PDPC issues Guide on Responsible Use of Biometric Data in Security Applications

28 June 2022

On 17 May 2022, the Personal Data Protection Commission (PDPC) updated its website www.pdpc.gov.sg with the “Guide on the Responsible Use of Biometric Data in Security Applications” (“Guide”). The Guide aims to help organisations such as management corporation strata title, building or premise owners and security services companies use security cameras and biometric recognition systems responsibly to safeguard individuals’ biometric data where it is collected, used or disclosed.

Biometric data refers to biometric samples (i.e. data relating to the physiological, biological or behavioural characteristics of an individual) or biometric templates created through technical processing of biometric samples. Examples of biometric samples include facial images, fingerprints and voice recordings. Biometric samples are captured through sensors such as image and audio sensors.

The Guide covers the following:

  • Key considerations in implementing security cameras and biometric recognition systems, and industry best practices for data protection;
  • Obligations and exceptions under the Personal Data Protection Act 2012 applicable to the collection, use and processing of biometric data; and
  • Practical guidance on security cameras for security monitoring and biometric recognition for access control.

According to the Guide, it is important to be familiar with the risks associated with using biometric data, and how systems and processes can be designed to address them. The Guide identifies some of these risks to be identify spoofing, error in identification and systemic risks to biometric templates, and provides recommendations that organisations can consider when they procure or design biometric recognition systems for security applications.

The Guide also recommends that organisations consider implementing governance controls and data protection best practices throughout the different stages of the biometric data life cycle to reduce impact on affected individuals in the event of a breach. Periodic audits should be conducted to ensure compliance with established controls and practices to ensure these have not eroded over time.

The Guide is not intended for individuals who use security cameras or biometric systems in personal or domestic capacities. It is also not intended to address organisations’ use of biometric data for commercial purposes other than in security applications. Future guidance will be provided for the separate and distinct considerations that apply in relation to other commercial use cases.