RISHI MAHARAJ, executive director of EquiGov Institute
Recently I opened a new account at a local banking institution. As part of the process, I filled out the required forms which included due diligence for anti-money laundering obligations. I did up the forms online and emailed it into the bank and went in on the prescribed day and time for my appointment to formalise and open the account.
All the steps to open the account were pretty standard: I walked with my identification cards for validation of identity, utility bills for validation of address and statements for validation of funds. Also, I was asked to do my signature three times to assist with signature verification re transactions and cheques etc.
Like I said all the steps were standard. However, the one thing that stood out to me was that I was asked to look into a camera attached to the officer’s computer so that a photo can be taken of me. In my previous visit to that same bank about two years ago to open an account I cannot recall being asked to look into a camera for a picture to be taken.
Such has the world changed in the last three years, that now many businesses are now moving towards adopting identity access management practices as part of their client onboarding or employee identity process. As a data protection practitioner, this process of course had me thinking about the data protection implications of adopting such technologies from a business perspective and the risk involved not only from the business side but also the customer/employee perspective.
I should add here that Trinidad and Tobago does have a data protection act that was passed in 2011. However, the act was never fully implemented and at present the government is in the process of amending the act based on global developments over the last ten years, most notably the the EU's General Data Protection regulation of 2018. So, as it stands now (subject to correction) there are no laws to regulate the use of these technologies in TT.
In essence biometric data is personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of individuals. Biometric data allows for or confirms the unique identification of an individual. Today’s most common examples of processing activities involving biometric data are facial or iris scans, voice recognition applications and fingerprint access systems. Under most data protection laws including our present one, this type of data is characterised as sensitive personal data an as such caries more obligations by businesses wanting to use them.
More and more companies are considering implementing systems that process biometric data for authorisation or security purposes (eg access control, monitoring of worked hours, building security). Depending on the context in which it is used, the use of biometric data may increase user comfort, efficiency of operations and security (as opposed to building access tags, biometric data cannot be lost). However, the use of such systems is considered very privacy intrusive and many data protection laws now only provides limited room to apply such operations in practice. This is a challenge in most standard use cases.
Because of the sensitive nature of operations involving the processing of individuals’ biometric data, the many regulators actively punishes such unlawful activities. Recently the Dutch regulator imposed one of its highest fines on an organisation that unlawfully used biometric data of its employees for attendance and time registration.
One of the major issues relating to the collection and use of biometric data is of course privacy. Unlike passwords and verification codes, biometrics are fundamental parts of users’ identities. Whether inherited or learned, these markers are core aspects of a person and can’t be changed. Hacked passwords are easy to reset, but what can consumers and employees do if a hacker steals what’s essentially part of their biology?
Then there are issues such as inaccuracy and fraud to consider. Most user passwords are encrypted and hashed which is often difficult or impossible for hackers to decode. By contrast, scanners used to capture and read biometric data aren’t accurate 100 per cent of the time. Even slight variations in how a user touches a fingerprint scanner or looks at a camera during a facial scan will create different images. The resulting discrepancies can cause authentication to fail and lock legitimate users out of the system.
Once identifiers are collected, the data has to be stored somewhere. Because no form of storage can be considered completely safe, this creates the same problem as any other access management strategy in which businesses are responsible for securing users’ identities. Encrypting data during transfer only addresses part of the problem, since hackers can still access biometric information as it’s collected and when it’s being matched to previously captured data. Businesses can improve security by adopting runtime encryption, which keeps sensitive data encrypted during use, or choosing not to store biometrics at all.
Businesses faced with the challenges of implementing biometric authentication need expert help to prevent the personal identifiers of their customers and employees from becoming compromised. With so much at risk, both an accurate understanding of potential vulnerabilities and a solid identity theft prevention plan are essential to preserve the privacy and integrity of personal data.
The Equigov Institute provides consultancy, training and research in data privacy/protection, governance, information access, transparency, and monitoring and evaluation.