Bulletin

Eight Tips to Smoothly Implement Your Biometric System

Fasken

Overview

Privacy and Cybersecurity Law Bulletin

Biometrics, which involves using physical or behavioural characteristics to identify individuals, is increasingly being adopted in various industries to enhance the efficiency and security of business processes. However, it raises important privacy issues and is only rarely permitted. 

This bulletin describes the requirements for implementing a system that uses biometrics and specifies the penalties for non-compliance.

Biometric characteristics—such as those extracted from one’s hand shape (or “geometry”), facial photograph or fingerprint—are considered personal information because they make it possible to distinguish between different individuals. These characteristics are unique and unchangeable identifiers and naturally raise a high expectation of privacy.

What is a biometric system? See our bulletin Biometrics, Characteristics, Measurements, and Biometric Systems: Why They Must Be Differentiated?

Obligations

Before Collecting Biometric Data

1. Assess the necessity of collecting biometric data.

Issues frequently emerge at this stage. The use of biometrics, whether for securing access to the workplace, recording hours worked, taking temperature readings, or facilitating purchases, is rarely necessary. 

To justify the need to collect biometric data, an organization must meet both of the following criteria:

The purpose for which the information is collected must be legitimate, important and real.

  • The purpose must relate to a real problem, not just a perceived one. The Commission d’accès à l’information (the “CAI”) observes that organizations rarely assess the situation leading to the decision to use a biometric system in a rigorous manner; in other words, the problem that led to this decision is rarely documented.

The infringement of privacy must be proportional to the purpose.

Collection must be a proportional means of achieving this purpose. Practically speaking, this means that

  • the use of a biometric system must be an effective means of achieving the intended purpose;
  • the organization must prioritize less intrusive means of achieving that purpose;
  • the benefits of using a biometric system must outweigh any infringement of employee rights and the adverse consequences that may result from implementing such a system.  

Only one of the twelve reported cases analyzing the “necessity” of a biometric system found that the system was necessary and therefore legal. In practice, the necessity test can be difficult to apply. The sensitive nature of biometrics and the myriad of less intrusive solutions (e.g., using a PIN) account for these difficulties, at least in part.

Document the events and issues that justify the use of biometrics. Generally, an organization cannot implement a system “just in case,” or simply because it’s more convenient to do so.

2. Conduct a privacy impact assessment at the very beginning of the project, namely before data is collected during the enrollment stage. 

3. Disclose the biometric system to the CAI prior to implementation. If the system uses a centralized database, disclosure must be submitted “promptly and not later than 60 days before it is brought into service.”[6]

To do this, the CAI recommends using its declaration form, Formulaire de déclaration d’une banque de caractéristiques ou de mesures biométriques (available in French only).

4. Limit collection: only the biometric data needed to identify or authenticate an individual should be collected. 

For example, collecting fingerprints from all ten fingers is not justified if the right index fingerprint alone is sufficient.

When Collecting Biometric Data

5. Obtain express consent from affected individuals. Consent must be clear, free and informed and given for specific purposes. 

  • The CAI has posted a template consent form online (available in French only).
  • Provide an alternative option in case of refusal.

Note that obtaining consent does not waive the necessity analysis (Tip #1).

After Collecting Biometric Data

6. Respect the purpose(s) identified in your consent form (e.g., recording hours worked). Otherwise, you will have to once again obtain express consent and assess the necessity of any new purpose that was not previously identified.

  • Any additional use of information extracted from previously collected biometric data is strictly prohibited. For example, facial recognition can give an indication of a person’s emotional state at the time of capture—using this secondary information is strictly forbidden. 

7. Apply appropriate security measures. Because biometric data is sensitive personal information, it must be subject to enhanced protection.

  • The CAI recommends, subject to certain exceptions, converting the image of the raw biometric data into a code (encryption), as well as using external, individual or portable storage media, under the control of the affected individual, to store the encrypted biometric characteristics or measurements.
  • Avoid using a biometric system that stores data on a centralized database. Even if biometric data is encrypted, it is preferable for the organization to not be responsible for storing the data.
Destruction

8. All biometric data must be safely and irreversibly destroyed immediately after the stated purpose is fulfilled (e.g., after an employee leaves). Any notes and other ancillary information about an individual’s biometric data (e.g., metadata) must also be destroyed. 

Penalties

Under the Act to Establish a Legal Framework for Information Technology, the CAI can issue orders regarding any biometric database. The CAI has already ordered the destruction of illegally collected biometric data. However, these powers do not appear to extend to biometric systems using decentralized data.

Given the sensitive nature of biometric data, using such data in any system is subject to the penalties provided under privacy laws, such as the Private Sector Act. A company, along with its officers, directors, and representatives, may be subject to penalties. In addition to general legal remedies, a company may be subject to the following consequences:

Chart explaining the consequences to which a company is exposed

Since the implementation of the new penalty regime on September 22, 2023, the CAI has published only one investigation. This investigation concluded that a biometric system had been used illegally, but no sanctions were imposed. Whether this collaborative approach by the CAI will last remains uncertain.


Contact the Authors

For more information or to discuss a particular matter please contact us.

Authors

  • Soleïca Monnier, Associate | Privacy and Cybersecurity Law, Montréal, QC, +1 514 397 5281, smonnier@fasken.com
  • Iara Griffith, Associate | Privacy and Cybersecurity Law, Montréal, QC, +1 514 397 7596, igriffith@fasken.com