top of page
  • awcollison8

Do Your Information Governance Policies Address Biometric Data?

Fingerprint acess into a locked area.

As technology advances, the collection and storage of biometric data has become prevalent across various industries. Biometric data, which utilizes unique physical and behavioral attributes for identification, offers organizations many benefits. The definition of biometrics data may vary by jurisdiction. Given this reality, privacy and data management practices need careful consideration.

Text examples of biometric data.

Many information governance professionals believe their companies are not using biometric-related technology; therefore, most don't have governance rules over the data. At Kahn Consulting, when we engage with a client, we use a process called "business profiling" to understand the company's business activities, technology, and data. Often when we start exploring biometrics, the information governance professionals and lawyers immediately say that we can skip that line of investigation because the company doesn't use any biometric-related technology or data. However, when we start exploring potential uses (see below), they immediately lose their confidence in their initial response and appreciate why they need to do more homework to determine what the company may be doing with biometric data.

Here are a few examples where biometric data is being used. Hopefully, the examples will trigger you to consider where your company might use biometric data and determine if your information governance policies, processes, and practice address the data.

Biometric Banking: Banks use biometric authentication techniques like fingerprint or iris scans to improve account security and prevent fraudulent activity during transactions. Fargo and Barclays are among the banks that have adopted biometric banking features.

Text Fortune Business Insights predcitions of facial recognition technology.

Workforce Management: Companies use biometric time and attendance systems, such as fingerprint or palm scans, to accurately track employees' working hours and streamline HR processes. ADP's Time and Attendance solutions are one example of this technology.

Payment Systems: Companies are using biometrics such as handprints to tie payment systems to a specific credit or debit card. Amazon is an example of a company using this technology in its brick-and-mortar stores.

Facilities Management: Many companies have biometric-related entry systems into a building or specific high-risk areas of facilities such as data centers, research centers, etc. Facebook, Google, Apple, and Tesla are companies that have been using this for years.

Timekeeping Systems: Organizations with hourly employees often use timekeeping

systems requiring biometric identification to avoid fraudulent time-tracking activities. Walmart, Home Depot, FedEx, Ford, UPS, and Target are examples of companies using this technology.

Biometrics in Healthcare: Hospitals and healthcare facilities use biometric identification to access medical records securely and prevent fraud. Companies like Imprivata, Cerner, and Epic provide biometric solutions for healthcare authentication.

Biometrics at Airports: Airports employ biometric screening to expedite security checks and boarding processes. For instance, Heathrow Airport in London uses facial recognition technology for faster security clearance.

Smartphone Security: Companies incorporate fingerprint, face, or iris recognition to unlock phones or apps, making it more convenient for users to access their devices securely. Examples include Apple's Face ID and Samsung's Ultrasonic Fingerprint Scanner.

End User Identification: Behavioral biometrics track various user behaviors, such as typing speed, keystroke dynamics, mouse movements, touchscreen interactions, and even the angle at which a user holds their smartphone. The system can create a unique profile for each user by continuously monitoring and learning these behaviors over time. The Royal Bank of Scotland is an example of a financial institution using such technology to protect its customers.

Entry to Event: Event management companies, professional teams' stadiums, concert halls, etc., are using facial authentication for faster entry into events. The Cleveland Browns are now using facial recognition to enter their stadium.

Biometrics in Sports: Performance, fitness, and recovery of athletes are tracked and monitored using biometric data in sports analytics. This information helps coaches and athletes optimize training routines and improve overall performance. Many NFL, NBA, and MLB teams use this technology to improve performance and monitor the health of their players.

Biometrics for Health Diagnosis: Biometric data is used to aid in medical diagnoses and treatment plans. For instance, retinal scans can help detect early signs of certain diseases, and voice analysis may help diagnose certain medical conditions. The Mayo Clinic is one of the healthcare organizations that is advancing the use of this technology.

Border Security: Biometric passports or visas verify travelers' identities, enhancing security, and streamlining the immigration process. Many countries, like the US Customs and Border Protection's Biometric Exit program, have implemented biometric border control systems.

National ID Systems: Countries have introduced biometric cards or databases to give citizens unique identities, improving government services and welfare distribution. For instance, India's Aadhaar program uses biometric data to identify and access various services.

You get the point - Biometric data is everywhere. Governance professionals should err on the side of assuming that it is in use in their company somewhere, somehow, and they should do their homework to determine the facts. High-risk data must be identified and managed according to laws, regulations, and business needs.

Data Management Challenges

Security Breaches: Biometric data is valuable, which causes hackers and other cybercriminals to want to attack it. Businesses must have strong security measures to prevent unwanted access and data breaches.

Data Storage and Retention: Securely storing biometric data is essential, and companies should only retain such data for as long as necessary. Prolonged retention may increase the risk of exposure and potential misuse.

Consent and Transparency: Obtaining informed consent in accordance with the law from individuals before collecting and using their biometric data is critical. Transparency about the data collection and storage practices helps build trust with users.

Legal Compliance: Biometric data collection is subject to various protection laws and regulations. Violating these standards may result in serious legal repercussions and harm a company's reputation.

Ethical Concerns: Companies must grapple with ethical considerations when using biometric data. They should balance the benefits of using this technology and the potential risks to individual privacy and human rights.

Mitigating Risks and Ensuring Responsible Biometric Data Management

Encryption and Access Controls: Employ strong encryption methods and access controls to protect biometric data from unauthorized access.

Anonymization and De-identification: Store biometric data anonymized or de-identified to reduce the risk of associating it with specific individuals.

Regular Security Audits: Conduct frequent security audits and vulnerability assessments to identify and address potential data storage and protection weaknesses.

Secure Data Sharing: Establish stringent data-sharing agreements with third-party providers and ensure they adhere to the same data protection standards.

Data Minimization: Limit biometric data collection to the minimum required for the intended purpose and avoid excessive data retention.

While using biometric data offers numerous benefits, it also presents significant privacy and data management challenges. Companies must prioritize the security and protection of biometric information, considering the irreversible nature of this data. Organizations can mitigate risks and ensure responsible biometric data management by implementing robust security measures, obtaining informed consent, and adhering to legal and ethical guidelines. Safeguarding user privacy should remain at the forefront as technology continues to shape our interactions with the digital world.


bottom of page