Fingerprint readers and GDPR

Many of our clients have fingerprint clocking-in/out systems. Is this a GDPR problem? Specifically, GDPR Article 9 affords additional protection to sensitive data, or what GDPR calls a "Special Category of Personal Data". One of these categories is biometric data. GDPR Article 4(14) defines biometric data as "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data."

This must surely be the most difficult word in GDPR! Dactyloscopic. We had to look that up in a dictionary. Webster defines this as "identification by comparison of fingerprints." So, is a fingerprint reading access or attendance system collecting sensitive data?

Let's consider three points:

Firstly, several of the fingerprint reading systems we've seen do not actually store the user's fingerprint, but rather undertake a form of fingerprint tokenization. Here's how they work. When the employee - we'll call our sample employee Jan - initially inputs their fingerprint, the system does indeed scan the finger and immediately converts the scan into a digital image, but it does not store that image. It analyses the image and stores certain reference points derived by an algorithm. We'll call these the Reference Points. It is impossible to recreate the fingerprint from the stored data. When Jan then scans a finger in the morning as she goes into work, the system checks whether the image just captured matches any of the stored Reference Points; if there is a match, it knows that this is Jan and clocks her arrival.

At rest, then, the system does not store fingerprint data as such. It is true that it holds the scan transiently while the Reference Points are extracted or compared, and that in itself may be a GDPR problem. But it is a much smaller problem than storing fingerprint data.
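The enrol-then-confirm flow described above, as an added Python model that is not any vendor's code: a scan is represented only by the reference points an extraction step found (the sensor image is not modelled), and the points, tolerances and three sample scans are constructed for illustration.

```python
"""Model of a tokenising clocking-in reader: only Reference Points are kept per employee."""
import math

# Constructed sample data. A scan is modelled as the reference points (x, y, angle in
# degrees) an extraction algorithm found in the sensor image; the image itself is not kept.
JAN_ENROLMENT_SCAN = [(12, 40, 30), (55, 18, 120), (70, 88, 200), (33, 64, 300), (90, 45, 15)]
# A later scan of the same finger: slightly shifted coordinates and one point not detected.
JAN_MORNING_SCAN = [(13, 41, 28), (56, 17, 124), (72, 86, 195), (91, 44, 18)]
# A different person's finger.
STRANGER_SCAN = [(5, 5, 90), (60, 60, 180), (20, 80, 270), (80, 20, 0)]

POSITION_TOLERANCE = 4   # pixels the same point may move between two scans
ANGLE_TOLERANCE = 10     # degrees the same point's angle may differ
MATCH_THRESHOLD = 0.6    # fraction of stored Reference Points that must be found

def _angle_diff(a, b):
    d = abs(a - b) % 360
    return min(d, 360 - d)

def point_matches(p, q):
    """True when two reference points agree within the sensor tolerances."""
    return math.dist(p[:2], q[:2]) <= POSITION_TOLERANCE and _angle_diff(p[2], q[2]) <= ANGLE_TOLERANCE

def match_score(scan, template):
    """Fraction of stored Reference Points for which the new scan has a matching point;
    each scan point may be used at most once."""
    unused = list(scan)
    hits = 0
    for t in template:
        for s in unused:
            if point_matches(s, t):
                hits += 1
                unused.remove(s)
                break
    return hits / len(template)

def enrol(store, employee, scan):
    """Keep only the Reference Points under the employee's name; nothing else is retained."""
    store[employee] = tuple(scan)

def identify(store, scan):
    """Return the employee whose stored Reference Points best match the scan, or None.
    This is the 'confirm the unique identification' step: the scan is compared, never stored."""
    best = max(store, key=lambda e: match_score(scan, store[e]), default=None)
    if best is not None and match_score(scan, store[best]) >= MATCH_THRESHOLD:
        return best
    return None
```
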

Second, note the language of Article 4(14); the definition stipulates data which "allow or confirm the unique identification" of an individual. This suggests that fingerprint data need not in itself identify a person, but may be used to confirm their identity. Systems such as the one described above seem to do exactly that - they 'confirm the unique identification' of an individual.

Third, dactyloscopic data is just one of the examples of biometric data. Data that relates to the physical characteristics of a natural person is biometric data. Reference Points do seem to relate to 'physical characteristics of a natural person'. On reflection, though, it may be argued that Reference Points are an algorithmic representation of such characteristics, and as such are not themselves 'characteristics of a natural person'. This, we suggest, may bring fingerprint readers that do not store fingerprint scans outside of Article 9's protection of special categories of personal data.

