Biometric data protection policy guidance in Quebec, update in Vermont and warning in Lithuania
A new guide to implementing biometrics in compliance with Quebec’s data protection laws has been published by the Commission on Access to Information, which is responsible for implementing the Canadian province’s data protection policies.
The ‘Biometrics: Principles to be Respected and Legal Obligations of Organizations’ guide is accompanied by an updated declaration form to submit for approval of any new biometric database. The form must be completed, filed with and approved by the Commission before a new biometric system is implemented.
The 23-page Guide is intended to make public sector organizations and businesses aware of their responsibilities for protecting biometric data, and to support the compliant establishment of biometric systems, the Commission says.
The document defines biometrics, including behavioral biometrics, reviews applicable legislation, and reviews the obligations of implementing parties before and during biometrics use, including providing access to and opportunity for correction of records.
Vermont extends data protection law to biometrics
Amendments to Vermont’s Security Breach Notice Act defining biometric data as personally identifiable information (PII) have come into effect, Blank Rome Attorney David Oberly writes for cybersecurity publication The Daily Swig.
Data breaches covered under the act require businesses to notify the state’s Attorney General and publicly post a breach notice to the AG’s website. In addition to biometrics, the new definition of PII also includes genetic information and a wider range of government credentials and health data.
Vermont joins Arkansas, California, the District of Columbia, New York, and Washington in amending breach notification laws to include biometric data, according to The Swig, while the CCPA and New York’s SHIELD Act also define biometrics as personal data.
Sports teams in Lithuania warned
Lithuania’s State Data Protection Inspectorate (VDAI) has cautioned sports clubs that their use of biometrics for access control without performing a data protection impact assessment violates the EU’s General Data Protection Regulation (GDPR).
Three different teams were discovered by inspectors to be using fingerprint biometrics to provide physical access control for employees and customers. Employees, however, cannot freely consent to the use of their biometrics, according to the VDAI, due to an imbalance of power with their employer.
The VDAI has instructed them to suspend the policy for customers until an assessment is completed and compliance with all GDPR requirements is ensured, and to stop taking employee biometrics altogether. The organizations are also instructed to make sure all necessary technical and policy security measures are in place.
Data security measures for the processing of biometric data must include clear and detailed definitions of the organization’s policies, employee responsibilities and roles, and information security management measures. Hardware, software and network equipment must be inventoried, basic procedures for data breaches established, and the organizations must ensure that employees are able to handle the data confidentially.
The clubs can use the biometric data of customers who clearly and freely consent, after completing the reviews ordered by the VDAI.