Biometric data protection policy guidance in Quebec, update in Vermont and warning in Lithuania

A new guide to implementing biometrics in compliance with Quebec’s data protection laws has been published by the Commission on Access to Information, which is responsible for implementing the Canadian province’s data protection policies.

The ‘Biometrics: Principles to be Respected and Legal Obligations of Organizations’ guide is accompanied by an updated declaration form to submit for approval of any new biometric database. The form must be completed, filed with and approved by the Commission before a new biometric system is implemented.

The 23-page Guide is intended to make public sector organizations and businesses aware of their responsibilities for protecting biometric data, and to support the compliant establishment of biometric systems, the Commission says.

The document defines biometrics, including behavioral biometrics, reviews applicable legislation, and reviews the obligations of implementing parties before and during biometrics use, including providing access to and opportunity for correction of records.

Vermont extends data protection law to biometrics

Amendments to Vermont’s Security Breach Notice Act defining biometric data as personally identifiable information (PII) have come into effect, Blank Rome Attorney David Oberly writes for cybersecurity publication The Daily Swig.

Data breaches covered under the act require businesses to notify the state’s Attorney General and publicly post a breach notice to the AG’s website. In addition to biometrics, the new definition of PII also includes genetic information and a wider range of government credentials and health data.

Vermont joins Arkansas, California, the District of Columbia, New York, and Washington in amending breach notification laws to include biometric data, according to The Swig, while CCPA and New York’s Shield Act also define biometrics as personal data.

Sports teams in Lithuania warned

Lithuania’s State Data Protection Inspectorate (VDAI) has cautioned sports clubs that their use of biometrics for access control without performing a data protection impact assessment violates the EU’s General Data Protection Rule (GDPR).

Three different teams were discovered by inspectors to be using fingerprint biometrics to provide physical access control for employees and customers. Employees, however, cannot freely consent to the use of their biometrics, according to the VDAI, due to an imbalance of power with their employer.

The VDAI has instructed them to suspend the policy for customers until an assessment is completed and compliance with all GDPR requirements is ensured, and to stop taking employee biometrics altogether. The organizations are also instructed to make sure all necessary technical and policy security measures are in place.

Data security measures for the processing of biometric data must include clear and detailed definitions of the organization’s policies, employee responsibilities and roles, and information security management measures. Hardware, software and network equipment must be inventoried, basic procedures for data breaches established, and the organizations must ensure that employees are able to handle the data confidentially.

The clubs can use the biometric data of customers who clearly and freely consent, after completing the reviews ordered by the VDAI.
