The increasing use of biometric technology raises questions about the technology's impact on privacy in the public sector, in the workplace, and at home. Recently we all heard about plans from the Post Office to 'make millions by selling your personal information to private companies'. Will the same take place when businesses start to use biometric technology? In order to raise awareness of issues related to personal and informational privacy in the biometric industry it is important to understand what biometrics are and in what way it will affect you.
What is biometrics?
Biometrics means the study of measurable biological characteristics. In computer security, biometrics refers to authentication techniques that rely on measurable physical characteristics that can be automatically checked. There are several types of biometric identification schemes, eg, face, fingerprint, hand geometry, retina: the analysis of the capillary vessels located at the back of the eye, iris: the analysis of the coloured ring that surrounds the eye's pupil, signature: the analysis of the way a person signs his name, vein: the analysis of pattern of veins in the back of the hand and the wrist, voice, DNA pattern analysis and even sweat pore analysis.
Biometric data is personal information
Unfortunately South Africa has not reached the stage of being a country with specific data and privacy protection legislation. We very much have to rely on a few sources to determine our right to privacy as an individual, eg, South African Constitution, Section 14 and common law. The latest Electronic Communications and Transactions Act 25 of 2002 does refer to 'personal information' and how to deal with it, in chapter VIII, section 50 and 51. Biometrics can be seen as part of the ECT Act's definition of 'personal information'. Unfortunately (again!!) the legislation's bark is louder than the bite, for the person who electronically collects, collates, processes or stores personal information (data controller) from or in respect of a natural person (data subject) from whom personal information has been requested, may voluntarily subscribe to the principles outlined in section 51, which stipulate that, for example, the data controller must obtain written permission from you as a consumer to collect, collate, process or disclose your personal information and may not use it without the necessary consent etc. At the end of the day, the biometric service provider has no obligation to comply to section 51.
What to look out for when asked to use biometric technology?
1. What information is captured? It should not be expanded to perform broader verification or identification-related functions than originally intended.
2. Purpose and duration? Biometric information should only be stored for the specific purpose of usage in a biometric system, and should not be stored any longer than necessary. Biometric information should be destroyed, deleted, or otherwise rendered useless when the system is no longer operational; specific user information should be destroyed, deleted, or otherwise rendered useless when the user is no longer expected to interact with the system.
3. Protection at all stages: Is the information protected during storage, transmission, and matching.
4. Only authorised access: Access should be limited to certain personnel under certain circumstances, based on the companies Record Retention Policy. The latter and the Communications Policy need to be inline with the latest promulgated Regulation of Interception of Communications Act 70 of 2002 - "No communications can be intercepted, except..."
5. Segregation of biometric information: Biometric data should be stored separately from personal information such as name, address, and medical or financial data.
6. Ability to 'unenroll': You should, where possible, have the right to control usage of your biometric information, and the ability to have it deleted, destroyed, or otherwise rendered unusable upon request.
7. Correction of and access to biometric-related information: System operators should provide a method for yourself to correct, update, and view information stored in conjunction or association with biometric information.
Although this field is still in its infancy here in South Africa, many people believe that biometrics will play a critical role in the future, and especially in electronic commerce. Biometric data is personal information, there are various situations in which its collection, storage, and usage by individuals, employers or government agencies is beneficial, but before using biometric technology, ensure that the service provider understands the risks involved and whether the service provider manages your information in a secure way.
Gerrit van Gaalen, an attorney from Buys Inc, will discuss this topic in more detail during the Biometrics 2004 Conference: 6-7 September 2004, Inter-Continental Sandton Sun & Towers, Sandton, Johannesburg
For more information contact Gerrit van Gaalen, Buys Incorporated Attorneys, 011 215 2270, email@example.com