Canada privacy commissioner wants feedback on new biometric data processing guidelines

The Office of the Privacy Commissioner of Canada (OPC) is seeking help with some biometric housekeeping as it rolls out new guidelines on how to responsibly handle and process biometric information. In a formal announcement, the OPC put out a call for feedback on the draft documents from stakeholders in the biometrics sector, in a move to bring its published guidelines in line with the contemporary realities of cybersecurity, fraud and digital ID.

Commissioner Philippe Dufresne says the existing guidelines, published in 2011, are out of date. “From police use of facial recognition technology to a telecommunications company (Rogers Inc.) that did not obtain consent for its voiceprint authentication program, the use of biometrics is surfacing more frequently in our investigative work,” says Dufresne. He lists facial recognition, voice recognition and other biometric systems as examples of technology that have grown beyond the scope of the old guidelines. “This field is growing at a rapid pace and we recognize the need for guidance to help organizations ensure that they use these technologies in a privacy-protective way. This is why we are now reaching out to stakeholders, including the public, for input.”

Two draft documents, one covering private-sector privacy risks under the Personal Information Protection and Electronic Documents Act (PIPEDA) and the other addressing the Privacy Act governing federal institutions, are available for download on the OPC’s website. Feedback is due by January 12, 2024. Broadly, the draft guidelines cover issues including using biometrics for an appropriate purpose, obtaining the necessary consents and abstaining from “profiling or categorization that leads to unfair, unethical, or discriminatory treatment contrary to human rights law.”

They come with “Musts” (must use authentication before ID, must delete biometric information on request) and “Shoulds” (should seek to keep the template in the individual’s control, should use active versus passive biometrics). The draft guidance for federal institutions makes specific mention of the case of the RCMP using a system provided by Clearview AI for facial recognition, which it says constituted a breach of the Privacy Act . “We determined that the company’s online scraping of images and creation of biometric facial recognition arrays from them represented mass identification and surveillance of individuals,” it says.

More information on the call for consultation is available here.

Article Topics

best practices  |  biometric data  |  biometrics  |  Canada  |  data privacy  |  regulation