As already announced, the Italian Data Protection Authority has approved a general normative provision on biometrics, which is in the process of being published in the Official Gazette.
Given the increasing use of devices and technologies for the collection and processing of biometric data, mainly for purposes of personal identification, access control and the signing of electronic documents, the Italian Data Protection Authority’s action aims to provide a uniform framework which can be used as the basis for recommending technological choices, adapting processing to the requirements of the Privacy Code and verifying compliance with security standards.
Biometric data are, by their very nature, directly and unequivocally related to an individual and are generally constant over time, which reflects the profound relationship between a person’s body, behaviour and identity. For this reason, the adoption of biometric systems for the collection and processing of data may entail specific risks for fundamental rights and freedoms as well as for an individual’s dignity.
However, within the varied landscape of technological biometric systems and with a view to simplifying legislation, the Italian Data Protection Authority has identified certain types of data processing which present less risk and which, unlike other types, do not require preliminary verification by the Authority. Exemption is granted on condition that all necessary measures and appropriate technical precautions are taken to achieve the security objectives identified by the measure and that the general requirements of legitimacy provided for by the Privacy Code are met.
There is no need to apply for preliminary verification for the following four types of processing:
1. In the signing of electronic documents, analysis of the biometric data connected with applying a handwritten signature can be used for those graphometric signature systems which form the basis of a solution for advanced electronic signatures. Processing is only permitted with the express consent of the person concerned, which is given on signing up for a graphometric signature service and remains valid for all documents to be signed until it is withdrawn. Consent is not necessary in the public sphere, where specific institutional objectives are to be pursued. However, alternative systems will still have to be made available, such as paper or electronic forms of signature which do not involve the use of biometric data.
2. In digital authentication, the biometric characteristics of a person’s fingerprints or voiceprint can be used as credentials, also to access databases and computer systems, without the user’s consent.
3. When controlling physical access, it will be possible to process the biometric characteristics of fingerprints or the topographical layout of the hand to allow access to areas considered “sensitive”, or to allow only qualified operators access to dangerous machinery and equipment. In this case too, processing may be carried out without the consent of the user.
4. To help facilitate processes, it will be possible to use fingerprints and the topographical layout of the hand to allow users physical access to areas in the public domain (e.g. libraries) or the private sphere (e.g. reserved airport areas). Also in this case, use is only permitted with the consent of the parties concerned, and alternative arrangements will in any case still have to be provided for those who refuse to provide their biometric data and refuse permission for the processing of biometric data.
In consideration of the complexity of the matter in relation to the regulations on the processing of personal data, the Italian Data Protection Authority has attached to its provision a document containing the “Guidelines on biometric recognition and graphometric signatures”, which has already been presented for public consultation, and a special form to be used for notifying the Authority in the event of violations of biometric systems. In fact, in order to prevent possible theft of biometric identity, all data breaches or cyber incidents that might have a significant impact on biometric systems and the data collected must be communicated to the Italian Data Protection Authority within 24 hours of being discovered.
While awaiting publication of the provision in the Official Gazette, we invite you to browse through it and its related attachments on the website of the Italian Data Protection Authority.