Amidst the chaos of Brexit, many security-minded organisations are concerned about the implications of the European Regulation on the Protection of Individuals with regard to the Processing of Personal Data, adopted in 2016 and planned to be enforceable in May 2018.
As an integral component of EU privacy and human rights law, it regulates the processing and distribution of personal data. In essence it will become illegal, or certainly contrary to the regulation, to link the stored data to the individual. Furthermore, the regulation states that personal data should not be processed unless the individual is informed and at least one of a set of strict criteria is met.
Whilst the regulations are designed to protect individuals’ rights to privacy, they will have enormous implications for the security industry, which must now adapt to comply.
Shaun Oakes, Managing Director of ievo Ltd, the Newcastle-based manufacturer of biometric recognition systems, explains, “The regulation is designed to prevent stored data being linked to individuals and used for purposes other than ensuring the security of whatever system it was designed for and transferring this data to third parties. Biometric data – fingerprint scans in our case – comes under the heading of a ‘special privacy element’ which are forbidden to use and process, unless, and this is very important, one of a number of criteria apply, the most pertinent of which is the data subject has given permission.”
“As all scans are taken either voluntarily (after the individual has given his or her permission) or legitimately to ensure the safety and security of others, the ievo range of biometric systems fully comply with this legislation as they utilise feature-based matching – they do not store the raw biometric data or image, but rather extract a salient set of features known as minutiae from which an individual template is generated.”
“In essence, we use a system of ‘pseudonymisation’ where the data is processed in a manner where it can no longer be attributed to an individual without the use of additional information which is stored separately and subject to strict technical and organisational control.”
“Following a high-resolution scan of the finger, our algorithms separate the foreground from the background of the image, then enhance the image, detect minutiae points and create a pattern. It is this pattern that is stored on our controller (which is installed separately from the sensor) which, when combined with encryption using AES (Advanced Encryption Standard) ciphers and further confidential safeguards, serves to eliminate tampering. It is important to note that the original scanned image of a fingerprint is never stored.”
“As such, ievo biometric readers fully comply with the new legislation, but many older systems which store biometric and/or personal data of card holders, or those with knowledge of keypad combinations, may well have to review their compliance.”
The process of data extraction from a typical fingerprint scan creates an encrypted pattern; no fingerprint image is stored.