3. Technology, Media & Telecommunications
  5. Singapore: PDPC publishes guide on responsible use of biometric data in security applications

Singapore: PDPC publishes guide on responsible use of biometric data in security applications

30 Jun 2022    6 minute read
IPTech DT Featured Content

In brief

In May 2022, the Singapore Personal Data Protection Commission (PDPC) published a guide to help organisations collect, use or disclose individuals' biometric data in a responsible manner ("Guide"). With security applications like security cameras and Closed-Circuit Television Cameras (CCTVs) becoming increasingly commonplace, there have been more cases of organisations mishandling individuals' biometric data. The release of this Guide serves as a timely reminder for organisations to review their existing measures or implement new measures to ensure that they are dealing with individuals' biometric data in a responsible manner.

Contents

In more detail

While this Guide is not legally binding on individuals and organisations, it reflects the PDPC's stance with regard to the handling of biometric data in a security setting. Organisations should look into and consider the best practices that are provided in the Guide to ensure that they are in compliance with their legal obligations under the PDPA and are not exposed to legal risks and liabilities.

Target Audience

The Guide is targeted at security applications that use personal data, as well as organisations that use such security applications. The Guide does not apply to individuals who use security or biometric systems for private purposes. The Guide is only intended for organisations' use of biometric data in security applications, and does not extend to other commercial purposes.

Key Terminology and Processes

  • Biometric data: Biometric samples or biometric templates created through technical processing of biometric samples.
  • Biometric samples: Data relating to the physiological, biological or behavioural characteristics of an individual, including facial images, fingerprints and voice recordings.
  • Biometric templates: Binary representations derived from the application of an algorithm to biometric samples, and are considered anonymised data on their own.

When processing a biometric sample, the algorithm in the biometric system will extract a digital representation of its features or characteristics and transform it into a biometric template. The template will then be used against the presented biometric samples in the process of verifying or identifying individuals.

Best Practices to Collect, Use and Disclose Biometric Data

The immutable nature of biometric data presents risks that organisations need to be aware of when procuring biometric recognition systems for security applications. The table below summarises the different risks associated with biometric recognition technology and the measures that organisations may consider implementing to mitigate the risks.

 

Risks

Description

Measures

Identify spoofing

Using a synthetic object with the physical characteristics of an individual to obtain a positive match in the system
  • Implement anti-spoofing measures (e.g. liveliness detection) within the system
  • Install biometric systems with facial recognition function near a manned security post / security officers
  • Encrypt data-at-rest and data-in-transit to prevent possible tampering with biometric data

Error in identification

False negatives: Occurs when the threshold for matching is set too high and the system fails to identify enrolled individuals

False positives: Occurs when the threshold for matching is set too low and the system wrongly identifies a person as an enrolled individual
  • Consider the impact of false positives and false negatives, and the relevant industry practice and implement a reasonable matching threshold 
  • Include additional factors of authentication (e.g. access cards) to complement the existing matching thresholds

Systemic risks to biometric templates

The uniqueness of a biometric template may be diluted if the algorithm used to create the template is used multiple times by the service provider across different sets of customers
  • Encrypt biometric templates in databases
  • Introduce a salt when encrypting biometric templates
  • Consider using customised algorithms to preserve the uniqueness of biometric templates

 

Apart from being familiar with the risks present in the deployment of biometric recognition technology, it is equally important for organisations to protect biometric data at all stages of their life cycle. Organisations can consider adopting the following best practices:

Life Cycle

Measures

Collection
  • Notify individuals regarding placements of security cameras
  • Obtain the consent of individuals before collecting biometric data

Processing / Usage
  • Limit access to recordings of security cameras
  • Process biometric samples collected to extract biometric templates immediately, and only use biometric templates in the process of recognition
  • Ensure decrypted biometric templates that are still in the system do not carry out matching processes

Storage
  • Limit access to the storage databases of security cameras
  • For biometric recognition systems, discard biometric samples once biometric templates have been extracted
  • Isolate biometric templates from other identifying information of individuals in order to prevent the linking of the two
  • Implement safeguards to protect the databases holding the biometric data (e.g. encrypting biometric data, introducing salt to the encryption process etc.)

Disposal
  • Permanently delete biometric data (and any copies made) from the system

 

Obligations under the PDPA

The Guide discusses some of the purposes that organisations may collect, use or disclose personal data for, which include controlling access to services / premises, maintaining a safe working environment, security monitoring of premises and investigations, and enhancing security operational efficiency for premises.

Organisations may rely on the following exceptions to consent in the PDPA when collecting, using or disclosing the biometric data of individuals:

  • "Publicly available data" exception: Organisations can rely on this exception when collecting biometric samples in public locations or where individuals may be observed by reasonably expected means. It allows organisations to collect, use or disclose the biometric data collected for security purposes.
  • "Legitimate interests" exception: Organisations may collect, use or disclose personal data without first obtaining the consent of an individual if, after conducting a legitimate interests assessment, determines that the legitimate interests of the organisation / other individuals in the security use cases outweigh any likely adverse effect on the individual.
  • "Business improvement" exception: Organisations may rely on this to use the biometric data without consent to improve their crowd management and security operations as part of their business or service offerings.

The other obligations under the PDPA, such as the access and correction obligation, protection obligation, data breach notification obligation and retention limitation obligation similarly apply to biometric data. For access obligation, while obligations may request access to their biometric data, organisations need not disclose biometric templates to individuals. The Guide explains that biometric templates, unlike the samples collected, will not serve any purpose outside the organisation's biometric recognition system. Further, the PDPC made clear that biometric templates are considered confidential commercial information, and the organisation's security system may be jeopardized if such information falls into the wrong hands. Organisations are also encouraged to establish a Data Protection Management Programme detailing the organisation's policies and practices related to the handling of biometric data.

In deciding the type of biometric system to be implemented, an organisation shall consider (i) the purpose, requirements and alternatives to the installation of such systems, (ii) the possibility of minimising the collection of personal data when using biometric systems in fulfilling its business objective, (iii) an individual's privacy intrusion perception, (iv) context and frequency of using biometric systems, and (v) the potential risks and level of protection conferred by each biometric system.

The complete Guide on Responsible Use of Biometric Data in Security Applications can be accessed here.

Related articles

Singapore: The High Court issues injunction to block potential sale and transfer of NFT

Singapore: Launches World's first AI Governance Testing Framework and Toolkit

Singapore: Government proposes Codes of Practice to regulate harmful online content on social media

 

LOGO_Wong&Leow_Singapore

© 2022 Baker & McKenzie.Wong & Leow. All rights reserved. Baker & McKenzie.Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "principal" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

Contact Information
Andy Leck
Principal
Singapore
Read my Bio
andy.leck@bakermckenzie.com
Ken Chia
Principal
Singapore
Read my Bio
ken.chia@bakermckenzie.com
Ren Jun Lim
Principal
Singapore
Read my Bio
ren.jun.lim@bakermckenzie.com
Abe Sun
Principal
Singapore
Read my Bio
vasan.abe.sun@bakermckenzie.com

Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.

HighQ
Copyright Baker McKenzie 2024 | Disclaimers | Supplemental Privacy Statement