FB pixel

Singapore data protection agency outlines responsible biometric security uses

Singapore data protection agency outlines responsible biometric security uses

The Singaporean Personal Data Protection Commission (PDPC) has published a guideline for the responsible use of biometric data in security applications by residences, building owners, and security companies to protect the data of individuals.

The PDPC is the personal data protection agency of Singapore, and enforces the country’s Personal Data Protection Act (PDPA). The growth in the use of biometric commercial security options integrated with security cameras and closed-circuit TVs for security monitoring with facial recognition, and fingerprint security systems led the PDPC to issue recommendations for the responsible use and safeguarding of biometric data.

After explaining the fundamentals of biometrics, the PDPC guide names unique risks to biometric technology with recommendations for addressing vulnerabilities. For identity spoofing, it suggests anti-spoofing measures like liveness detection, locating facial recognition access control points near a human security guard to deter against spoofing attempts, and ensuring end-to-end system integrity with encryption of data-at-rest and data-in-transit. To minimize error in identification events like false negatives, organizations are urged to set a “reasonable” matching threshold for how their use cases are affected by false positives or false negatives based on industry standards, and supplementing biometric data with other identification measures like access cards. Encryption is advised for all biometric templates to prevent systemic risks like data breaches.

For the governance and protection of biometric data across a lifecycle of collection, processing, storage, and disposal, the PDPC suggests: consent from individuals unless there is an exception, processing biometric samples to biometric templates as soon as possible and only using the biometric template for matching, carrying out matching processes for biometric templates in temporary storage, and only storing biometric templates and disposing the biometric sample as soon as possible. For effective storage, it lists off enforcing safeguards like encryption of templates and samples, introducing a cryptographic salt when encrypting, a strong key management system to protect encryption and decryption keys, and access control measures and logs to prevent unauthorized access. When the biometric data needs to be disposed, the PDPC says corresponding entries should be permanently deleted from the system; and if a system is decommissioned, permanently destroy the data with methods like physical destruction of hard drives.

In a section covering the PDPA’s obligations for the collection, use, and disclosure of biometric data, it lays out when an individual grants consent, creating consent with security monitoring with public disclosures of recording, and what entails legitimate interests for security and business improvement. The law requires organizations storing biometric data to provide access to the samples upon request from the individual in a “reasonable” time frame unless it falls under certain prohibitions, and allow a request for corrections of errors or omissions in their personal data. The PDPC endorses a Data Protection Management Programme to set out an organization’s management policies, application of processes and practices, and roles and responsibilities of staff in the handling of biometric data to maintain accountability and internal governance.

Similar national-level guidelines on biometrics include Vietnam and the UK’s template for data protection impact from surveillance cameras and biometrics.

Article Topics

 |   |   |   |   |   |   |   | 

Latest Biometrics News


New FaceTec CLO among avalanche of appointments in biometrics and fraud protection

New executives have been named by biometrics providers FaceTec, Pindrop and Fingerprint Cards, along with C-level appointments by Prove and…


Indonesia issues call for World Bank-backed digital identification project

Indonesia is looking for a company providing consulting services as a part of its upcoming digital transformation project backed by…


Affinidi data sharing framework leverages privacy-preserving open standards

Affinidi, a company specializing in data and identity management, unveiled the Affinidi Iota framework at the WeAreDevelopers World Congress. This…


Sri Lanka set for January biometric passport launch, plans airport upgrades

Sri Lanka is preparing to begin issuing biometric passports with electronic chips embedded as of January, 2025, according to a…


Vending machines with biometric age verification roll out in Germany, US

Vending machines are growing in popularity as a way to sell age-restricted products around the world, with Diebold Nixdorf algorithms…


San Francisco police hit with lawsuit over facial recognition use

In 2019, San Francisco became the first city in the U.S. to ban facial recognition technology, forcing the police and…


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events