Biometric recognition, or biometrics, refers to the automatic identification of a person based on his or her anatomical or behavioral characteristics or traits.1 Anatomical data is created from the physical characteristics of a person, including a fingerprint, an iris, a retina, a face, an outline of a hand, an ear shape, a voice pattern, DNA, and body odor. Behavioral data includes handwriting and keystroke analysis.2
Advances in technology have vastly increased the available biometric data. Law enforcement, the legal system, and intelligence agencies have been using this information for a long time. For example, the United States Federal Bureau of Investigation operates the Integrated Automated Fingerprint Identification System (IAFIS). The IAFIS is the largest biometric database in the world, housing the fingerprints and criminal histories of more than 70 million subjects in the criminal master file, along with more than 31 million civil prints.3 The EURODAC is a similar fingerprint repository that supports the European Union.
Biometric data is increasingly available in the commercial arena, where it can be co-mingled with other types of data such as social media. This opens up new business opportunities, as well as several governance issues relating to privacy and data retention.
There are two best practices relating to the governance of biometric data, which are discussed in detail in the rest of this chapter:
16.1 Assess the privacy implications relating to the acceptable use of biometric data.
16.2 Work with legal counsel to determine the impact of evolving regulations on the use of biometric data for customers and employees.
Big data governance needs to understand the privacy implications of any biometric data that might be collected by the organization. Case Study 16.1 is from a recent report from the U.S. Federal Trade Commission (FTC) on the potential uses of facial recognition technology in combination with social media.4
Facial recognition technology enables the identification of an individual based on his or her distinct facial characteristics. While this technology has been used in experiments for over thirty years, until recently it remained costly and limited under real-world conditions. However, steady improvements in the technology, combined with increased computing power, have shifted this technology out of the realm of science fiction and into the marketplace. As costs have decreased and accuracy improved, facial recognition software has been incorporated into a variety of commercial products. Today it can be found in online social networks and photo management software, where it is used to facilitate photo organizing, and in mobile apps, where it is used to enhance gaming.
This surge in the deployment of facial recognition technology will likely boost the desire of companies to use data enhancement by offering yet another means to compile and link information about an individual gathered through disparate transactions and contexts. For instance, social networks such as Facebook and LinkedIn, as well as websites like Yelp and Amazon, encourage users to upload profile photos and make these photos publicly available. As a result, vast amounts of facial data, often linked with real names and geographic locations, have been made publicly available. A recent paper from researchers at Carnegie Mellon University illustrated how they were able to combine readily available facial recognition software with data mining algorithms and statistical re-identification techniques to determine, in many cases, an individual’s name, location, interests, and even the first five digits of the individual’s Social Security number, starting with only his or her picture.5
Companies could easily replicate these results. Today, retailers use facial detection software in digital signs to analyze the age and gender of viewers and deliver targeted advertisements.6 Facial detection does not uniquely identify an individual. Instead, it detects human faces and determines gender and approximate age range. In the future, digital signs and kiosks placed in supermarkets, transit stations, and college campuses could capture images of viewers and, with facial recognition software, match those faces to online identities and return advertisements based on the websites specific individuals have visited or the publicly available information contained in their social media profiles.
Retailers could also implement loyalty programs, ask users to associate a photo with the account, and then use the combined data to link the consumer to other online accounts or their in-store actions. This would enable the retailer to glean information about the consumer’s purchase habits, interests, and even movements, which could be used to offer discounts on particular products or otherwise market to the consumer. The ability of facial recognition technology to identify consumers based solely on a photograph, create linkages between the offline and online world, and compile highly detailed dossiers of information, makes it especially important for companies using this technology to implement the appropriate privacy policies.
The FTC report makes a number of recommendations regarding the use of facial data. Organizations should consider these recommendations, summarized below, although they are not currently legally binding:
The use of biometric information continues to expand in the marketplace and the workplace. For example, hospital staff might use biometrics so that they do not have to retype their user names and passwords. Instead, they can use a biometric scan to quickly log into the system when they arrive at a bed or station. As laws and regulations continue to evolve, however, organizations need to consult with legal counsel if they expect to process biometric information for their customers and employees.
Case Study 16.2 provides a summary of the laws and regulations in a few jurisdictions regarding the use of genetic data. In the case of Ireland, the regulations also cover issues relating to the retention period for employee biometric data.
DNA splicing technology has become sufficiently commoditized that some companies are offering low-cost DNA-mapping services. The result is an explosion in the available DNA datasets, which opens up new opportunities. For example, some companies have combined DNA-mapping technology with social networking to map family trees, find relationships people never knew they had, and identify adopted children’s biological parents.7 On the other hand, human genetic information is subject to significant privacy issues. Governments have responded to these privacy issues with new legislation. Here is a brief summary of the laws and regulations in a few jurisdictions:
The Genetic Information Nondiscrimination Act of 2008 prohibits discrimination in health coverage and employment based on genetic information. Although the act does not extend to life insurance, disability insurance, or long-term care insurance, most states also have specific laws that prohibit the use of genetic information in these contexts.
The Association of British Insurers announced a moratorium on the use of genetic testing for any type of insurance other than life insurance over £500,000. Above that amount, insurers will not use adverse predictive genetic test results unless the government has specifically approved the test.8
On January 25, 2012, the European Commission issued a draft General Data Protection Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data. As of the publication of this book, the regulations had not yet gone into effect. However, they contain specific guidance regarding the use of genetic information. The regulations define “genetic data” in very broad terms to mean “all data, of whatever type, concerning the characteristics of an individual which are inherited or acquired during early prenatal development.” The regulations also require organizations that process genetic information to establish a data protection impact assessment.
The Privacy Act governs the disclosure of genetic information based on informed consent.9
The Data Protection Commissioner has recommended that a documented privacy impact assessment be carried out prior to installing a biometric system in the workplace. Here are some of the points that might be included in the privacy impact assessment:10
Advances in technology have greatly increased the volume and types of biometric data. While government organizations have long had access to this information, it is slowly making its way into the commercial arena. This opens up vast new business opportunities, but also requires strict governance relating to privacy and data retention policies.
1. http://biometrics.cse.msu.edu/info.html.
2. Biometrics in the workplace. Data Protection Commissioner of Ireland. http://dataprotection.ie/viewdoc.asp?DocID=244.
3. http://www.fbi.gov/about-us/cjis/fingerprints_biometrics/iafis/iafis.
4. Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers. Federal Trade Commission Report, March 2012. Page 45.
5. Acquisti, Alessandro et al. “Faces of Facebook: Privacy in the Age of Augmented Reality.” http://www.heinz.cmu.edu/~acquisti/face-recognition-study-FAQ/.
6. Li, Shan and Sarno, David. “Advertisers Start Using Facial Recognition to Tailor Pitches.” Los Angeles Times, Aug. 21, 2011. http://articles.latimes.com/2011/aug/21/business/la-fi-facial-recognition-20110821.
7. Fowler, Geoffrey. “Websites Use DNA to Create Family Trees.” The Wall Street Journal, May 15, 2012.
8. Association of British Insurers news release, April 5, 2011. http://www.abi.org.uk/Media/Releases/2011/04/Insurance_Genetics_Moratorium_extended_to_2017.aspa.
9. www.privacy.gov.au/law/act/genetic.
10. Biometrics in the workplace. Data Protection Commissioner of Ireland. http://dataprotection.ie/viewdoc.asp?DocID=244.