UPDATE – FEBRUARY 2026:
The Information Commissioner’s Office (ICO) guidance titled “Biometric Data Guidance: Biometric Recognition 1.0” remains in force. But it’s now formally under review following the enactment of the Data (Use and Access) Act 2025, which received Royal Assent on June 19, 2025. The ICO has signaled that the biometric recognition guidance may be updated to reflect amendments to the UK GDPR framework.
The ICO’s 2025–2026 AI and Biometrics Strategy places high-risk biometric deployments—particularly live facial recognition in policing and public-space monitoring—at the center of its regulatory priorities. While the core principles of the existing guidance remain intact, the regulator has indicated that further clarification and refinements are expected.
The anticipated second phase of guidance, focused on biometric classification (including categorization systems such as emotion recognition or demographic inference), has not yet been finalized. A Call for Evidence process is expected to inform that next phase, with publication likely in 2026.
For now, organizations deploying biometric recognition systems must continue to rely on the current 1.0 guidance. Additional updates are expected as the UK’s broader AI and biometrics regulatory framework continues to develop.
ORIGINAL NEWS STORY:
ICO Unveils Guidance on Lawful Biometric Recognition
After the UK’s release of guidance on AI Assurance and Governance, the Information Commissioner’s Office (ICO) unveiled its own document. This month, the ICO rolled out guidance on the lawful use of biometric recognition under the UK GDPR, marking the first part of its comprehensive advice on biometric data. The second part, focusing on biometric classification and categorization, is set to be the subject of a Call for Evidence in 2024.
It’s titled, “Biometric Data Guidance: Biometric Recognition 1.0.” It offers thorough insights into the processing of biometric data while ensuring compliance with data protection regulations. It delves into essential concepts, legal considerations, fairness, transparency, security measures, and individual rights tied to biometric recognition systems.
One of the key highlights of the guidance is the emphasis on conducting Data Protection Impact Assessments (DPIAs) to evaluate risks to individuals’ rights and freedoms. Risks encompass a range of issues, including personal data breaches, biometric false acceptance or rejection, discrimination, and systematic monitoring of public spaces.
Regarding lawful processing, the document outlines various approaches, including consent, explicit consent, substantial public interest, or research purposes. It underscores the importance of fair processing, transparency, and individual rights, such as access, rectification, and erasure of biometric data.
To ensure compliance, organizations are urged to incorporate data protection principles by design and default into their biometric recognition systems. Security measures, such as biometric template protection and data minimization, are highlighted as essential components of safeguarding biometric data.
Bias in Biometric Recognition Systems
Moreover, the guidance addresses the critical issue of bias in biometric recognition systems, offering strategies to mitigate bias effectively. It underscores the need for organizations to assess and address bias to ensure fair and accurate processing of biometric data. Also, the ICO’s guidance provides a robust framework for organizations navigating the complexities of biometric data processing.
Need Help?
You might be wondering how UK regulations, and any other AI regulations and laws, could impact you. Therefore, don’t hesitate to reach out to BABL AI. Their Audit Experts are ready to answer your questions and concerns, and provide valuable assistance.
