02 Apr Biometric Legalities
Recent advancements in computer hardware and software have enabled industry to develop affordable automated biometrics-based identification and verification systems.
This article serves to provide a brief understanding of biometric-based systems and to investigate its application within a legal context.
The Biometric System
Biometric-based identification and verification systems provide a means by which individuals are identified or verified using their unique biological characteristics, such as fingerprints or voice.
Biometric-based systems fall into one of two categories, namely the identification system and the verification system.
In the identification system, or one-to-many system, the biometric information of an individual is compared to all the biometric information stored in a data base in order to obtain a positive match and thus, identify the individual.
In contrast, in the verification system, or one-to-one system, the biometric information of an individual is compared to the biometric information of that specific individual, which is stored in a data base, in order to positively verify the identity of the individual.
Examples of biometric-based systems include fingerprint identification, retina and iris scans, voice analysis and face recognition.
Advantages of Implementing the System
The implementation of biometric-based systems across various industries serves to circumvent the problems faced by conventional personal identification techniques (for example, pin codes and identity documents) and to modernise everyday tasks such as entering a workplace or accessing bank accounts.
What is more, making use of distinguishable and unique biological traits can assist in the alleviation of fraud, both on and off line. Unlike a bank card or a signature, biometric data cannot be replicated or duplicated. It is specifically unique to the individual presenting it and is completely distinguishable from any other person. Therefore the use of biometric-based systems may prove invaluable in not only protecting individuals in their daily transactions but protecting the institutions with whom the entities transact.
Protecting Special Personal Information
Whilst this rapidly developing field of technology will no doubt prove highly beneficial to those implementing it, one should not lose sight of the fact that biometric data is personal information and as such, must be protected.
This personal information, once collected, is stored in a data base, the contents of which needs to be readily available in order to give effect to the verification and identification systems mentioned above. This, in itself, could open the door to abuse of personal information should it not be fully protected.
It is imperative for those wishing to implement a biometric-based identification or verification system to be cognizant of the fact that the collecting, storing and processing of such information is protected by law, which law prescribes certain regulations which must be adhered to.
In November 2013, the Protection of Personal Information Act, 4 of 2013 (“POPI”) was signed into law. Although the vast majority of the Act has not yet been enacted it is advisable for those seeking to collect, store and process personal information to begin observing its provisions so as to ensure total compliance once the Act is fully enacted.
The purpose of POPI is to give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party. It seeks further to regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe minimum threshold requirements for the lawful processing of personal information.
As a general rule, the processing of personal biometric data is prohibited unless the data subject has specifically consented to it. Even once such consent is obtained, POPI prescribes further protocols in respect of special personal information which must be adhered to.
Protocols to be considered include the following:
- Purpose for which the personal information is collected;
- Manner in which the personal information is stored;
- Duration of the storage of the personal information;
- Securing the personal information; and
- Access to the personal information.
As technology develops and progresses it will become increasingly more necessary and progressively easier for biometric systems to be implemented into banking institutions, businesses, hospitals and even government departments. Whilst this will no doubt prove highly advantageous for all involved it is vital that those implementing the system are acutely aware of the requirements imposed on them by the law and stay up to date on the legal implications of effecting such technological developments.
 Proceedings of the IEEE, Vol. 85, No.9 September 1997
 Section 2(a) POPI
 Section 2(b) POPI
 Section 26(a) POPI