In brief

In May 2022, the Singapore Personal Data Protection Commission (PDPC) published a guide to help organisations collect, use or disclose individuals’ biometric data in a responsible manner (“Guide”). With security applications like security cameras and Closed-Circuit Television Cameras (CCTVs) becoming increasingly commonplace, there have been more cases of organisations mishandling individuals’ biometric data. The release of this Guide serves as a timely reminder for organisations to review their existing measures or implement new measures to ensure that they are dealing with individuals’ biometric data in a responsible manner.


In more detail

While this Guide is not legally binding on individuals and organisations, it reflects the PDPC’s stance with regard to the handling of biometric data in a security setting. Organisations should look into and consider the best practices that are provided in the Guide to ensure that they are in compliance with their legal obligations under the PDPA and are not exposed to legal risks and liabilities.

Target Audience

The Guide is targeted at security applications that use personal data, as well as organisations that use such security applications. The Guide does not apply to individuals who use security or biometric systems for private purposes. The Guide is only intended for organisations’ use of biometric data in security applications, and does not extend to other commercial purposes.

Key Terminology and Processes

  • Biometric data: Biometric samples or biometric templates created through technical processing of biometric samples.
  • Biometric samples: Data relating to the physiological, biological or behavioural characteristics of an individual, including facial images, fingerprints and voice recordings.
  • Biometric templates: Binary representations derived from the application of an algorithm to biometric samples; they are considered anonymised data on their own.

When processing a biometric sample, the algorithm in the biometric system will extract a digital representation of its features or characteristics and transform it into a biometric template. The template will then be used against the presented biometric samples in the process of verifying or identifying individuals.

Best Practices to Collect, Use and Disclose Biometric Data

The immutable nature of biometric data presents risks that organisations need to be aware of when procuring biometric recognition systems for security applications. The table below summarises the different risks associated with biometric recognition technology and the measures that organisations may consider implementing to mitigate the risks.

| Risks | Description | Measures |
| --- | --- | --- |
| Identity spoofing | Using a synthetic object with the physical characteristics of an individual to obtain a positive match in the system | Implement anti-spoofing measures (e.g. liveness detection) within the system; install biometric systems with facial recognition function near a manned security post / security officers; encrypt data-at-rest and data-in-transit to prevent possible tampering with biometric data |
| Error in identification | False negatives: occur when the threshold for matching is set too high and the system fails to identify enrolled individuals. False positives: occur when the threshold for matching is set too low and the system wrongly identifies a person as an enrolled individual | Consider the impact of false positives and false negatives, and the relevant industry practice, and implement a reasonable matching threshold; include additional factors of authentication (e.g. access cards) to complement the existing matching thresholds |
| Systemic risks to biometric templates | The uniqueness of a biometric template may be diluted if the algorithm used to create the template is used multiple times by the service provider across different sets of customers | Encrypt biometric templates in databases; introduce a salt when encrypting biometric templates; consider using customised algorithms to preserve the uniqueness of biometric templates |
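
The threshold trade-off in the "Error in identification" row can be checked against a system's own match scores. The sketch below is an added example, not taken from the Guide or from this article: the similarity scores are constructed, and the function names (`error_rates`, `pick_threshold`, `grant_access`) are hypothetical.

```python
# Constructed similarity scores (0..1) from a hypothetical matcher; not real data.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.84, 0.97, 0.73, 0.90, 0.86, 0.93]   # enrolled person vs. own template
IMPOSTOR = [0.12, 0.35, 0.41, 0.28, 0.55, 0.62, 0.47, 0.30, 0.81, 0.19]  # other people vs. that template


def error_rates(genuine, impostor, threshold):
    """Return (FRR, FAR) when a score >= threshold counts as a match.

    FRR: share of enrolled individuals rejected (false negatives).
    FAR: share of non-enrolled individuals accepted (false positives).
    """
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def pick_threshold(genuine, impostor, max_far, candidates=None):
    """Return (threshold, FRR, FAR) for the lowest candidate threshold whose
    FAR stays within max_far. FRR never falls as the threshold rises, so the
    lowest acceptable threshold also gives the fewest false negatives.
    Returns None when no candidate meets the FAR target."""
    candidates = candidates or [t / 100 for t in range(50, 100, 5)]
    for t in sorted(candidates):
        frr, far = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, frr, far
    return None


def grant_access(score, threshold, card_matches_claimed_id):
    """Second factor from the table: a biometric match alone is not enough;
    the access card presented must also belong to the claimed identity."""
    return score >= threshold and card_matches_claimed_id


if __name__ == "__main__":
    for t in (0.5, 0.7, 0.9):
        print(f"threshold={t}: FRR, FAR = {error_rates(GENUINE, IMPOSTOR, t)}")
    print("FAR target 0.0:", pick_threshold(GENUINE, IMPOSTOR, 0.0))
    print("FAR target 0.1:", pick_threshold(GENUINE, IMPOSTOR, 0.1))
```

With the access card as a second factor, the looser threshold (fewer enrolled users rejected) no longer admits the one impostor score that clears it.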

Apart from being familiar with the risks present in the deployment of biometric recognition technology, it is equally important for organisations to protect biometric data at all stages of their life cycle. Organisations can consider adopting the following best practices:

| Life Cycle | Measures |
| --- | --- |
| Collection | Notify individuals regarding placements of security cameras; obtain the consent of individuals before collecting biometric data |
| Processing / Usage | Limit access to recordings of security cameras; process biometric samples collected to extract biometric templates immediately, and only use biometric templates in the process of recognition; ensure decrypted biometric templates that are still in the system do not carry out matching processes |
| Storage | Limit access to the storage databases of security cameras; for biometric recognition systems, discard biometric samples once biometric templates have been extracted; isolate biometric templates from other identifying information of individuals in order to prevent the linking of the two; implement safeguards to protect the databases holding the biometric data (e.g. encrypting biometric data, introducing salt to the encryption process etc.) |
| Disposal | Permanently delete biometric data (and any copies made) from the system |

Obligations under the PDPA

The Guide discusses some of the purposes that organisations may collect, use or disclose personal data for, which include controlling access to services / premises, maintaining a safe working environment, security monitoring of premises and investigations, and enhancing security operational efficiency for premises.

Organisations may rely on the following exceptions to consent in the PDPA when collecting, using or disclosing the biometric data of individuals:

  • “Publicly available data” exception: Organisations can rely on this exception when collecting biometric samples in public locations or where individuals may be observed by reasonably expected means. It allows organisations to collect, use or disclose the biometric data collected for security purposes.
  • “Legitimate interests” exception: Organisations may collect, use or disclose personal data without first obtaining the consent of an individual if, after conducting a legitimate interests assessment, they determine that the legitimate interests of the organisation / other individuals in the security use cases outweigh any likely adverse effect on the individual.
  • “Business improvement” exception: Organisations may rely on this to use the biometric data without consent to improve their crowd management and security operations as part of their business or service offerings.

The other obligations under the PDPA, such as the access and correction obligation, protection obligation, data breach notification obligation and retention limitation obligation, similarly apply to biometric data. For the access obligation, while individuals may request access to their biometric data, organisations need not disclose biometric templates to individuals. The Guide explains that biometric templates, unlike the samples collected, will not serve any purpose outside the organisation’s biometric recognition system. Further, the PDPC made clear that biometric templates are considered confidential commercial information, and the organisation’s security system may be jeopardized if such information falls into the wrong hands. Organisations are also encouraged to establish a Data Protection Management Programme detailing the organisation’s policies and practices related to the handling of biometric data.

In deciding the type of biometric system to be implemented, an organisation shall consider (i) the purpose, requirements and alternatives to the installation of such systems, (ii) the possibility of minimising the collection of personal data when using biometric systems in fulfilling its business objective, (iii) an individual’s privacy intrusion perception, (iv) context and frequency of using biometric systems, and (v) the potential risks and level of protection conferred by each biometric system.

The complete Guide on Responsible Use of Biometric Data in Security Applications can be accessed here.


© 2022 Baker & McKenzie.Wong & Leow. All rights reserved. Baker & McKenzie.Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “principal” means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

Author

Andy Leck is the head of the Intellectual Property and Technology (IPTech) Practice Group and a member of the Dispute Resolution Practice Group in Singapore. He is a core member of Baker McKenzie's regional IP practice and also leads the Myanmar IP Practice Group. Andy is recognised by reputable global industry and legal publications as a leader in his field. He was named on "The A-List: Singapore's Top 100 lawyers" by Asia Business Law Journal 2018. In addition, Chambers Asia Pacific notes that Andy is "a well-known IP practitioner who is highlighted for his record of handling major trade mark litigation, as well as commercial exploitation of IP rights in the media and technology sectors. He's been in the industry for a long time and has always been held in high regard. He is known to be very fair and is someone you would like to be in the trenches with you during negotiations." Furthermore, Asian Legal Business acknowledges Andy as a leading practitioner in his field and notes that he “always gives good, quick advice, [is] client-focused and has strong technical knowledge for his areas of practice.” Andy was appointed by the Intellectual Property Office of Singapore (IPOS) as an IP Adjudicator to hear disputes at IPOS for a two-year term from April 2021. He has been an appointed member of the Singapore Copyright Tribunal since May 2010 and a mediator with the WIPO Arbitration and Mediation Center. He is also appointed as a Notary Public & Commissioner for Oaths in Singapore. He previously served on the International Trademark Association’s Board of Directors and was a member of the executive committee.

Author

Ken Chia is a member of the Firm’s IP Tech, International Commercial & Trade and Competition Practice Groups. He is regularly ranked as a leading TMT and competition lawyer by top legal directories, including Chambers Asia Pacific and Legal 500 Asia Pacific. Ken is an IAPP Certified International Privacy Professional (FIP, CIPP(A), CIPT, CIPM) and a fellow of the Chartered Institute of Arbitrators and the Singapore Institute of Arbitrators.

Author

Ren Jun Lim is a principal with Baker McKenzie Wong & Leow. He represents local and international clients in both contentious and non-contentious intellectual property matters. He also advises on a full range of healthcare, as well as consumer goods-related legal and regulatory issues. Ren Jun co-leads Baker McKenzie Wong & Leow's Healthcare as well as Consumer Goods & Retail industry groups. He sits on the Law Society of Singapore IP Committee and on the Executive Committee of the Association of Information Security Professionals. He is also a member of the Vaccines Working Group, Singapore Association of Pharmaceutical Industries, a member of the International Trademark Association, as well as a member of the Regulatory Affairs Professionals Association. Ren Jun is ranked in the Silver tier for Individuals: Enforcement and Litigation and Individuals: Prosecution and Strategy, and a recommended lawyer for Individuals: Transactions by WTR 1000, 2020. He is also listed in Asia IP's Best 50 IP Expert, 2020, recognised as a Rising Star by Managing IP: IP Stars, 2019 and one of Singapore's 70 most influential lawyers aged 40 and under by Singapore Business Review, 2016. Ren Jun was acknowledged by WTR 1000 as a "trademark connoisseur who boasts supplementary knowledge of regulatory issues in the consumer products industry." He was also commended by clients for being "very responsive to enquiries and with a keen eye for detail, he is extremely hands-on. His meticulous and in-depth approach to strategising is key to the excellent outcomes we enjoy."

Author

Abe is a principal in our Singapore office. His main areas of practice include patents, trade secrets, copyright, and transactional IP for international and domestic clients. With over eleven years of legal experience as a lawyer and over ten years of technical experience as an engineer in the US and Canada, Abe is able to provide commercially oriented legal and technology-specific advice on a wide range of IP issues. Before joining our Singapore office in 2016, Abe was a lawyer in our Baker McKenzie offices in the US (where he passed the US patent bar examination and qualified as a US Registered Patent Attorney (limited recognition)) and Thailand.