Simprints Director lays out guidance for responsible biometrics deployment
British biometric nonprofit Simprints outlined its ideas for responsible biometric deployment in a webinar, establishing a guide for organizations to successfully integrate biometrics with minimal friction.
At a talk titled ‘How do we deploy technology responsibly,’ James Eaton-Lee, the director of privacy, responsible data, and risk at Simprints, unravelled the nonprofit’s view of what responsible use of biometrics entails. He listed principled approaches like “do no harm,” rights-based approaches, and safe programming, along with adherence to national legislation and other good practices and technical standards such as those from NIST.
Simprints partners with a variety of groups in Africa to offer its biometric technology, primarily in healthcare, including vaccination programs.
For other organizations, Eaton-Lee lays out a blueprint for how they could responsibly use biometric technology. He recommends they start by ensuring they have the right methodology for privacy-by-design principles, looking through design, processes, skills, and capacity. He goes through the importance of an approach that emphasizes prediction, anticipation, and planning over purely compliance or prevention approaches.
“It’s very unlikely that your organization will achieve any objective that’s safety-critical without a method for embedding some of these things into your work and documenting how you do it that spans planning, delivery, as well as sunset and produces a living, written output that captures your decisions, risk assessment, the steps you’re taking, and how you consulted your stakeholder.”
From there, he says it involves considering funding, a documented approach, and a risk management approach to build processes, capacity, and funding for safety by design.
Once an organization has worked out its approach and documentation, he says the next step is to find out how to match the intervention to technology, in a process he calls problem identification. Questions to ask here revolve around ensuring that biometrics are a good fit for the problem, such as whether re-identification is needed; how important it is to identify the right person; how socially acceptable the biometric is; and whether the organization has the money, time and capacity to make it work.
Eaton-Lee says some partners do not have a clear sense of what biometrics can do or the benefits. “They’re a really powerful technology, but equally, many of you have experiences with biometrics in the context in which they haven’t been implemented successfully,” which means an organization must assess the value of identification and whether it will be worth the price.
Once problem identification is complete, he says the next step is selecting the right product and right partner or supplier for the business requirement. Knowing the most appropriate modality is key as they have different levels of maturity and use-cases, Eaton-Lee says, as there are critical differences between using biometrics for identification and verification. Other questions to ask include whether the biometrics have to be integrated into other systems or if the organization has any need for backend data analysis or broader support and capacity building.
Then the organization has to consider its legal duties around data, such as funding, designing, building, integration, maintenance, staff, rights and breaches, analysis, and destruction of the infrastructure surrounding it. He urges clarity about roles and double-checking whether this is doable in the first place.
Eaton-Lee then summarizes the GDPR and the roles it sets for stakeholders. He says individuals do not really own all their data under GDPR, and if the organization works with vulnerable communities and groups, there may be data that is “legal to share publicly, but could still put people at risk.” To prevent these problems, he urges having access to the right legal templates and tools for sharing data like ‘Controllers in Common’ to get stakeholder responsibilities right.
There is also the importance of understanding the context behind the biometric technology, he says, like the civil society perspective, vulnerability of the community, civil understanding and transparency. This should be assessed early on to form the basis of operational considerations like modalities and technical choices like privacy tools and encryption, he adds.
To manage the data, he says to consider the trust, controls, security, safety, and compliance on where you store the data, whether it is user-held, locally hosted, or cloud. While he says an organization should embrace the cloud if it works, data storage should be matched to use-case. Eaton-Lee cautions about inflexibility, and says to be very clear about who does what. There are tricky problems with the cloud, he says, as “Africa has been badly served by cloud points of presence.”
With consideration for people whose data is being collected, Eaton-Lee says it is vital to offer choice when possible and inform them about the purpose of data collection, who you are working with, and long-term uses of their data.
“Without a meaningful social settlement, a mix of consolation information and choice, your implementation is unlikely to be successful,” he says. If you do not offer agency, dignity, and intervention, he says the alternative may be angry or disengaged participants. What Simprints offers is an ongoing conversation with its participants from real-time analytics to reassess their process, rather than a transactional model, for example.
The methods of collecting data responsibly, he says, should at least have a means of embedding fairness and equality which produces a living output. This could include documenting the design where data goes, revealing what happens at the end of the project, conducting a legal and ethical analysis, and creating a privacy impact assessment.
Eaton-Lee also endorses having security requirements, though the GDPR is vague on such implementation. In general, he says the organization should be asking whether they have an information security management system, if they embed security by design programmatically, and anticipate threats.
On threats, he urges having threat models, getting vendor due diligence right (elements like shareable vendor policies, secure development lifecycle, risk assessment materials, and independent accreditation like ISO), and using cryptographic techniques and privacy-preserving technology. He says it is especially important to ask vendors questions.
And to protect biometric data, Eaton-Lee lays out ideas like tokenization and template protection, homomorphic and conventional encryption, and different modes of storing data such as distributed or user-controlled storage.
As the final point, Eaton-Lee delves into the problem of digital borders. The GDPR imposes some restrictions on the movement of personal data outside Europe, as do other countries with their own laws, and he says this creates administrative headaches, while keeping data within borders also produces risk. It is possible to avoid this by minimizing collected data, having curiosity and forethought, and asking what you need to collect. Also, select a vendor who can help make the right decision and write up a risk assessment document early, he says. For large primes, institutional donors or institutional funders, this is a policy that needs careful consideration, he concludes. This is crucial for non-governmental organizations as they often face problems with data seizure, he says.
The webinar is based on a presentation by Simprints during a late-2021 ID4Africa livecast.