Increased Use Brings Increased Regulation
As with any other use of personal data, the growing application of biometrics worldwide has raised concerns about who is collecting biometric data, for what purpose, for how long, and how well it is safeguarded. Unlike a password, a biometric identifier cannot be reissued if it is compromised, which is why regulators treat it as a sensitive category of data. Fortunately, the benefits of biometrics far outweigh the effort of complying with the regulations that govern them.
In the United States there is no single federal law governing the collection and use of biometrics. At the time of writing only three states (Illinois, Texas and Washington) have passed laws that define proper biometric usage protocols and set penalties for non-compliance. The most impactful of these is the Illinois Biometric Information Privacy Act (BIPA), passed by the Illinois General Assembly in 2008, which governs the collection, use, possession and storage of biometric information. To protect consumers, BIPA grants a private right of action and provides statutory damages for each violation: $1,000 (or actual damages, whichever is greater) per negligent violation and $5,000 (or actual damages, whichever is greater) per reckless or intentional violation.
Straightforward Ways to Comply with BIPA Requirements
Fortunately, meeting BIPA's requirements is well within the reach of most companies.
There are some common-sense steps that a business must take as part of any biometric deployment for its employees. The first is to create a cohesive, documented plan and communicate it properly.
Before collecting someone’s biometric information, your organization should:
- Publish a detailed written policy, available to the public, that states the specific purpose for which the data is collected, how it is collected, how it will be used, whether and how it will be disclosed, and how long it will be used, retained and stored
- Inform users, in writing, how and when their biometric information will be destroyed; BIPA requires destruction once the purpose for collection has been satisfied or within three years of the individual's last interaction with the company, whichever comes first
- Document and implement security controls that protect the data to at least the same standard the company applies to its other confidential and sensitive information, bearing in mind that a leaked biometric template cannot be reset the way a password can
- Obtain each user's explicit written consent (BIPA calls this a written release) before collecting their information
Resources to Further Simplify Biometrics Compliance
Companies that use or are considering biometrics should engage their human resources and legal teams to define a biometric privacy program that meets the applicable compliance requirements. Fortunately, a growing number of resources offer valuable guidance. Here are a few:
International Biometrics + Identity Association (IBIA)
The International Biometrics + Identity Association's white paper gives an in-depth treatment of the components of a comprehensive biometric security and privacy program. Additional information is available in the IBIA resource library.
The SANS Institute
The SANS Institute, a cooperative research and education organization, has published a research paper that analyzes the use of biometrics in commercial applications, interprets the relevant state legislation (including BIPA) in detail, and sets out a comprehensive Biometrics Compliance Framework.
The Biometrics Institute
Members of the Biometrics Institute can access its updated Universal Privacy Guidelines for Biometrics, a set of best-practice guidelines that also covers the factors introduced by the General Data Protection Regulation (GDPR) as it applies to biometrics.
Simple, Safe and Here to Stay
Biometrics are powering trusted identities in surprising ways all around the world. While regulation and compliance obligations are necessarily growing alongside their use, biometrics remain one of the simplest, most convenient and most secure ways of proving identity. Discover how biometrics are changing health care in our white paper, Biometrics in Healthcare: A Biometric Research Group Report.