Singapore data protection agency outlines responsible biometric security uses
The Singaporean Personal Data Protection Commission (PDPC) has published a guideline for the responsible use of biometric data in security applications by residences, building owners, and security companies to protect the data of individuals.
The PDPC is the personal data protection agency of Singapore, and enforces the country’s Personal Data Protection Act (PDPA). The growth in the use of biometric commercial security options integrated with security cameras and closed-circuit TVs for security monitoring with facial recognition, and fingerprint security systems led the PDPC to issue recommendations for the responsible use and safeguarding of biometric data.
After explaining the fundamentals of biometrics, the PDPC guide names unique risks to biometric technology with recommendations for addressing vulnerabilities. For identity spoofing, it suggests anti-spoofing measures like liveness detection, locating facial recognition access control points near a human security guard to deter against spoofing attempts, and ensuring end-to-end system integrity with encryption of data-at-rest and data-in-transit. To minimize error in identification events like false negatives, organizations are urged to set a “reasonable” matching threshold for how their use cases are affected by false positives or false negatives based on industry standards, and supplementing biometric data with other identification measures like access cards. Encryption is advised for all biometric templates to prevent systemic risks like data breaches.
For the governance and protection of biometric data across a lifecycle of collection, processing, storage, and disposal, the PDPC suggests: consent from individuals unless there is an exception, processing biometric samples to biometric templates as soon as possible and only using the biometric template for matching, carrying out matching processes for biometric templates in temporary storage, and only storing biometric templates and disposing the biometric sample as soon as possible. For effective storage, it lists off enforcing safeguards like encryption of templates and samples, introducing a cryptographic salt when encrypting, a strong key management system to protect encryption and decryption keys, and access control measures and logs to prevent unauthorized access. When the biometric data needs to be disposed, the PDPC says corresponding entries should be permanently deleted from the system; and if a system is decommissioned, permanently destroy the data with methods like physical destruction of hard drives.
In a section covering the PDPA’s obligations for the collection, use, and disclosure of biometric data, it lays out when an individual grants consent, creating consent with security monitoring with public disclosures of recording, and what entails legitimate interests for security and business improvement. The law requires organizations storing biometric data to provide access to the samples upon request from the individual in a “reasonable” time frame unless it falls under certain prohibitions, and allow a request for corrections of errors or omissions in their personal data. The PDPC endorses a Data Protection Management Programme to set out an organization’s management policies, application of processes and practices, and roles and responsibilities of staff in the handling of biometric data to maintain accountability and internal governance.