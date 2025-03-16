Further reading – ICO guidance What is personal data?

Further reading – European Data Protection Board (EDPB) The EDPB, which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR. EDPB guidelines are no longer directly relevant to the UK regime and are not binding under it. However, they may still provide helpful guidance on certain issues. The EDPB has not yet adopted guidelines on genetic data, but you may find it useful to read the 2004 WP29 working document on genetic data (WP91) and WP29 Opinion 6/2000 on the Genome issue (WP35).

What is biometric data?

Article 9(1) includes in the list of special categories of data:

“biometric data for the purpose of uniquely identifying a natural person”.

The UK GDPR defines biometric data in Article 4(14):

“‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”.

The term ‘dactyloscopic data’ means fingerprint data.

Example A gym introduces an electronic fingerprint scanning system. Members scan their fingerprint in order to get through the entrance turnstiles. This system is processing biometric data to identify individual members, so the gym needs a valid condition for processing that special category data.

Example A school introduces an electronic fingerprint scanning system to charge students for their school meals. This system is processing biometric data to identify the individual students, so the school needs a valid condition for processing that special category data.

Facial images and fingerprint data are the two examples given in the definition, but the list is not exhaustive. Many other types of physical, physiological or behavioural ‘fingerprinting’ fall within the definition.

Examples of physical or physiological biometric identification techniques:

facial recognition;

fingerprint verification;

iris scanning;

retinal analysis;

voice recognition; and

ear shape recognition.

Examples of behavioural biometric identification techniques:

keystroke analysis;

handwritten signature analysis;

gait analysis; and

gaze analysis (eye tracking).

If you process digital photographs of individuals, this is not automatically biometric data, even if you use the photographs for identification purposes. Although a digital image may allow for identification using physical characteristics, it only becomes biometric data if you carry out “specific technical processing”. Usually this involves using the image data to create an individual digital template or profile, which you then use for automated image matching and identification. A photograph that is merely stored, displayed or compared by eye does not meet this threshold; the same photograph run through a face-recognition pipeline that extracts and matches a template does.

All biometric data is personal data, as it relates to an identified or identifiable individual. Biometric data is also special category data whenever you process it “for the purpose of uniquely identifying a natural person”. In practice this means that biometric data will be special category data in most cases.

If you use biometric data to learn something about an individual, authenticate their identity, control their access, make a decision about them, or treat them differently in any way, it is likely that this is processing for the purpose of uniquely identifying that individual. It will therefore involve processing special category data, and you must comply with Article 9.

If you believe you have a specific use case where you are processing biometric data for one of the purposes outlined above but not for the purpose of uniquely identifying a natural person, such that you are not processing special category data, you should document your organisation’s rationale, together with a risk-based analysis and the evidence for this decision, in your DPIA. In doing so you should be able to clearly demonstrate how you comply with applicable data protection law and why your processing should not be regarded as being for the purpose of unique identification. If you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing.