Risks, data privacy fears as Spain pilots biometric patient ID system in two cities

A report has flagged risks and data privacy issues with a new biometric patient identification system which Spain is implementing in two autonomous cities, Ceuta and Melilla.

The contract for the project was awarded in 2021 to Dedalus and Facephi to set up an AI-powered system for the identification of at least 170,000 patients using facial recognition technology.

In an investigative report, public interest journalism outlet, Civio, finds that the system has been operational in some primary care clinics in the two cities since November last year, but it is still being piloted in major hospitals.

Civio mentions that it found the risks and data management gaps after obtaining and reviewing the data protection impact assessment (DPIA) of the project.

The report by Civio, which is part of its series on Algorithms, describes the facial recognition system provided by the health service for Ceuta and Melilla (INGESA) as having a very high initial risk.

The review of the DPIA also finds inconsistencies and insufficient data protection guarantees which fall short of international standards. INGESA is also blamed for lack of transparency in its communication about the exact purpose and implementation timeline of the project. The outlet says INGESA didn’t respond to its request for comment.

Other concerns with the system, according to Civio, include the lack of a clear mechanism to get patient consent, the potential for bias and exclusion by the system based on race and gender, and issues of biometric data security which has seen breaches in the health sector in the past.

These concerns have led human rights advocates to fear a pushback from patients the system is intended to serve.

To allay these fears of the population, INGESA has been advised to allow for the use of alternative identification methods such as health cards and passports, properly justify the use and proportionality of the system, and give assurances that the system will not be eventually used for surveillance or as a tool for intrusion into patients’ privacy.

Face biometrics has been hailed as the future of patient identification in health care around the world, but there have also been concerns about risks related to data privacy.

In Spain, the country’s Data Protection Agency (AEPD) has been concerned about facial recognition deployments without proper data protection safeguards. In 2023, for instance, the body fined organizers of the Mobile World Congress 200,000 Euros (about US$220,000) for installing a facial recognition system without prior data protection impact assessment.

The body, early this year, also asked for DPIA details from some football clubs implementing stadium biometrics projects.

Article Topics

biometric identification  |  biometrics  |  data privacy  |  facial recognition  |  patient identification  |  Spain