Key Highlights
- Under UK GDPR, biometric data is classified as special category data, demanding extra protection and strict compliance.
- You must establish one of the lawful bases, often requiring explicit consent, to process this sensitive information legally.
- Conducting a Data Protection Impact Assessment (DPIA) is mandatory before processing biometric data to identify and minimise risks.
- Individuals have strong rights over their data, including access, correction, and erasure, which your organisation must respect.
- Failing to comply can lead to severe penalties and data breaches, damaging both your finances and customer trust.
- Implementing robust data protection measures is crucial to safeguard against unauthorised access and potential harm.
Are you using biometric data in your business? This unique personal information, from fingerprints to faces, is becoming more common. However, handling it comes with significant responsibilities under UK data protection law. The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 set strict rules. Understanding these regulations is not just about avoiding heavy fines; it is about building trust and protecting the people whose data you hold. This guide will walk you through your compliance duties.
Understanding Biometric Data Under UK GDPR
What exactly counts as biometric data under UK GDPR?
It refers to personal data about a person’s physical, physiological, or behavioural characteristics that allows for their unique identification. Think of fingerprints, facial features, or even voice patterns. Because this data is so personal and unique, it requires careful handling.
The law classifies biometric data as a special category of personal data when used for identification purposes. This status means it gets a higher level of data protection. You need to follow stricter rules for collecting, storing, and using it.
Definition and Types of Biometric Data
Under the UK’s data protection framework, biometric data is defined as personal information resulting from specific technical processing related to a person’s physical, physiological, or behavioural characteristics. The key element is that this processing allows for the unique identification of that individual.
This category includes a wide range of data types. Common examples are fingerprints, facial recognition data, iris scans, and voice recognition patterns. It can even cover behavioural characteristics like your typing rhythm or gait if used to identify you. This personal information is incredibly powerful for security and authentication.
However, its unique nature also creates significant privacy risks. If this data is lost or stolen, the impact can be severe because, unlike a password, you cannot change your fingerprint. This is why understanding its definition is the first step toward responsible handling.
Why Biometric Data Is Special Category Data
Biometric data receives special treatment under data protection law for a very important reason. It is classified as special category data specifically when it is used for the purpose of uniquely identifying a natural person. This classification places it in the same category as data on health, race, or political opinions.
The reason for this is its sensitive nature. Because biometric data is unique and permanent, its misuse could lead to significant harm, such as irreversible identity theft. It reveals inherent physical, physiological, or behavioural characteristics of a natural person that cannot be changed and therefore require extra protection.
This special status means that its processing is prohibited by default. To process it lawfully, you must meet a higher threshold than for other types of personal data. This requirement reflects the serious privacy implications and ensures organisations handle it with the utmost care.
Lawful Bases for Processing Biometric Data in the UK
To legally process any personal data, you need a “lawful basis” under UK GDPR. For special category biometric data, the rules are even stricter. You must identify not only a lawful basis from Article 6 of the UK GDPR but also a separate, specific condition for processing from Article 9.
Meeting these dual requirements is fundamental to your data protection compliance. Your processing activities must be justified from the outset. Without fulfilling both conditions, any processing of biometric data is unlawful. Let’s look at the most common condition, explicit consent, and what other legal grounds might apply.
Explicit Consent and Its Requirements
Explicit consent is often the primary legal ground for processing biometric data. Unlike standard consent, “explicit” means it must be confirmed in a clear statement. It cannot be implied; it requires a specific, deliberate affirmative action by the individual. For example, ticking a box that clearly states they agree to the data processing for biometric recognition is a valid action.
To be valid, explicit consent must meet several key consent requirements. You must ensure the consent is:
- Freely given: The person cannot be pressured or forced into agreeing.
- Specific and informed: You must clearly explain what data you are collecting, why you need it, and how it will be used.
- Unambiguous: There should be no doubt that the person has agreed.
An “opt-out” approach, where consent is assumed unless someone objects, is not valid for explicit consent. The individual must actively opt in. This transparency is crucial for building trust and ensuring your data processing is lawful.
Other Legal Grounds for Processing Biometric Data
While explicit consent is common, it is not the only way to lawfully process biometric data. The UK GDPR provides other conditions for situations where consent may not be appropriate or possible. However, these alternative grounds are narrowly interpreted and challenging to apply in practice for biometric identification systems.
Employment, social security and social protection law
Processing may be necessary for carrying out obligations and exercising specific rights in the field of employment, social security and social protection law. This is a separate Article 9(2)(b) condition that allows processing when authorised by UK law or a collective agreement, and it provides appropriate safeguards for employees’ fundamental rights.
However, organisations relying on this ground must:
- Meet the requirements of Schedule 1, Part 1, paragraph 1 of the Data Protection Act 2018
- Have an Appropriate Policy Document (APD) in place
- Demonstrate the processing is necessary for statutory employment obligations or rights, not merely contractual employment arrangements
- Identify the specific legal provision or point to appropriate sources of advice or guidance
The ICO has taken enforcement action demonstrating the difficulty of justifying biometric systems under employment grounds. In February 2024, Serco Leisure Operating Limited was ordered to stop using facial recognition and fingerprint scanning to monitor employee attendance at 38 leisure facilities. The ICO found that:
- Serco failed to demonstrate why biometric processing was necessary or proportionate when less intrusive means (such as ID cards or fobs) were available
- Employees were not proactively offered genuine alternatives
- The system was presented as a requirement for payment, and the power imbalance made it unlikely employees could refuse
This case illustrates that employment law grounds cannot justify biometric attendance systems where alternative, less intrusive methods are feasible.
Vital interests
Processing biometric data may be lawful when necessary to protect someone’s vital interests, meaning their life is at risk. This ground applies only in emergency situations, typically life-or-death medical scenarios where the individual is physically or legally incapable of giving consent.
For special category data including biometric data, Article 9(2)(c) permits this processing only if the data subject is incapable of giving consent. You cannot rely on vital interests if the individual is capable of consenting but refuses to do so.
Examples include accessing an employee’s medical history after they collapse at work to provide critical information to paramedics, or processing biometric data to identify an unconscious patient requiring emergency treatment.
Substantial public interest
Processing may be necessary for reasons of substantial public interest as laid out in Schedule 1, Part 2 of the Data Protection Act 2018. This schedule contains 23 specific substantial public interest conditions that may apply to functions such as statutory or government purposes, preventing or detecting unlawful acts, or safeguarding children and vulnerable adults.
To rely on this ground, you must:
- Identify which specific Schedule 1 condition applies to your processing
- Demonstrate the public interest is real and of substance, not vague or generic
- Justify why the processing is necessary for that substantial public interest on a case-by-case basis
- For most conditions, have an Appropriate Policy Document in place
- For some conditions, explain why explicit consent is not appropriate
Health or social care
Processing may be necessary for purposes including preventive or occupational medicine, assessing an employee’s working capacity, medical diagnosis, provision of health or social care, or management of health or care systems. This relies on Article 9(2)(h) and Schedule 1, Part 1, paragraph 2 of the Data Protection Act 2018.
It is vital to understand that simply claiming one of these grounds is not enough. You must be able to demonstrate exactly how your processing meets the specific requirements of the condition you are relying on, including any additional safeguards required by UK law.
| Legal Ground | Article 9 Condition | Key Requirements |
|---|---|---|
| Employment, social security and social protection | Article 9(2)(b) + Schedule 1, Part 1, para 1 | Necessary for statutory obligations/rights; Appropriate Policy Document required; Less intrusive alternatives must not be available |
| Vital interests | Article 9(2)(c) | Life-or-death emergency only; Data subject physically/legally incapable of consent |
| Substantial public interest | Article 9(2)(g) + Schedule 1, Part 2 | Specific Schedule 1 condition applies; Public interest is real and substantial; Appropriate Policy Document usually required |
| Health or social care | Article 9(2)(h) + Schedule 1, Part 1, para 2 | Necessary for health/social care purposes; Appropriate Policy Document required |
Practical Steps for UK Companies to Ensure Compliance
Knowing the rules is one thing, but how do you apply them in your daily operations? For UK companies using biometric systems, such as time and attendance solutions, taking practical steps to manage data protection risks is essential for GDPR compliance. Failing to comply with these legal requirements can expose your business to significant penalties and reputational damage.
The first step is to be proactive. Before you even begin processing biometric data, you must assess the potential impact on individuals’ privacy. Key actions include conducting a Data Protection Impact Assessment (DPIA) and implementing strong security measures. The following sections will detail how to carry out these critical tasks.
Data Protection Impact Assessments (DPIA) for Biometric Data
A Data Protection Impact Assessment (DPIA) is a mandatory process under UK GDPR for any processing likely to result in a high risk to individuals. Given its sensitive nature, the processing of biometric data for the unique identification of a natural person almost always requires a DPIA. This assessment helps you identify, understand, and minimise data protection risks before a project begins.
A thorough DPIA should systematically evaluate your proposed processing of biometric data. Key components include:
- A detailed description of the processing operations and their purposes.
- An assessment of why the processing is necessary and proportionate.
- An evaluation of the risks to individuals’ rights and freedoms.
- The measures you plan to put in place to address those risks.
Completing a DPIA is not just a box-ticking exercise. It is a vital tool for ensuring your project is compliant and for demonstrating accountability to the Information Commissioner’s Office (ICO). If you identify high risks that you cannot mitigate, you may need to consult the ICO or seek further legal advice.
Implementing Robust Safeguards and Security Measures
Protecting biometric data from unauthorised access or a breach is a top priority. Your organisation must implement appropriate technical and organisational measures to ensure its security. Failing to do so can result in severe penalties and a loss of trust.
Data minimisation is a core principle of data protection. You should only collect the biometric data that is absolutely necessary for your specified purpose. In addition to this, robust security measures are essential. Consider implementing:
- Encryption to protect data both while stored and during transmission.
- Strong access controls to ensure only authorised personnel can view or handle the data.
- Anonymisation or pseudonymisation techniques where possible to reduce risks.
These technical safeguards should be supported by strong organisational measures, such as regular staff training on data protection policies and procedures. This comprehensive approach is your best defence against security incidents.
Individual Rights and Biometric Data Under UK GDPR
The UK GDPR is not just about placing obligations on organisations; it also grants powerful individual rights to people over their personal data. When it comes to biometric data, these rights are particularly important. They empower individuals to maintain control over their most sensitive information, from requesting access to demanding its erasure.
As a business, you have a legal duty to uphold these rights. This means having clear and efficient processes in place to respond to individuals’ requests. Respecting these rights is a cornerstone of good data protection practice and is essential for building a transparent and trustworthy relationship with your customers and employees.
Rights of Access, Erasure, and Restriction
Under data protection rules, every data subject has several key rights concerning the processing of their biometric data. The right of access allows an individual to request a copy of the biometric data you hold about them, along with information on how you use it. You must typically respond to this request within one month.
The right to erasure, also known as the ‘right to be forgotten’, allows individuals to request the erasure of their data under certain circumstances. For example, they can ask for their data to be deleted if it is no longer necessary for the purpose for which it was collected, or if they withdraw their consent.
Additionally, individuals have the right to restrict processing. This means they can ask you to temporarily stop using their data, perhaps while you are verifying its accuracy or if they have objected to the processing. Your organisation must be prepared to handle these requests promptly and fairly.
Conclusion
In summary, understanding and complying with the UK GDPR on biometric data is crucial for British companies. The complexities surrounding biometric data demand careful consideration, from obtaining explicit consent to ensuring robust security measures are in place. By implementing practical steps, such as conducting Data Protection Impact Assessments and respecting individuals’ rights, you can navigate these regulations effectively. Prioritising compliance not only protects your organisation from potential legal issues but also builds trust with your customers.
If you’re looking for more detailed guidance on how to ensure compliance or have specific questions about biometric data processing, don’t hesitate to reach out for assistance.
Frequently Asked Questions
What are the main risks of processing biometric data?
The main risks of processing biometric data stem from its unique and permanent nature. Unlike a password, it cannot be changed. This elevates the risks of harm from data breaches, leading to potential identity theft or fraud. Due to this, it is considered special category data requiring higher data protection standards.
What should companies do if a biometric data breach occurs?
If a biometric data breach occurs, you must act quickly. You must report the breach to the UK’s supervisory authority, the ICO, within 72 hours of becoming aware of it. You should also take immediate organisational measures to contain the breach and seek legal advice to manage your response effectively.
How do data protection principles apply to biometric data?
Data protection law principles apply strictly to biometric data. This includes data minimisation, meaning you should only collect what is necessary. You must be transparent with the data subject about why you are processing their data and only use it for that specific purpose, in line with all privacy laws.