
© Biometrics Institute 2019 www.biometricsinstitute.org 1

CONDUCTING A BIOMETRICS PRIVACY IMPACT ASSESSMENT (PIA)

LONDON 31 OCTOBER 2019

Hon TERRY AULICH

Chair, Biometrics Institute Privacy Experts Group


INTRODUCTION: WHO SHOULD BE INVOLVED? WHY A PIA?

a) Your most senior executives and your specialists, such as privacy officers, IT and security officers and legal advisers, should be involved.

b) The PIA is a guide to help you assess your privacy environment in terms of risks and threats and a whole-of-enterprise commitment to privacy.

c) The PIA provides a benchmark against which future operations and audits can be conducted.

d) The PIA should be conducted every time a new biometric business model is being planned.


SETTING UP A PIA

a) Ensure that the business model for the introduction of a biometric system includes a PIA; briefly examine similar organisations that have damaged consumer trust and their reputation through privacy failures.

b) Ensure that the PIA and the proposed biometrics-based business model are signed off by the most senior executives and become part of a regular reporting process to them.

c) Ensure that the PIA results are seen by senior executives and are capable of being a benchmark that can be referred to as required and be a base resource for future privacy audits.

d) Use an independent expert to oversee a PIA, but recognize that you can cut costs and time by doing most of the preliminaries.


CONDUCTING THE PIA

The PIA should follow this basic format, modified where necessary by legal and specific enterprise requirements.

Section 1: SCOPE

Section 2: DESCRIPTION of the SYSTEM

Section 3: RELEVANT PRIVACY DATA REGULATIONS, DIRECTIVES, LAW

Section 4: INFORMATION FLOW MAPPING

Section 5: ASSESSMENT AGAINST BIOMETRICS INSTITUTE PRIVACY GUIDELINES

Section 6: RECOMMENDATIONS

Section 7: DEFINITIONS



WORKING THROUGH THE MODEL PIA. DOES IT NEED ADJUSTMENT FOR YOUR ENVIRONMENT?

• Bank

• Border Control

• Telecom

• University

• Hotel chain

• Biometrics vendor

• Census


SECTION 1: SCOPE

a) Set out the precise scope and purpose of the project that the PIA is intended to evaluate. For example, is the biometric intended to be used to enable commercial operations such as retail telecommunications or is it being used to admit people to a government service?

b) Clarify the boundaries, where applicable, between the biometrics system under evaluation and your other information systems.



SECTION 2: DESCRIPTION OF THE SYSTEM

a) Describe the proposed system's features, functions and benefits.

b) Identify the target market and users; for example, retail clients of a bank.

c) Assumptions should be described. For example, the system might enable end-user customers to access their bank accounts only; it may identify a person for border purposes only and not apply to any in-country purpose such as access to social security; or it may function as an identification system for both border entry and social welfare payments.

d) Specialized technical, biometric-related information. A PIA should explore special technical or specific biometric information of relevance to the system, such as encryption, tokenization, de-identification, special hardware and so on. You should document the technologies to be used and describe how they contribute to functionality, efficacy and privacy protection. What are the possible risks of using that technology? Any special features of the sensor technology should be described here. Describe in simple terms which biometrics are to be used and why they have been chosen.


SECTION 3: RELEVANT PRIVACY AND DATA REGULATIONS, DIRECTIVES AND LAWS

a) Document any relevant laws, regulations or directives that relate to the collection, selection, use and handling of personal data and the associated biometric systems. See also the Biometrics Institute’s Privacy Guidelines, which provide extra guidance across all jurisdictions.

b) Include in your documentation any possible privacy laws that have international effect, such as those based on geographical clusters like the European Union; this is based on the assumption that information technology (IT) can service or be serviced by international connections in areas such as immigration, travel, banking, telecommunications, trade and commerce.


SECTION 3: RELEVANT PRIVACY AND DATA REGULATIONS, DIRECTIVES AND LAWS (Continued)

c) Key questions that need to be answered:

• Who is the relevant privacy or data regulator in your country and are there additional guidelines and rules that must be followed?

• What is the definition of consent in your jurisdiction?

• Will the personal data or biometrics be collected from citizens of another country? (which may bring you under the purview of the European Union’s General Data Protection Regulation or other privacy legislation that extends beyond the border)

• Will that data or biometrics be sent outside your country for processing or storage?

• Are there special sub-sectors of your organization that have special rules that govern personal data; for example, personal health records legislation?

• Will the personal data or biometrics be collected from minors or employees? What are the legal requirements about that in your jurisdiction: for example, consent, collection, use and retention of personal data taken from minors or vulnerable people?


SECTION 4: INFORMATION FLOW MAPPING

a) Document and map all personal information flows in order to understand the privacy impact of the proposed new system.

b) The resulting diagram, notes and/or tables should show all significant points where personal information is collected, aggregated or created; how information passes from one major sub-system to another; where it is used and disclosed (and to what third parties it is disclosed, for what purposes and with what restrictions and audit arrangements); where it is archived or destroyed; and where important metadata such as logs are created and protected.
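The flow map described in (b) can be held as data and checked mechanically for the points it must show. The following is an added example, not part of the Biometrics Institute slides: a small flow-map model with a checker that reports third-party disclosures lacking purpose, restrictions or audit arrangements, collected data categories with no archive or destruction point, and sub-systems that handle personal data without protected logs. The node kinds, field names and the sample bank enrolment system are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Node:
    """A point in the map: where personal data is collected, handled, disclosed or ends."""
    name: str
    kind: str                     # collection | subsystem | third_party | archive | destruction
    creates_logs: bool = False    # does this point create logs / metadata?
    logs_protected: bool = False  # are those logs access-controlled?


@dataclass(frozen=True)
class Flow:
    """Personal data moving from one point to another."""
    src: str
    dst: str
    data: frozenset               # categories carried, e.g. {"face_template", "account_id"}
    purpose: str = ""
    restrictions: str = ""        # what the recipient may not do with the data
    audit: str = ""               # audit arrangement covering the disclosure


@dataclass
class FlowMap:
    nodes: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)

    def add_node(self, node):
        self.nodes[node.name] = node

    def add_flow(self, flow):
        # Flows must refer to registered nodes; that is the only structural rule enforced here.
        if flow.src not in self.nodes or flow.dst not in self.nodes:
            raise ValueError(f"flow {flow.src}->{flow.dst} refers to an unknown node")
        self.flows.append(flow)


def check_flow_map(fm):
    """Return findings (strings) where the map does not show what Section 4 requires.
    An empty list means every third-party disclosure states purpose, restrictions and
    audit arrangements, every collected category reaches an archive or destruction
    point, every sub-system handling personal data creates protected logs, and no
    registered node is left out of the flows."""
    findings = []
    for f in fm.flows:
        if fm.nodes[f.dst].kind == "third_party":
            for attr in ("purpose", "restrictions", "audit"):
                if not getattr(f, attr):
                    findings.append(f"disclosure {f.src}->{f.dst} lacks {attr}")
    collected, ended = set(), set()
    for f in fm.flows:
        if fm.nodes[f.src].kind == "collection":
            collected |= f.data
        if fm.nodes[f.dst].kind in ("archive", "destruction"):
            ended |= f.data
    for cat in sorted(collected - ended):
        findings.append(f"{cat} is collected but has no archive/destruction point")
    referenced = {f.src for f in fm.flows} | {f.dst for f in fm.flows}
    for name in sorted(referenced):
        n = fm.nodes[name]
        if n.kind == "subsystem" and not (n.creates_logs and n.logs_protected):
            findings.append(f"{name} handles personal data without protected logs")
    for name in sorted(set(fm.nodes) - referenced):
        findings.append(f"{name} appears in no flow; the map may be incomplete")
    return findings


def sample_map():
    """Constructed example: a bank enrolling customers' faces for account login."""
    fm = FlowMap()
    fm.add_node(Node("branch_kiosk", "collection"))
    fm.add_node(Node("enrolment_service", "subsystem", creates_logs=True, logs_protected=True))
    fm.add_node(Node("template_store", "subsystem", creates_logs=True, logs_protected=False))
    fm.add_node(Node("fraud_bureau", "third_party"))
    fm.add_node(Node("secure_delete", "destruction"))
    fm.add_flow(Flow("branch_kiosk", "enrolment_service",
                     frozenset({"face_image", "name", "account_id"}), purpose="enrolment"))
    fm.add_flow(Flow("enrolment_service", "template_store",
                     frozenset({"face_template", "account_id"}), purpose="authentication"))
    # Disclosure to a third party with a purpose but no restrictions or audit arrangement.
    fm.add_flow(Flow("enrolment_service", "fraud_bureau",
                     frozenset({"name", "account_id"}), purpose="fraud investigation"))
    # Only the template is shown being destroyed; the raw image, name and account_id never end.
    fm.add_flow(Flow("template_store", "secure_delete",
                     frozenset({"face_template"}), purpose="retention expiry"))
    return fm


if __name__ == "__main__":
    for finding in check_flow_map(sample_map()):
        print(finding)
```

Each finding corresponds to a gap the PIA reviewer would otherwise have to spot by eye, such as the raw face image whose destruction after template extraction is not shown.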


SECTION 5: ASSESSMENT AGAINST THE BIOMETRIC INSTITUTE’S PRIVACY GUIDELINE PRINCIPLES

You should document how you propose to meet the Biometric Institute’s Privacy Guideline Principles.

You should also take into account the Institute’s Implementation Guide annexed to those Privacy Guidelines.

In particular, you should especially be able to explain how your PIA proposal covers the following areas that exist in almost all privacy protection regimes around the world:

• Transparency (i.e. a clear indication of how your system will protect personal privacy)

• Individual participation

• Purpose specification

• Data minimization (collect only what is really required)

• Use limitation

• Data quality and integrity

• Security

• Accountability and auditing


SECTION 5: ASSESSMENT AGAINST THE BIOMETRIC INSTITUTE’S PRIVACY GUIDELINES PRINCIPLES

PLEASE DOCUMENT YOUR RESPONSE TO THE FOLLOWING SIXTEEN PRIVACY PRINCIPLES CONTAINED IN THE BIOMETRICS INSTITUTE’S PRIVACY GUIDELINES.

Please note that there may be some Principles where, for reasons related to law enforcement, security or highly confidential psychiatric assessments, you may need to diverge from one or more of the Principles. If so, please document those reasons for divergence so that they are available for future Privacy Audits.



SECTION 5: ASSESSMENT AGAINST THE BIOMETRIC INSTITUTE’S PRIVACY GUIDELINES PRINCIPLES

Principle One: Respect for Individual/Data Subject Privacy

Note: All other principles are guided by the fact that the individual data subject has provided you with a unique and valuable physical attribute of themselves and is entitled to know that you respect that in everything your organization does.

As part of that respect you should be able to show how privacy has been designed into all biometric projects at the earliest possible stage. For example, will senior executives sign off on this PIA and will privacy be a regular item on the agenda of your senior executive meetings?

In order to build respect for privacy in your organization and understand the damage to reputation and trust, you should examine past major privacy failures in your organization or in organisations similar to yours. What have you learned from that?


SECTION 5: ASSESSMENT AGAINST THE BIOMETRIC INSTITUTE’S PRIVACY GUIDELINES PRINCIPLES

Principle Two: Proportionality

When you built your business case for introducing a biometrics system did you consider whether or not that choice could constitute a privacy risk and was that risk proportional to the business benefits of using a biometrics based system?

Have you considered other non-biometrics systems that may be just as effective but carry less risk to privacy? (For example, can school canteens or night clubs using biometrics justify the privacy risks?)

Why did you choose a biometric system and what were the other options, if any?


SECTION 5: ASSESSMENT AGAINST THE BIOMETRIC INSTITUTE’S PRIVACY GUIDELINES PRINCIPLES

Principle Three: Informed Consent

This is a critical issue for the design and performance of any biometrics based system. Informed consent means the individual data subject has a clear understanding about what you will do with his or her personal data. The following questions will assist that process.

a) Why and when is the biometric collected?

b) Who is collecting it?

c) Who else will have access to it?

d) How will it be protected, stored, transmitted and accessed?


SECTION 5: ASSESSMENT AGAINST THE BIOMETRIC INSTITUTE’S PRIVACY GUIDELINES PRINCIPLES

Principle Three: Informed Consent (Continued)

e) What are the time limits on its use and storage?

f) How can an individual data subject know if modifications are made to his or her file (including the biometric) and whether any part is sold on?

g) How can inaccurate/bad quality information and biometrics be updated or corrected?

h) What are the access rules for other authorities such as law enforcement agencies and private organisations working alone or in partnership with public authorities?

i) What are the rules that protect minors where parents or legal guardians are not readily available to make an informed decision?


SECTION 5: ASSESSMENT AGAINST THE BIOMETRIC INSTITUTE’S PRIVACY GUIDELINES PRINCIPLES

Principle Three: Informed Consent (Continued)

j) What rules require how individual data subjects will be informed about key issues such as privacy breaches, the remediation of those privacy breaches and the liabilities that system owners have?

k) How can individual data subjects opt out or have their biometrics deleted?



SECTION 5: ASSESSMENT AGAINST THE BIOMETRIC INSTITUTE’S PRIVACY GUIDELINES PRINCIPLES

Principle Four: Truth and Accuracy in Business Operations

This is important for the biometrics industry, system managers, system purchasers and any others who need to ensure that there are no misleading statements about the products, service and efficacy of the installed biometric system.

a) Have vendors and managers provided accurate and honest information about the biometric system, especially its efficacy, reliability and its effects on privacy protection and potential linkages that may enable the unauthorized identification of an individual data subject?

b) How has this been assessed during the tendering process and the relevant documentation?

c) Have vendors, managers and operators provided accurate and honest information about their capacity to update or remediate their systems to counter new risks and threats? What is the process for updating their systems? How often do you propose to check the updates?


SECTION 5: ASSESSMENT AGAINST THE BIOMETRIC INSTITUTE’S PRIVACY GUIDELINES PRINCIPLES

Principle Five: Protection of Biometric Data Collected

Is there a nominated data controller or equivalent who is accountable for protecting biometric data collected? Has that person made provision for the following?

a) The Privacy Impact Assessment and subsequent Privacy Audits and their frequency

b) Clear privacy policy procedures and policies plus technical controls over unauthorized access, accidental loss or misuse of personal data. Please describe how this has been done.

c) The possibility or the feasibility or desirability of separating the biometric template/samples from the individual data subject’s other identifying information.

d) Documented procedures for reporting and dealing with privacy breaches plus remediation policies and the procedures for compensation in the event of such a breach. Will that be made available to all staff and to individual data subjects?


SECTION 5: ASSESSMENT AGAINST THE BIOMETRIC INSTITUTE’S PRIVACY GUIDELINES PRINCIPLES

Principle Five: Protection of Collected Biometrics Data (Continued)

e) Do the vendors who license biometrics technologies to other organisations provide a plan for implementing the above procedures? Have they nominated a decision maker who will make a documented judgement call in the event of an emergency?

f) What adjudication procedures are in place to settle disputes over data breaches?

g) Who is legally responsible for the effective running of the system?

h) How do you propose to train your staff and any sub-contracted staff to understand their privacy obligations and the procedures that maintain a strong privacy culture?


SECTION 5: ASSESSMENT AGAINST THE BIOMETRIC INSTITUTE’S PRIVACY GUIDELINES PRINCIPLES

Principle Six: Complaints and Enquiries

a) Do your managers of biometric systems have in place both a complaints and enquiry system?

b) Is that system transparent and easy to understand for the individual data subject and is it easy to get redress?

c) Is that system based on a sympathetic view that there is a possibility that there can be procedural and technical faults with the system? What is the wording you use in this regard, especially for the benefit of both staff and the individual data subjects?

d) How do you propose to deal with identity theft or when the individual data subject has his or her information lost, compromised or inaccurately recorded? Do your managers have in place convenient, swift but robust procedures to repair or re-instate that damaged personal data?

e) What is the process for possible compensation and is this made known to individual data subjects?


SECTION 5: ASSESSMENT AGAINST THE BIOMETRIC INSTITUTE’S PRIVACY GUIDELINES PRINCIPLES

Principle Seven: Purpose

Can your managers clearly identify the purpose of the collection or use of biometric data and do they have in place procedures and policies to ensure that the collected personal data (including the biometric) is not used for purposes other than the stated purposes? Outline those policies and procedures; especially identify what documentation will be shown to individual data subjects who have provided their biometric and related personal data.



SECTION 5: ASSESSMENT AGAINST THE BIOMETRIC INSTITUTE’S PRIVACY GUIDELINES PRINCIPLES

Principle Eight: Non-Discrimination

a) Can you ensure that no person will be denied service or access due to their inability to provide a biometric or use a biometric based system? This should include, where possible, exempting persons who cannot use the biometric system for reasons of disability, inability to enroll, conscientious objection or religious beliefs. Describe how you would do this, especially describing any alternative access in real time or at a later date.

b) If system managers cannot provide the above exemptions will you document the reasons? You must provide those generic and specific records for later privacy audit and accountability reasons.


SECTION 5: ASSESSMENT AGAINST THE BIOMETRIC INSTITUTE’S PRIVACY GUIDELINES PRINCIPLES

Principle Nine: Accountability

a) Do you have a trained and trusted officer or designated external consultant who is accountable for the design and management of privacy protection? Who is that person and what are their credentials for this task?

b) In dealing with contractors and external consultants who design, build or operate your biometrics systems, how will you ensure that privacy protections and accountability are designed into the systems and that contracted obligations to protect privacy are in place and are monitored and audited regularly?


SECTION 5: ASSESSMENT AGAINST THE BIOMETRIC INSTITUTE’S PRIVACY GUIDELINES PRINCIPLES

Principle Ten: Sharing of Biometric Data

Will you have in place procedures where all individual data subjects are informed in advance of circumstances where personal data may be shared with other parties whether for law enforcement purposes, fraud investigations or other purposes related to law and order or commerce? Describe those procedures and the wording of any general and specific warnings provided to the individual data subject.



SECTION 5: ASSESSMENT AGAINST THE BIOMETRIC INSTITUTE’S PRIVACY GUIDELINES PRINCIPLES

Principle Eleven: Provision of Advance Warnings of Surveillance

a) Where biometrics are abstracted from or used for surveillance purposes, such as in CCTV monitoring, are there advance warnings that such surveillance may take place, except where law enforcement or border control purposes require secrecy? Show what wording you will use in such a notice and how that notice will be displayed or given.

b) Are there documented protective measures in place to prevent subsequent willful or accidental misuse by persons and organisations (including government agencies) that were not given initial authorization to collect or use that personal data? Describe how you would do that.



SECTION 5: ASSESSMENT AGAINST THE BIOMETRIC INSTITUTE’S PRIVACY GUIDELINES PRINCIPLES

Principle Twelve: Transmission of Biometric Data Beyond National Boundaries

a) If you are transferring personal data, especially biometrics, to another country or jurisdiction will you check that the personal data protection regime in that other country or jurisdiction is equal to or greater than that which prevails in your country? Please describe the key privacy principles that you would compare between the sender and receiver countries.

b) Will you give the individual data subject prior warning (even if generic) that such a transfer may take place?


SECTION 5: ASSESSMENT AGAINST THE BIOMETRIC INSTITUTE’S PRIVACY GUIDELINES PRINCIPLES

Principle Twelve: Transmission of Biometric Data Beyond National Boundaries (Continued)

c) How could you design a system which is not reliant upon the need to transfer personal data between countries except for clearly stated law enforcement or border control purposes?

d) Even where technologies and business cases require cross jurisdictional transfers of personal data how do you ensure that you have ongoing responsibility for that data and any linked data such as financial transactions and ecommerce?

e) How have you factored into your planning such far-reaching privacy laws as the General Data Protection Regulation (GDPR), whose extra-territorial reach protects individual European Union citizens even if you, as a collector or processor of personal data, are outside the EU?


SECTION 5: ASSESSMENT AGAINST THE BIOMETRIC INSTITUTE’S PRIVACY GUIDELINES PRINCIPLES

Principle Thirteen: Employee Biometric Data Must be Protected

a) Wherever you require employees or job applicants to provide their biometrics and personal data, is that data protected in line with the provisions of Principles Five and Nine?

b) What are those protections, including retention policies for ex-employees or unsuccessful applicants? If that biometric data is retained for longer periods you must document those reasons.

c) Where an employee’s biometric data is collected as part of surveillance, are employees notified beforehand that such surveillance can occur and/or is general policy? How do you do this?


SECTION 5: ASSESSMENT AGAINST THE BIOMETRIC INSTITUTE’S PRIVACY GUIDELINES PRINCIPLES

Principle Fourteen: Limit the Extent of Personal Data Exchanged or Retained

a) Describe how you propose to minimize transmission of personal data amongst sub-components of your system. Is there a stop/go permission regime in place or other constraints?

b) Will you ensure that personal data and/or associated biometric data is not retained once its purpose and use has expired, unless there is a legal requirement to retain that data or there is informed consent from the individual data subject? Describe what will happen once that purpose and use has expired.


SECTION 5: ASSESSMENT AGAINST THE BIOMETRIC INSTITUTE’S PRIVACY GUIDELINES PRINCIPLES

Principle Fourteen: Limit the Extent of Personal Data Exchanged and Retained (Continued)

c) Have you examined the feasibility and usefulness of technologies and systems where the biometric is controlled primarily by the individual data subject? If so, describe how that would work.

d) Have you planned to include policies and technologies which allow erasure of personal data and biometrics (sometimes known as the right to be forgotten) which features in the European Union’s General Data Protection Regulation? If so, how would you propose to do this?


SECTION 5: ASSESSMENT AGAINST THE BIOMETRIC INSTITUTE’S PRIVACY GUIDELINES PRINCIPLES

Principle Fifteen: Maintain a Strong Privacy Environment

a) Will this PIA document identify possible privacy risks and threats and be used to ensure there is a strong privacy environment?

b) Will you ensure privacy accountability within your system by doing the following?

• Maintain time dated privacy logs which encompass strong technical controls and can only be accessed by authorized officers using a biometric

• Maintain records of privacy breaches or incidents

• Document procedures for notification of privacy breaches

• Conduct regular reviews of those privacy logs
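The controls listed under (b) lend themselves to an automated review of the privacy log itself. The following is an added example, not part of the Biometrics Institute slides: a review over a constructed JSON-lines privacy log that flags access by anyone other than an authorized officer, access by an authorized officer without biometric authentication, entries dated before their predecessor, and recorded breaches with no notification entry inside an assumed 72-hour window. The officer list, field names, log format and notification window are assumptions made for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed policy values for the example.
AUTHORIZED_OFFICERS = {"privacy_officer", "security_officer"}
NOTIFY_WITHIN = timedelta(hours=72)   # assumed window for notifying a recorded breach

# Constructed sample of a time-dated privacy log (one JSON object per line).
# "auth" records how the officer authenticated to the log store.
SAMPLE_LOG = """\
{"ts": "2019-10-01T09:00:00", "event": "log_access", "actor": "privacy_officer", "auth": "biometric"}
{"ts": "2019-10-01T09:05:00", "event": "log_access", "actor": "helpdesk_jo", "auth": "password"}
{"ts": "2019-10-02T14:30:00", "event": "breach_recorded", "id": "B-1", "actor": "security_officer", "auth": "biometric"}
{"ts": "2019-10-03T08:00:00", "event": "breach_notified", "id": "B-1", "actor": "privacy_officer", "auth": "biometric"}
{"ts": "2019-10-04T10:00:00", "event": "breach_recorded", "id": "B-2", "actor": "security_officer", "auth": "biometric"}
{"ts": "2019-10-03T11:00:00", "event": "log_access", "actor": "privacy_officer", "auth": "password"}
"""


def parse_log(text):
    """Parse JSON lines into dicts with a datetime 'ts'; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            entry = json.loads(line)
            entry["ts"] = datetime.fromisoformat(entry["ts"])
            entries.append(entry)
    return entries


def review_privacy_log(entries, now):
    """Return review findings (strings) for parsed entries, judged as of 'now'."""
    findings = []
    prev_ts = None
    for e in entries:
        # A time-dated log should only grow forward; an entry dated before its
        # predecessor is either a clock problem or an insertion and needs explaining.
        if prev_ts is not None and e["ts"] < prev_ts:
            findings.append(f"entry at {e['ts'].isoformat()} is dated before the preceding entry")
        prev_ts = e["ts"]
        if e["event"] == "log_access":
            if e["actor"] not in AUTHORIZED_OFFICERS:
                findings.append(f"{e['actor']} accessed the privacy log but is not an authorized officer")
            elif e.get("auth") != "biometric":
                findings.append(f"{e['actor']} accessed the privacy log without biometric authentication")
    # Every recorded breach should be followed by a notification entry within the window.
    recorded = {e["id"]: e["ts"] for e in entries if e["event"] == "breach_recorded"}
    notified = {e["id"] for e in entries if e["event"] == "breach_notified"}
    for breach_id, ts in sorted(recorded.items()):
        if breach_id not in notified and now - ts > NOTIFY_WITHIN:
            findings.append(f"breach {breach_id} recorded {ts.isoformat()} has no notification entry within {NOTIFY_WITHIN}")
    return findings


def review_sample(now=datetime(2019, 10, 8, 9, 0, 0)):
    """Run the review over the constructed log as of a fixed review date."""
    return review_privacy_log(parse_log(SAMPLE_LOG), now)


if __name__ == "__main__":
    for finding in review_sample():
        print(finding)
```

The review date is a parameter so the same log can be re-run at each scheduled review, which is what "conduct regular reviews of those privacy logs" asks for.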


SECTION 5: ASSESSMENT AGAINST THE BIOMETRIC INSTITUTE’S PRIVACY GUIDELINES PRINCIPLES

Principle Fifteen: Maintain a Strong Privacy Environment (Continued)

c) Will you conduct regular Privacy Audits with the assistance of independent privacy experts in order to assess this PIA’s contribution to a strong privacy environment? Ensure that those audits are readily available.

d) When was your last Privacy Audit and has it been made available during this PIA?

e) Do you have documented procedures in place to repair or re-instate personal data, including biometrics, that have been damaged or stolen, and how do you propose to assist individual data subjects who have experienced identity theft or loss? Do your staff have instructions to be sympathetic and able and willing to resolve those problems in a speedy manner? If so, please produce those instructions. Do you have documented examples of such cases of loss, theft and restitution?


SECTION 5: ASSESSMENT AGAINST THE BIOMETRIC INSTITUTE’S PRIVACY GUIDELINES PRINCIPLES

Principle Sixteen: Individual Participation/Data Subject Access

a) In your planned system, do the individual data subjects have access to their own data and do they have the right to have it corrected if there is an error or the data has been degraded? For example, an error may be a biometric sample that has been associated with the wrong name.

b) Do you need to factor in the OECD principles and the EU’s General Data Protection Regulation, where individual data subjects have the right to the following?

• To obtain from a data controller, or otherwise, confirmation of whether or not the data controller has information about him or her

• To have communicated to him or her their personal data within a reasonable time and at a reasonable cost

• To be given reasons if that request is denied and have the right to challenge that denial

• To challenge the data relating to him or her and, if the challenge is successful, to have the data erased, rectified, completed or amended

• To have guaranteed that personal data should be designed to allow portability so that individual data subjects can receive their data in commonly used but secure formats for transmission to another controller in another organization.


SECTION 6: RECOMMENDATIONS

An independent PIA will typically make recommendations for improving privacy measures. Once completed, the PIA and any recommendations should be included in subsequent audit reports or in applications for trust marks or other reputational certification.



SECTION 7: DEFINITIONS

In this section, the Biometrics Institute has provided definitions that, as far as possible, have similar meanings around the world. Some jurisdictions may find some of the definitions unfamiliar, and technical persons may want to refine terms, but the benefits of attempting some uniformity are obvious.

A further useful reference guide for terminology is ISO/IEC 2382-37:2012, Information technology - Vocabulary - Part 37: Biometrics. Note that international standards change slowly.

GLOSSARY

Biometrics, Biometrics System

Means the automated recognition of individuals based on their biological and behavioural characteristics.

CCTV

Closed Circuit Television

Client/Owner/Manager/Controller

A person or entity buying or commissioning a biometric system or service. Note that "client" is sometimes also used to describe an end user (individual data subject).


Contractor

An entity or person who is engaged to conduct services or work on behalf of a major client.

Customer

A person or entity buying and using a biometric system

End User/Individual Data Subject

A person providing and using their own biometric; sometimes called a client when referring to an individual, sometimes called a biometric donor.


Manager, Data Controller

Those who manage the planning, implementation and ongoing decisions about a biometrics system. "Data Controller" is more often used to describe a person who has significant privacy and data compliance responsibilities.

Minor

A person under the legal age of being able to exercise independent adult responsibility.

Decommission

To take out of service; in this case, a biometric system.

Privacy Audit

An analysis by an independent third party of a project or entity’s privacy environment, covering such critical issues as technical and procedural privacy protection, privacy awareness programs, threats and risks, and incident reporting.

Privacy Impact Assessment

A pre-implementation assessment of the impact on privacy of a planned change in business activity, for example the introduction of a biometrics system.


Privacy Logs

Auditable logs (documentation) of those who have had access to personal databases and the reasons for that access. The logs should also contain records of privacy breaches or incidents and the action taken to investigate and report them; the report should include any conclusions reached plus any systemic improvements that arise from the investigations. Strict access controls should apply to the Privacy Logs themselves, including use of the accessing person’s biometric and a clear corporate decision about who may access the logs.
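The following is an added example, not part of the Biometrics Institute deck, of what a Privacy Log as defined above can look like in code: each record of database access carries who, which database and a mandatory reason, incident records carry the investigation, conclusion and improvement, and the records are hash-chained so that an auditor can detect alteration, deletion or reordering. The class name, field names and sample entries are this example's own assumptions; access control to the log itself (including the biometric check named in the definition) is left to the deployment.

```python
import hashlib
import json
import time

GENESIS = "0" * 64  # prev-hash of the first record


class PrivacyLog:
    """Append-only, hash-chained log of accesses to personal databases and of privacy incidents."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(record):  # hash of every field except the stored hash itself
        body = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, kind, payload):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "kind": kind, "prev": prev, "at": time.time(), **payload}
        record["hash"] = self._digest(record)
        self.entries.append(record)
        return record["hash"]

    def record_access(self, who, database, reason):
        if not reason.strip():  # the definition makes the reason for access mandatory
            raise ValueError("a reason for access is mandatory")
        return self._append("access", {"who": who, "database": database, "reason": reason})

    def record_incident(self, summary, action_taken, conclusion="", improvement=""):
        return self._append("incident", dict(summary=summary, action_taken=action_taken,
                                             conclusion=conclusion, improvement=improvement))

    def verify(self):
        """True only if no record has been altered, removed or reordered."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            if rec["seq"] != i or rec["prev"] != prev or self._digest(rec) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def build_sample_log():
    """Constructed sample data (not real events): two accesses and one incident."""
    log = PrivacyLog()
    log.record_access("analyst.a", "enrolment_templates", "template quality review")
    log.record_access("dba.b", "enrolment_templates", "scheduled backup integrity check")
    log.record_incident("unauthorised export attempt blocked", "accounts suspended; export job reviewed",
                        "misconfigured service account; no data left the network",
                        "service accounts moved to a least-privilege role")
    return log
```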

Production Environment

Live use of an IT based system as opposed to a separated test or pilot site.

Biometric Data Subject

An individual whose unique biometric data is in the system.

Vendor or Supplier

A seller of services or products.



SECTION 8: FURTHER READING

Biometrics Institute’s Biometrics Privacy Guidelines, Implementation Plan and Privacy Check List www.biometricsinstitute.org

OECD Privacy Principles http://oecdprivacy.org

European Union General Data Protection Regulation (GDPR) www.eugdpr.org

The ISO standards related to biometrics can be found at www.iso.org

Publications of the Office of the Australian Information Commissioner at www.oaic.gov.au including advice about PIAs, the Privacy Act and Notifiable Data Breaches.

Disclaimer: Use of this publication without permission is prohibited. This publication is a suggestion only, and the Biometrics Institute and its agents cannot be liable for your implementation of that advice.