from biometric false acceptance or rejection for more information on false biometric acceptance.
However, you should always take care when interpreting the acceptance and rejection decisions made by a biometric recognition system. This is because these decisions are statistically informed estimates based on probability, and there is always some degree of error that cannot be removed entirely.
Also, there are many real-world factors that can increase the probability of a rejection, such as environmental conditions. Therefore, you should not interpret the outcome of a comparison as a matter of fact.
What happens because of a threshold being met or not should depend on your circumstances.
For example, it depends on:
- what impact the decision could have on the person;
- what your use case and context is;
- what safeguards you have in place; and
- whether the system is making solely automated decisions.
It is important to understand:
- how the process of comparison works;
- what threshold your system works to; and
- whether your circumstances require further steps to confirm someone’s identity.
See What risks to rights and freedoms should we consider? for more information about how errors made by biometric recognition systems can result in harm.
See How do we process biometric data fairly? for more information on how to address the risks arising from the errors that biometric recognition systems can make.
What can we use biometric recognition systems for?
Biometric recognition includes both biometric identification and biometric verification.
Identification refers to a one-to-many matching process (1:N, where N is the number of biometric references in a database). A biometric probe derived from one person is compared with many references in a database. It asks the question “Who is this person?” or “Do we know this person?”.
For identification, the biometric reference of the person you are trying to identify must be in the database of biometric references that you are searching (ie they must have been enrolled).
While facial recognition technology is probably the best-known use of biometric recognition to identify someone, there are many other biometric approaches that are capable of identification.
Verification refers to a one-to-one matching process (1:1). A biometric probe is compared against a single biometric reference (ie a biometric template, or a biometric sample such as a passport photo). It asks the question “Is this person who they claim to be?”. Passport eGates are an example of biometric verification.
The term “authentication” has historically been used about both identification and verification, sometimes interchangeably. Current industry standards move away from using this term and our guidance reflects this.
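The comparison, threshold and acceptance/rejection process described under “How do biometric recognition systems work?”, together with the 1:1 verification and 1:N identification modes described above, as an added, constructed Python example. This is not ICO or ISO code: the enrolled templates, the probes and the names are made up, the feature vectors are three numbers rather than the long vectors a real feature extractor produces, and cosine similarity stands in for whatever comparison algorithm a real system uses.

```python
"""Toy biometric comparison: feature vectors, similarity scores, thresholds,
1:1 verification and 1:N identification. Constructed example; the templates,
probes and names are made up and the comparison algorithm is a stand-in."""
import math

# Hypothetical biometric templates (biometric references), one per enrolled
# person. Real templates are long vectors produced by a feature extractor;
# these 3-element lists are constructed stand-ins.
TEMPLATES = {
    "alice": [1.0, 0.0, 0.0],
    "bob":   [0.0, 1.0, 0.0],
    "carol": [0.6, 0.8, 0.0],
}


def cosine_similarity(a, b):
    """Similarity score in [-1, 1]; 1.0 means the two vectors point the same way."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    return dot / (norm_a * norm_b)


def compare(probe, reference, threshold):
    """Return (score, accepted). Acceptance means the score met the threshold;
    it is a statistical estimate of similarity, not a fact about identity."""
    score = cosine_similarity(probe, reference)
    return score, score >= threshold


def verify(probe, reference, threshold):
    """1:1 verification: 'is this person who they claim to be?'"""
    _, accepted = compare(probe, reference, threshold)
    return accepted


def identify(probe, database, threshold):
    """1:N identification: 'do we know this person?'. Returns every enrolled
    reference whose score met the threshold, best first; empty if none did."""
    candidates = []
    for name, reference in database.items():
        score, accepted = compare(probe, reference, threshold)
        if accepted:
            candidates.append((name, round(score, 4)))
    return sorted(candidates, key=lambda c: c[1], reverse=True)


# Constructed labelled probes: (feature vector, true identity or None).
# A probe never equals its reference exactly; the 'poor capture' probe models
# environmental variation; the stranger is not enrolled at all.
LABELLED_PROBES = [
    ([0.9, 0.1, 0.0], "alice"),          # good capture of alice
    ([0.7, 0.3, 0.3], "alice"),          # poor capture of alice
    ([0.1, 0.9, 0.0], "bob"),            # good capture of bob
    ([0.5, 0.5, math.sqrt(0.5)], None),  # not enrolled
]


def error_counts(threshold, database=TEMPLATES, probes=LABELLED_PROBES):
    """Count false acceptances and false rejections over the labelled probes
    at a given threshold, using 1:N identification against the database."""
    false_accepts = false_rejects = 0
    for probe, true_identity in probes:
        accepted_names = {name for name, _ in identify(probe, database, threshold)}
        false_accepts += len(accepted_names - {true_identity})
        if true_identity is not None and true_identity not in accepted_names:
            false_rejects += 1
    return false_accepts, false_rejects


if __name__ == "__main__":
    for t in (0.95, 0.8, 0.6):
        fa, fr = error_counts(t)
        print(f"threshold {t:.2f}: false accepts={fa}, false rejects={fr}")
```

Running the script prints the error counts at three thresholds. At 0.95 nothing is falsely accepted but the poorly captured probe of Alice is rejected; lowering the threshold to 0.8 turns that into an acceptance, but Carol’s template now also meets the threshold for probes that are not Carol’s, and at 0.6 even the unenrolled stranger is matched to Carol. That is the trade-off the guidance describes: the threshold sets where the system lands between false rejection and false acceptance, and neither error can be removed entirely.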
Example
An employer provides work devices to its employees. The devices include an on-device biometric recognition feature.
The employer offers its employees a free choice over whether to use this feature as an alternative to a password to access their work account.
This involves creating a biometric template that is stored on the device as a biometric reference.
Each time the employee wants to access the device, the biometric recognition system creates a biometric probe from a newly captured biometric sample (image of their face).
It then compares the biometric probe with the stored template. If the two match, the employee can then access their work account.
This means the employee’s biometric data is processed for the purpose of uniquely identifying them, even if the comparison is unsuccessful and the employee has to enter a PIN or password instead.
Both biometric identification and biometric verification are often used to control access to virtual or physical spaces. In these scenarios, biometric recognition systems replace a password (something you know) or a swipe card (something you have) with biometric data (something you are). Similarly, biometric verification is increasingly being used to control access to digital services, mobile devices and computers.
Biometric identification is also sometimes used to check whether someone signing up for a service has already registered under a different identity.
Both identification and verification require biometric data to uniquely identify someone.
Example
A rental company requires customers to prove that they have a valid driving licence prior to using their services. To make the check-in process quicker and more convenient for customers, the company offers customers a way to do it online before they check in.
If a customer decides to use this process, they are given the option to prove their details by uploading a scan of their driving licence and another photo of themselves. The company then uses a biometric recognition system to compare the two images and verify that they are of the same person.
This process involves processing special category biometric data to uniquely identify someone. In this case, it involves comparing biometric data generated from both photos to verify the identity of the customer.
The scalability of biometric recognition systems may be attractive in comparison to traditional access control systems that incur fixed costs (eg the need to issue new or replacement identity cards).
Biometric recognition systems may also be more secure than swipe cards or PINs from the perspective of controlling access. For example, people can’t forget or lose their biometric data but can share or misuse cards or PINs.
However, unlike access control technologies requiring PINs and passwords, biometric recognition systems are reliant on special category biometric data to function.
Do biometric recognition systems use personal information?
Yes. If you use a biometric recognition system, then you are processing personal information.
The purpose of any biometric recognition system is to recognise someone. This includes checking someone is the person they claim to be (verification) and checking whether they match anyone in a database (identification).
Both processes require information about an identified or identifiable person.
Because biometric samples contain information relating to identified or identifiable people, they are personal data under data protection law.
Do biometric recognition systems use biometric data?
Yes. If you use a biometric recognition system, you are also using biometric data.
This is because biometric recognition systems process personal information that meets all three parts of the definition of biometric data in data protection law, which are listed below.
The personal information relates to someone’s physical, physiological or behavioural characteristics
“Physical and physiological” means someone’s biological characteristics.
These characteristics can include a person’s facial features, friction ridges on their fingers (which are what create our fingerprints), iris, voice and even their ear shape.
Examples of physical or physiological biometric recognition techniques include:
- facial recognition;
- fingerprint recognition;
- iris recognition;
- voice recognition; and
- ear recognition.
Physical characteristics are used by biometric recognition systems because they can provide a lot of information that typically varies from person to person.
“Behavioural” is about biometric characteristics that relate to things like movements, gestures or motor skills. Behavioural characteristics can include a person’s handwriting, how they type, their gait when walking or running and their eye movements.
Examples of behavioural biometric recognition techniques include:
- keystroke recognition;
- handwritten signature recognition;
- gait recognition; and
- gaze-based recognition.
The personal information results from specific technical processing
The term "specific technical processing" describes a processing operation – or set of operations – that can be applied to a person’s physical, physiological or behavioural characteristics, which makes it possible to uniquely identify them.
This means there's a difference between things like "ordinary" digital images and how these may be used in the context of biometrics. For example, data protection law says that photographs:
“are covered by the definition of biometric data only when processed through a specific technical means allowing the unique authentication of a natural person.”
While someone's physical characteristics may be shown in a photo, this isn't enough to make that photo biometric data. It's only when something else happens to that photo – a discrete processing operation or set of operations that result in something that allows or confirms someone's unique identification – that the result becomes biometric data.
For example, if specific techniques are applied to the photo to extract someone's facial features, then the photo has been "processed through a specific technical means" that allows the person to be uniquely identified.
The information resulting from specific technical processing not only describes the end result of the processing (ie a biometric template or a biometric probe). It also covers any information produced by these specific technical processes, regardless of how long it exists for. If this information is capable of uniquely identifying someone, it is biometric data.
The term "specific technical processing" can also refer to the main stages involved in biometric recognition systems. For example:
- biometric feature extraction, where the information in the biometric sample is extracted and transformed by an algorithm into a biometric feature; and
- biometric template generation, where a biometric feature is stored as a biometric template.
The personal information allows or confirms someone’s unique identification.
This is about the properties of the information itself, not what you intend to use it for.
In data protection law, if you can distinguish someone from other people, then that person is "identified" or is "identifiable". This may be from the information itself, other information you may hold, or other information someone else may have.
However, the term “unique identification” is slightly different. Unique identification, as described in UK caselaw, refers to someone being singled out with accuracy (ie where they are distinguished from others with a level of precision).
Unique identification for the purposes of biometric data does not consider other sources of information you may hold or might be available. It is about whether someone can be directly identified from that information, with accuracy. It therefore differs from the question of identifiability and personal information.
All biometric recognition systems process biometric data. This is the information that allows them to uniquely identify someone. Any attempt at unique identification doesn’t have to be successful to meet this definition.
Even if you do not intend to use biometric data to identify someone, the properties of biometric data mean that you can use it for this purpose. The wording “allow or confirm” means that you will meet this part of the definition if it is possible to identify someone, even if this is not your intention.
Example
An employer may be able to identify a staff member from an audio recording of a meeting, even if the staff member didn’t state their name. The recording therefore includes personal information about that staff member.
However, this doesn’t make the audio recording biometric data, as it doesn’t result from specific technical processing of the staff member’s characteristics (ie their voice).
The same organisation then buys a voice recognition solution to transcribe audio recordings and attribute what was said to particular people who attend the meetings.
This first involves enrolling all meeting attendees onto the system. To do this, a sample is captured – either directly from a person or from a voice recording. Biometric features are then extracted from the sample and stored as a biometric template. It then requires the voice recognition solution to capture new biometric samples, create biometric probes and compare these against the stored templates.
All of these stages involve biometric data. The information results from specific technical processing of someone’s characteristics and can be used to directly identify them with a degree of accuracy.
As the employer intends to process the biometric data for the purpose of uniquely identifying the meeting attendees, it is therefore also special category biometric data.
Further reading
- Bridges v South Wales Police (EWCA Civ 1058 – C1/2019/2670)
UK caselaw referring to the concept of unique identification.
Do biometric recognition systems use special category biometric data?
Yes. If you use a biometric recognition system, you are using special category biometric data. This is because the purpose of biometric recognition systems is to uniquely identify someone using biometric data.
The UK GDPR says that biometric data is special category data if it is processed:
“for the purpose of uniquely identifying a natural person.”
This is slightly different from the definition of biometric data. Instead, it is specifically about the purpose you intend to use that information for.
This makes special category biometric data different to the other special categories of information. For example, political opinions or racial origin are about the nature of the information alone, rather than any additional consideration of the purposes you are processing the information for.
This means that if your purpose is to uniquely identify someone, you are processing special category biometric data from the moment you collect the biometric data. It is not the case that you are only processing from the point that you attempt any comparison for identification or verification purposes.
However, it is also important to remember that you are still processing special category biometric data, even if:
- you do not find a match, as you are still creating and comparing biometric data for the purpose of unique identification; or
- you do not need to know who the person is to achieve your overall purpose (ie you do not attempt to link the comparison of biometric features to any other known information about that person’s identity like their name). This is because you are still singling someone out with accuracy (uniquely identifying them).
At any stage, if your use of biometric data requires you to uniquely identify someone, then you are processing special category information.
Example
An organisation has an area on its premises that it uses to store highly hazardous chemicals. Previous attempts to limit entrance to this area have failed because employees have shared their PINs with those not authorised to access the area. The organisation adopts a biometric recognition system instead to ensure that only approved staff can access the sensitive area.
It enrols all authorised staff onto the system. This involves taking a digital image of their thumb. This image is processed to extract biometric features, which are then stored as a biometric template.
Every time a member of staff places their thumb on the door sensor, a probe is created and compared with the stored biometric references to confirm whether they are in the database of authorised personnel.
Even if the system does not find a match, the purpose of this processing is to uniquely identify someone from their biometric data.
To implement this biometric recognition system, the organisation needs a lawful basis and an Article 9 condition.