The Privacy Commissioner of Canada has issued new guidance on protecting privacy in biometric initiatives, for both public and private entities. A news release says the publications are prompted by the growing number of organizations using biometric technologies such as facial recognition and fingerprint scanning to verify identity and provide services.

The guidance, which follows a public consultation by the Office of the Privacy Commissioner of Canada (OPC), “addresses key considerations for organizations when planning and implementing initiatives involving biometric technology.” It encompasses advice on purpose and proportionality in collecting biometric data, and clarifies consent requirements for biometric initiatives, as well as “considerations around transparency, safeguarding data, and accuracy, including testing for biometric systems.”

Following the approval of a national standard for age verification and age estimation, the move is another significant regulatory step for Canada, which has in recent years seen bits of legislation related to digital ID fizzle in an unstable political environment. These guidelines date back to draft versions that were shared for public consultation between November 2023 and February 2024.

Per the release, the OPC received 34 written submissions and met with 31 organizations to discuss stakeholders’ views on the guidance. They included representatives from academia, civil society, business, legal associations, public institutions, and individual members of the public.

Key changes clarify language, add ‘nuance and specificity’

Key changes emerged from the consultation and are now reflected in the adopted guidelines for the private sector and the guidelines for federal institutions.

There is new clarity in terminology, including the definition of sensitive information. The guidance is more closely aligned with legal requirements. “Additional nuance and specificity” have been added to discussions of technical explanations, requirements and best practices. There is fresh guidance on consent and criteria for assessing appropriate purposes for the private sector. And there is “added emphasis on lawful authority and re-organized guidance on impact and risk assessment for the public sector.”

The two documents’ tables of contents differ somewhat, with the aforementioned emphasis on lawful authority for collection, use, and disclosure headlining the guidelines for federal institutions.

Regardless, the overarching themes are the same. Make sure you really need to collect biometrics and have a good reason to do so. Be clear and specific about consent and potential privacy impacts. Understand the sensitivity of biometric data, and act accordingly.

“Organizations need to approach the use of biometric information in a privacy-protective way, building privacy considerations at the beginning of any new program or initiative,” says Privacy Commissioner of Canada Philippe Dufresne. “Prioritizing privacy in this way supports innovation and helps create conditions for a more secure and enriching digital society.”

To help navigate the guidance, the OPC has also published “biometrics quick tips” for both businesses and government entities.

Once again, businesses are advised to focus on appropriate purpose, consent, safeguards, and limitations in collection and use. “Use biometric systems that are designed to be privacy-protective, and implement safeguarding measures that are appropriate to the sensitivity of the information.”

Federal institutions must take a more formalized approach, laying the groundwork for biometrics implementations with legal authority and a privacy impact assessment.

