UPDATE – JULY 2025: The UK ICO published “Biometric Data Guidance: Biometric Recognition 1.0” under the UK GDPR. It outlines lawful use, risk mitigation, and individual rights related to biometric recognition systems. The document emphasizes DPIAs, data minimization, fairness, transparency, and protection by design and default. It is the first part of a two-phase release. The second, focused on biometric classification, is still expected following an upcoming Call for Evidence. As of June 2025, the ICO’s guidance is undergoing review in light of the newly enacted Data (Use and Access) Act. Further updates are anticipated as the AI and Biometrics Strategy continues to evolve.
ORIGINAL NEWS STORY:
ICO Unveils Guidance on Lawful Biometric Recognition
Hot on the heels of the United Kingdom’s recent release of guidance on AI Assurance and Governance, the Information Commissioner’s Office (ICO) has unveiled its own document. This month, the ICO rolled out guidance on the lawful use of biometric recognition under the UK GDPR, marking the first part of its comprehensive advice on biometric data. The second part, focusing on biometric classification and categorization, is set to be the subject of a Call for Evidence in 2024.
Titled “Biometric Data Guidance: Biometric Recognition 1.0,” it offers thorough insights into the processing of biometric data while ensuring compliance with data protection regulations. It delves into essential concepts, legal considerations, fairness, transparency, security measures, and individual rights tied to biometric recognition systems.
One of the key highlights of the guidance is the emphasis on conducting Data Protection Impact Assessments (DPIAs) to evaluate risks to individuals’ rights and freedoms. Risks encompass a range of issues, including personal data breaches, biometric false acceptance or rejection, discrimination, and systematic monitoring of public spaces.
Regarding lawful processing, the document outlines various approaches, including consent, explicit consent, substantial public interest, or research purposes. It underscores the importance of fair processing, transparency, and individual rights, such as access, rectification, and erasure of biometric data.
To ensure compliance, organizations are urged to incorporate data protection principles by design and default into their biometric recognition systems. Security measures, such as biometric template protection and data minimization, are highlighted as essential components of safeguarding biometric data.
Bias in Biometric Recognition Systems
Moreover, the guidance addresses the critical issue of bias in biometric recognition systems, offering strategies to mitigate bias effectively. It underscores the need for organizations to assess and address bias to ensure fair and accurate processing of biometric data. The ICO’s guidance provides a robust framework for organizations navigating the complexities of biometric data processing.