Biometrics are Subject to Privacy Protection
Privacy is one of those topics that causes senior leadership to glaze over and lose focus. And yet, the stakes for not treating personal data correctly could not be higher. In case the definition of what comprises personal information isn’t dizzying enough, enter biometrics. Your fingerprints, iris, palm prints and facial characteristics are all biometrics and a part of your personal data.
Illinois’s Biometric Information Privacy Act has led to some harsh lessons on the importance of the proper collection and handling of fingerprints and other biometric data. When a jury awarded $228 million from railroad giant BNSF Railway Co. to truck drivers whose fingerprints were scanned without proper consent, it highlighted how important it is for organizations to align how they capture biometric data with their privacy compliance programs.
Processes like a security access control system intended to restrict access to secure facilities, or the use of facial recognition to unlock an app on a smartphone, are no different than collecting someone’s social security number when it comes to the need to obtain consent, provide notice and properly secure and store biometric information. It starts with an organization’s training and raising awareness on the importance of data privacy and the potentially devastating consequences of privacy violations.
Like many categories of compliance, it is important to have a clear understanding of the risks that are nuanced to the organization in order to mitigate those risks. In data privacy, it’s about what personal data is being collected, from whom, why it is being collected, what rights these individuals have and what steps the organization is taking to secure it.
Once that information has been gathered and examined in detail, it can then be assimilated into the privacy compliance program. Like most categories of compliance, communication and training are central to the goal of the program taking root and influencing organizational behavior. Many compliance programs give short shrift to training and communications on privacy compliance. In order for a compliance program to be effective, its key messages need to be communicated clearly, frequently and through a variety of communication channels in order for those messages to have any positive impact on behaviors.