The paper begins by defining biometric technologies as a method of automatic personal recognition based on physiological or behavioural characteristics. Biometric technologies rely on who you are or what you do, rather than what you know (password, pin numbers etc.). Rapid evolution of biometric technologies are leading to legal concerns. The paper includes a brief survey of important legislation and acknowledgement of a common framework of principles, particularly among EU countries. These principles allow for the collection of data for a specific purpose provided it is relevant and not excessive for the purpose. Section 2 identifies biometric methods and techniques, e.g. fingerprinting, retinal and iris recognition, hand geometry, voice recognition, and then moves on to a discussion about recognition of data.
In Section 3 the issue of the protection of privacy and fundamental rights of citizens is raised. An example given is the collection of fingerprint data: previously used only by law enforcement agencies, the development of fingerprint databases for other uses might increase use of the data for their own purposes by other agencies. Data protection principles in Article 3 of Directive 96/46EC apply to the processing of data by ‘automatic means’ or by other means where the data will be used in a filing system, for example. The Directive does not apply when the data is collected by a private individual for personal purposes. Most countries prohibit the collection and processing of data that would be ‘incompatible with the purpose’ for which it was taken. Biometric data should be stored in such a way as to be accessible to the user only, rather than in a central database. Examples of fingerprint recognition in Portuguese, German and French systems are given. Germany, for example, has permitted biometric data to be included on identity papers where the data is stored in a microchip of the card, and not in a central database. Portugal and Greece have both deemed the use of fingerprint recognition systems for employees to be excessive for the purposes of employee entrance control.
A clear definition of the purposes of biometric data collection is therefore required, along with analysis of the risks for the protection of human rights and privacy. Collectors have a specific duty to inform individuals of the purposes and uses of biometric data, and to ensure that the appropriate data protection authorities are informed. Systems used to collect data without the knowledge of the individual (e.g. cctv for distinct facial recognition or fingerprints at immigration controls) should be used only for public security or by law enforcement agencies. Data that cannot be linked to specific individuals falls outside of the scope of the law. The paper details of various ways of ensuring the privacy of biometric data, e.g. encryption algorithms such one-way use of passwords. These cannot however guarantee security for privacy. Recent research has focussed on majority coding techniques which can combine artificial intelligence techniques to overcome the problems of security.
Information Management & Computer Security Year: 2004 Volume: 12 Number: 1 Page: 125 — 137
Read the paper : http://Emerald Group Publishing Limited