Singapore’s biometric data guide: potential risks and best practices
Singapore, one of the most innovative economies in Southeast Asia, has been using biometric data across various sectors.
In May 2022, for instance, migration control was made smoother, as travellers flying out of Changi Airport could undergo biometric screening for verification and therefore not have to present their passports or boarding passes.
There is, however, a risk of organisations mishandling individuals’ biometric data, especially as high-resolution security cameras and closed-circuit television cameras (CCTVs) become more prevalent.
The Singapore Personal Data Protection Commission (PDPC) recently issued a guide on ‘responsible use of biometric data in security applications’. This guide aims to help organisations, building owners, and security companies that use personal data to ensure responsible use of biometric recognition systems.
What is biometric data?
Biometric data refers to biometric samples (data relating to the physiological, biological, or behavioural characteristics of an individual) or biometric templates created through technical processing of biometric samples. Examples of biometric samples include facial images, fingerprints, and voice recordings.
During the processing of a biometric sample, the algorithm in the biometric system will extract a digital representation of its features or characteristics and transform it into a biometric template. The template is then applied against the relevant biometric samples to verify or identify individuals at hand.
Best practices to collect, use and disclose biometric data
Due to the immutable nature of biometric data, organisations need to be aware of potential risks that may arise when implementing biometric recognition systems for security applications. Some of the risks identified in the guide are identity spoofing, error in identification, and systemic risks to biometric templates.
The guide also provides recommendations on best practices for protecting biometric data at each stage of its lifecycle.
| Lifecycle stage | Best practices |
|---|---|
| Collection | • Notify individuals about placements of security cameras<br>• Obtain consent from individuals before collecting biometric data |
| Processing/usage | • Limit access to recordings of security cameras<br>• Process collected biometric samples to extract biometric templates immediately, and only use biometric templates for recognition<br>• Ensure decrypted biometric templates within the system do not carry out matching processes |
| Storage | • Limit access to the storage databases of security cameras<br>• Discard biometric samples once biometric templates have been extracted<br>• Isolate biometric templates from other identifying information of individuals to prevent the linking of the two<br>• Implement safeguards to protect the databases holding the biometric data (encrypt biometric data, introduce salt to the encryption process, etc.) |
| Disposal | • Permanently delete biometric data (and any copies made) from the system |
Personal Data Protection Act obligations to biometric data
The Personal Data Protection Act (PDPA) recognises that organisations may collect, use, or disclose personal data for legitimate purposes. This includes controlling access to a service or premises, maintaining a safe working environment, and monitoring the security of premises and any investigations.
Controlling access to a service or premises
Consent can be obtained from individuals who need to provide their biometric sample for authentication purposes when enrolling for a service or accessing premises. The collection of an employee’s biometric sample is reasonable for the purpose of managing a consistent employment relationship.
Maintaining a safe working environment
On top of controlling employee access to premises, the use of surveillance cameras to monitor and enforce workplace safety requirements is acceptable under the employment exception.
Security monitoring of a premises and investigations
Organisations may rely on the following PDPA exceptions to consent when collecting, using, or disclosing individuals’ biometric data:
- “Publicly available data” exception: This applies to the collection of biometric samples in public locations or where individuals may be observed by expected means.
- “Legitimate interests” exception: This applies when a legitimate interest assessment finds that the legitimate interests of the organisation or of other individuals in the security use cases outweigh any adverse effect on the individual.
- “Business improvement” exception: Used to improve the organisation’s crowd management and security operations as part of their business or service offerings.
The guide endorses the position that a request for access to an individual’s biometric template need not be accepted. This is because biometric templates are considered confidential commercial information and are not usable by the individual for purposes outside of the organisation’s own biometric recognition system.
Furthermore, organisations should implement a Data Protection Management Programme that lays out their management policies, application of processes and practices, as well as roles and responsibilities of staff in handling biometric data.
Securing biometric data
The integrity of a biometric system rests on the robust security arrangement of organisations that protect an individual’s personal data.
The use of biometric data is growing extensively in Singapore today. In the hospitality sector, Metasphere is rolling out their ‘Self Check-In Hub’ system at partner hotels on the island. This enables a seamless check-in experience for guests by using facial recognition to authenticate their identities.
Singapore’s largest car-sharing service, GetGo, is also adopting biometric data for faster, simpler customer onboarding.
With recommendations from the PDPC Guide, a more secure environment for any organisation’s biometric system is possible. This will help organisations such as Management Corporation Strata Title (MCSTs), building owners and security services companies, to ensure responsible use of security cameras and biometric recognition systems to safeguard individuals’ biometric data where it is collected, used, or disclosed.