Red Cross sees benefits and risk in biometrics use for humanitarian operations
Biometrics use in humanitarian contexts should always be accompanied by data protection impact assessments and other safeguards, The International Committee of the Red Cross says in a new handbook.
The 312-page second edition “Handbook on Data Protection in Humanitarian Action” dedicates one of its 16 chapters to biometrics, and another to digital identity.
The ICRC has previously suggested that biometrics are the greatest challenge to data controls in humanitarian efforts, and established a new policy for handling the sensitive data late in 2019. Other chapters cover specific technologies like big data, drones, and social media.
The handbook was launched during a 12-hour virtual event, Yale Daily News reports, with more than 1,000 people in attendance. The handbook’s authors include employees of humanitarian organizations, data protection authorities, privacy advocates and academics.
The handbook refers to the Resolution on Biometrics adopted by the International Conference of Privacy and Data Protection Commissioners in Montreux, Switzerland in 2005 as a recognition of the data protection implications of biometric data, particularly in passports, identity cards and travel documents. In humanitarian settings, biometrics can enable identification and dignity by confirming the identity of people with no other means of proving who they are. The promise of the technology, however, is not always realized in the field, according to the handbook.
Humanitarian organizations should be sensitive to ethical issues related to national identification systems in certain countries, aware of the possibility of being pressured to hand over biometric data to law enforcement or national security authorities, and take precautions to defend against hackers seeking to steal potentially valuable sensitive personal information.
The handbook identifies nine benefits of biometric technology that are possible, including accuracy, fraud and corruption reduction, increased credibility and efficiency, “putting individual identity and dignity at the heart of Humanitarian Action,” and enabling financial inclusion. Six risks of biometrics use are also pointed out, however, including the risk of false matches, inherent technical difficulties, cultural sensitivities, mission creep, and pressure from various parties to turn over data.
The application of basic data protection principles is discussed, including the legal basis for processing biometric data. Purpose limitation, data minimization, and data retention issues are also explored.
ICRC considers the rights of data subjects, and what constitutes acceptable conditions for sharing biometric data with third parties, such as for processing. International data sharing and the relationship between data controllers and data processors are among the possible complicating factors.
Data protection impact assessments (DPIAs) are noted as important tools that should be implemented whenever humanitarian organizations set out to process biometric information, according to the handbook.
A separate chapter on digital identity categorizes identity as functional, foundational, or conceptual, and sets out a path for humanitarian organizations to implement systems for authentication, identification and verification. Important questions to ask when considering whether to implement a digital identity system are provided, along with possible scenarios for the use of digital ID. This section also refers to biometrics several times, in reference to systems like Aadhaar, establishing digital identity as foundational, legal identity, and again, the relationship between data processors and controllers.
The ICRC also notes ID2020’s advocacy for individuals to control their own digital identities and personal data.