Biometric personal data, nuances and subtleties of processing




The use of biometrics as a method of identification dates back to the 19th century, when the British colonialists introduced the practice of identifying their Indian counterparts by fingerprints and palm prints. The method has since been refined, and it is still used today. In this article, we will try to figure out what counts as biometric data and what processing requirements arise for the operator when working with this category of personal data.



What is biometric personal data?



First, let's turn to the definition given in Art. 11 of 152-FZ "On Personal Data". Biometric personal data is information that characterizes the physiological and biological characteristics of a person, and which is used to establish the identity of the PD subject.



Based on the explanations of Roskomnadzor, physiological data include: fingerprinting data, the iris of the eyes, DNA tests, height, weight, as well as other physiological or biological characteristics of a person, including an image of a person (photograph and video), which make it possible to establish his identity.



For example, a color digital photographic image of the face of the passport holder is the biometric personal data of the document holder. This norm is enshrined in the RF PP No. 125 of March 4, 2010. Here we are talking about a chip inside the first page of a biometric passport (thanks to user t12589645 for corrections). At the same time, it is necessary to take into account the purpose that the operator pursues when processing personal data, but more on that later.



Features of processing biometric personal data



The first thing we see on opening Art. 11 of FZ-152: “Processing of biometric personal data can be carried out only with the written consent of the subject of PD, if the data are used to establish the identity of the subject.” This is the main difference in processing this category of PD. For the rest, the operator must be guided by the general requirements of 152-FZ for the organization of personal data processing.



There are a number of exceptions to this rule, when consent to the processing of biometrics is not required; they are given in Part 2 of Article 11. Written consent is not required in cases where data processing is carried out in connection with:

  • the implementation of international agreements on readmission;
  • the administration of justice and the execution of judicial acts;
  • obligatory state fingerprint registration;
  • the cases stipulated by the legislation of the Russian Federation on defense, counter-terrorism, transport security, anti-corruption, operational-search activity, etc.


In addition to Part 2 of Article 11, there are a number of exceptions regulated by other regulatory legal acts:



  1. Use of the image for state, public or other public interests. For example, such a case can include information (photo or video) related to the performance of their functions by officials and public figures. This exception is recorded in paragraph 25 of the Resolution of the Plenum of the Supreme Court of the Russian Federation No. 16 of June 15, 2010.
  2. The use of the image obtained when shooting in public places or at public events: meetings, concerts, sports competitions, etc. In this case, the image of the subject should not be the main object of use.
  3. The use of photographs and videos for which the citizen received payment. This and the previous paragraph are regulated by Article 152.1 of the Civil Code, "Protection of the image of a citizen".


If the image of a citizen is obtained or used without his consent and is distributed on the Internet, the citizen has the right to demand the removal of this image, as well as the suppression or prohibition of its further distribution.



Purpose of processing biometric personal data



At the beginning of the article, we put forward the statement that it is important to take into account the purpose of processing biometric personal data. Let's try to figure out why this is so important. To do this, let's return to the Roskomnadzor explanations and the very definition of biometric PD:

"Biometric personal data is information that characterizes the physiological and biological characteristics of a person, and which is used to establish the identity of the PD subject."

The key point here: "used to establish the identity of the subject of PD". In other words, if the operator uses a passport to determine the identity of the owner of the document, then such processing must strictly comply with the requirements of Article 11 of the Federal Law "On Personal Data". Let's break it down with examples:



Your organization uses an access control system (ACS): it can be a timeformer or an "analog" version in the form of an employee who compares the photo from the database with the one on your pass or passport. In this case, photographs are used, which are biometric data characterizing physiological features, and the purpose of the processing is to determine the identity of the person presenting the pass. According to Roskomnadzor's explanations, the use of photographs and other biometric data (fingerprints, etc.) to ensure single and/or multiple access to the protected area is processing of biometric personal data. This procedure should only be carried out with written consent.



Example of improper processing of biometric personal data






Let us refer to the Ruling of the Supreme Court of the Russian Federation dated 05.03.2018 No. 307-KG18-101.

Following the inspection, Roskomnadzor issued an order to the organization (pool) demanding to stop using customer photos on passes. The violation consisted in the absence of a separate written consent of visitors to the processing of their biometric data, namely photographs.



The arguments given by the operator of personal data, namely that:

  • visitors gave general consent to the processing of PD;
  • visitors voluntarily attached photos to their passes;
  • PP of the Russian Federation No. 125 does not mention a photo on paper, but only speaks of a "color digital photographic image";

did not convince the judges, and the requirements of the order remained valid.



Correct goals for processing biometric personal data



Let us return to the explanations of Roskomnadzor, which describe cases where biometric data can be processed in accordance with the general requirements of the Federal Law "On Personal Data". For example, you come to a bank or clinic, where they may also ask you for a passport and scan it or make a copy. But in this case, the goal will be to confirm that the actions are performed by a specific person (concluding an agreement for the provision of services, banking, communication services, etc.) without conducting identification procedures. Such actions will no longer be classified as processing biometric personal data. Accordingly, data processing must be carried out in accordance with the general requirements established by FZ-152.



It is quite a fine line, but at the same time a very significant point that can lead to penalties.



Employee's personal file



Likewise, a photograph of an employee stored in a personal file and the employee's signature are not biometric personal data, because all actions that the employer performs using data from a personal file are aimed at confirming that the data belong to a specific individual. In this case, the identity of the employee has already been determined and the employer already has his personal data.



In this case, keeping a copy of the passport is considered an offense, because Article 65 of the Labor Code of the Russian Federation does not define a list of personal data stored by the employer, but determines the list of data that the employee presents when concluding an employment contract. These include, in particular, the passport, as an identity document. Keeping a copy of the passport can be classified as excessive in relation to the stated purposes of processing. Here, as an example, I will cite a case from the cassation instance of the North Caucasian District.



Filming in public places






If video is being recorded in a protected area or in public places, these data cannot be considered biometric PD either, since the owner of the video camera does not use them to identify a specific person. These data can become biometric if transferred to law enforcement agencies and if the transmitted video materials are used to determine the identity of a particular individual.



What should the operator pay attention to when organizing such video filming?



In this case, the operator must inform the visitors that photo and video filming is being carried out in this place. It can be a text plate or a specialized sticker; there are no special requirements for design. If you have fulfilled this simple requirement, then the consent of visitors to such filming is not required.



If you have installed video surveillance in the work premises, do not forget to inform the employees about it. They must be notified against signature. This requirement is enshrined in the Labor Code of the Russian Federation, Art. 74, and consists in changing the terms of the employment contract.



The goals of the organization of video surveillance



I repeat: defining the processing goals is one of the key tasks of the operator, and the organization of video surveillance is no exception. Objectives must be determined in advance and have legal justification.



For example, if video surveillance is conducted in the office, then the goal may be: "Recording of possible illegal actions." In health care or food production, the goal may be: “Ensuring the rights of patients, clients or consumers”. Surely, when ordering pizza, you came across the opportunity to watch its preparation using webcams aimed at workplaces.



Moreover, this process should be reflected in the operator's internal documentation. A responsible person with access to the video surveillance system must be identified. This is usually confirmed by an order. In addition, it is necessary to provide for the procedure and terms of storage of videos, as well as the procedure for their deletion. Of course, do not forget about information signs.



The most important thing in one paragraph



Summing up, once again I would like to dwell on the most important points. Read Part 2 of Art. 11 of 152-FZ "On Personal Data" and, in all cases that do not fall under it, collect consent to the processing of biometric personal data in writing. Define processing goals in advance and stick to them strictly. Don't collect redundant information. If you do not know how to interpret this or that requirement of the law, refer to the Roskomnadzor clarifications or send them a written inquiry with your question.



A video about the most common mistakes in the registration of the Consent to the processing of personal data, as well as other useful materials on the topic "Personal data", can be viewed on the PDMaster YouTube channel.


