Federal privacy commissioner issues biometrics guidance for public and private sectors

Philippe Dufresne, Canada’s privacy commissioner, has released new guidance containing consent requirements and other significant considerations for public and private organizations planning and implementing biometric technology initiatives. 

According to a news release from the Office of the Privacy Commissioner of Canada (OPC), the guidance tackles: 

• the necessity for an appropriate purpose to collect, use, and disclose biometric information 
• the need for careful assessment of the proportionality of possible privacy impacts and other risks involved  
• considerations regarding transparency, data protection, accuracy, and biometric system testing 

The OPC shared that it conducted a public consultation with stakeholders on draft versions of the guidance between November 2023 and February 2024. The OPC noted that the consultation’s participants included representatives from academia, civil society, business, legal associations, public institutions, and members of the public.

The OPC said it accepted 34 written submissions and discussed the stakeholders’ insights with 31 organizations. After completing its consultation, the OPC amended the draft guidance documents to reflect the stakeholders’ feedback. 

Specifically, the OPC: 

• clarified the definitions and uses of essential terms, including the definition of sensitive information 
• more closely aligned the guidance and legal requirements 
• added nuance and specificity to discussions of technical explanations, requirements, and best practices 
• edited the guidance on consent 
• adjusted the criteria for assessing the appropriate purposes applicable to the private sector 
• reorganized the guidance on impact and risk assessments for the public sector 
• emphasized lawful authority, relevant to the public sector 

Context of guidance

According to the OPC, organizations seek to offer efficient access to goods and services while keeping up with the shifting security considerations amid the current digital environment. To this end, organizations have increasingly used biometric technologies to verify identity, improve security, and aid in providing and delivering services. 

The OPC listed requiring fingerprint scanning to access buildings or facial recognition technology to unlock phones as examples of how organizations have utilized biometrics. 

However, the OPC stressed that biometric technologies can engage privacy concerns. In its news release, the OPC noted that biometric information is: 

• often unique 
• intimately connected to a person’s body 
• unlikely to shift much as time passes 
• capable of revealing information regarding health, race, and gender characteristics, among other sensitive data 

“Organizations need to approach the use of biometric information in a privacy-protective way, building privacy considerations at the beginning of any new program or initiative,” Dufresne said in the news release. “Prioritizing privacy in this way supports innovation and helps create conditions for a more secure and enriching digital society.”