Here's Looking at You, Kid!
The rapid growth in the use of 'biometrics',
such as fingerprints or retinal scans, in schools and workplaces
has alarmed the Data Protection Commissioner. This article discusses
the legal issues that face anyone considering introducing such an
identification system into their business.
You may have read about schools introducing identification systems
to monitor pupil attendance, and employers introducing 'biometric'
systems to monitor staff attendance and working hours. This is indicative
of the rapid growth of 'biometric' systems in the world around us,
but these schemes have met with a mixed reaction.
The Data Protection Commissioner's policy seems to be to scrutinise
biometric systems very carefully. For example, in his recently reported
statement on the Abbey Theatre's use of a fingerprint system to
allow staff to clock-in for work, he said that he felt it was excessive
and not in accordance with data protection laws. Given the stance
taken by the Data Protection Commissioner on this issue, it is clear
that the introduction of a biometric system for whatever purpose
requires a comprehensive analysis, not just in financial or efficiency
terms but also in terms of legal compliance.
The Data Protection Acts 1988 and 2003 (as amended) provide
for seven principles of data protection. Personal data must:
- be obtained and processed fairly,
- be complete and accurate and, where necessary, kept up to date,
- have been obtained for specified or explicit and legitimate
purposes,
- not be further processed in a manner incompatible with that
purpose or those purposes,
- be adequate, relevant and not excessive,
- not be kept for longer than is necessary, and
- be retained subject to appropriate security measures against
unauthorised access.
The Data Protection Commissioner, who has responsibility for the
area of data protection in Ireland, has expressed concerns about
the use of such systems in schools and workplaces. He has issued
specific guidance on the issue for schools, colleges and educational
institutions, but this guidance should also be reviewed by anyone
considering introducing a biometric identification system.
The guidance emphasises that the critical issues to be considered
are the proportionality of introducing a biometric system and whether
the use of such a system might be considered to be 'excessive' in
the circumstances (i.e. is there a need for the system in the first
place and are there less intrusive methods available?). It also makes
clear the requirement to obtain the written consent of users (and
their parents or guardians in the case of minors), and of giving
users a clear and unambiguous right to opt out of the system without
penalty. These consents need to be carefully drafted to ensure legal
compliance.
Individuals (termed 'data subjects' in the legislation) must be
provided with information about how their personal data will be
used. The Data Protection Commissioner also suggests that a data
retention policy be implemented in advance of the introduction of
any biometric system. A data retention policy would deal with such
issues as how the data will be retained, for how long, what it will
be used for and who will have access to it.
Many legal issues arise with record retention. Some records need
to be retained for specific statutory purposes (for example, tax
and PRSI records) or to ensure that contracts can be enforced. It
is best to formulate a data retention policy in writing, with legal
assistance, before starting to retain biometric data.
The Data Protection Commissioner also recommends that a documented
privacy impact assessment (PIA) should be carried out and sets out
a number of issues that might be included in such a PIA. Carrying
out a PIA, he asserts, means that an employer is less likely to
introduce a system that contravenes the data protection legislation.
Some of the issues to be considered in the PIA are: an assessment
of the current system in place and its adequacy for the purpose
intended and the need to replace it, what other systems are available
(and what is the need for a biometric system, in particular, and
what it will achieve), the accuracy of the data that the system
will collect and process, what procedures will be put in place to
prevent abuse, and how consent to the use of the technology will
be obtained from users.
In summary, a meaningful consideration of the legal consequences
of introducing a biometric system is required prior to its introduction.
Data protection laws are there to protect a person's personal information.
The proactive approach taken by the Data Protection Commissioner
means that legal difficulties may arise unless account is taken
of the relevant laws and guidance materials.
What is Biometric Data?
Biometric data is information created from the physical or physiological
characteristics of a person, for example, fingerprints, the face,
hand measurements, voice pattern, DNA or a picture of the iris or
retina in the eye. Biometric data can also be created from behavioural
data, such as handwriting or keystroke analysis. It is gathered
from a person and can then be used to identify or verify the identity
of an individual. It is for this reason that data protection principles
apply to its use, as personal data is being held as a verification
record.
For further information please contact Deirdre
Kilroy.
© 2003-2011 LK Shields Solicitors.
All rights reserved.