Guidance for biometrics

  • March 26, 2024

The Privacy and Access Law Section of the Canadian Bar Association wrote to the Office of the Privacy Commissioner of Canada in response to a public consultation on new draft guidance on biometric technologies. The goal of the guidance is to provide information on privacy obligations, considerations and best practices for handling biometric information.

The first consideration is to ensure the use of biometrics is reserved for cases where it is appropriate and balanced. “The framework set out in the draft guidance, following Turner v Telus, is comprehensive, coherent and workable,” the letter says.

Given the expected evolution of this technology, it would be unwise to bake in categorical prohibitions, other than on uses of biometrics that result in a violation of other laws. “The OPC’s final guidance should include a clear statement that use of biometrics may involve other laws which are to be considered to decide whether the use of biometrics is appropriate.”

Some situations require the use of multi-modal biometrics, or systems that use two or more biometric identifiers. “Organizations should be urged to limit the number of biometric identifiers they collect,” the letter states, “but whether the use of a multi-modal system is an over-collection will depend on the context.”

Given the sensitivity of the data collected, safeguards are particularly important. The CBA Section recommends fraud detection approaches that do not directly identify an individual. “The approach to safeguards will change constantly as technology evolves and the recommendations should reflect that fact.”

Most organizations use third-party services for their biometric applications. “The guidance presumes that the organization has control over the build out of the technology, which generally it does not,” the letter states. Many of the third parties used are based in the United States or the European Union. With that in mind, the guidance should “refrain from adopting a prescriptive approach, granting organizations (and third-party service providers) the flexibility to assess their circumstances and determine the best measures to implement for each of their biometric initiatives.”

Every organization must have a robust accountability plan. The CBA Section recommends relying on basic principles listed in Schedule 1 of the Personal Information Protection and Electronic Documents Act. “A third-party can handle breach reporting but account for privacy of client information,” the Section notes. “This is integral to biometric protection of information and keeping client identity safe.”