The Catalan Data Protection Authority (Autoritat Catalana de Protecció de Dades) has sanctioned the Universitat Oberta de Catalunya for collecting biometric data from its students through face recognition, used to verify that the person sitting an exam was the enrolled student and not somebody else.
However, what limits apply to the processing of biometric data, and what requirements must be met?
In this article we will discuss...
What is biometric data?
Biometric data is personal data resulting from the technical processing of a person's unique physical, physiological or behavioural characteristics, which makes it possible to verify that someone is who they claim to be.
These characteristics may be physical, physiological or behavioural. They allow a natural person to be identified by technological systems such as fingerprint, face or voice recognition, among others.
A person's body carries innumerable unique and sensitive traits, which are captured, encoded and stored for later use in identification processes.
Legitimacy of face recognition
Deploying a face recognition system opens a dilemma between the interest of the State in public safety and the individual rights of the citizen.
The GDPR, specifically in Article 9, regulates the processing of special categories of personal data.
Biometric data processed for the purpose of uniquely identifying a natural person is one of these sensitive categories, and its processing is prohibited unless one of the exceptions in Article 9(2) applies, among them:
- The explicit consent of the data subject.
- The processing is necessary for reasons of substantial public interest, on the basis of a law.
In view of this, the AEPD (Spanish Data Protection Agency) has stressed that a proportionality assessment must precede any reliance on public interest as a legal basis.
According to art. 9.2 of the Spanish Data Protection Law (LOPDGDD), processing of biometric data justified by public interest must be provided for in a rule with the rank of law.
Therefore, for the processing of biometric data to be proportionate and lawful, the following requirements must be met:
- A legal basis that legitimises the use of the face recognition system (an employment contract, a duly justified legitimate interest or a public interest).
- An assessment of whether the use of the system is proportionate and appropriate, that is, confirmation that there is no other effective measure, less invasive of the privacy of those affected, that achieves the same purpose.
- A data protection impact assessment of the processing operation in relation to its ultimate purposes.
- Technical and organisational security measures that ensure the confidentiality, integrity and availability of the biometric data.
- Inclusion of the use of the face recognition system in the record of processing activities.
If these requirements are not fulfilled, the use of the face recognition system will be considered disproportionate and invasive of the data subjects' privacy.
Sanction against a Catalan university for face recognition in exams
In the resolution sanctioning the Catalan university that used a face recognition system on its students, the authority determined that the processing of the students' biometric data was not covered by any of the exceptions contained in the GDPR.
It considered that the proportionality test between the measure adopted and the fundamental rights involved had not been passed.
Moreover, it added that there are other less invasive and intrusive methods to control and prevent academic fraud:
“This system does not comply with the principle of lawfulness of processing imposed by the Data Protection Regulation, and there are other lawful measures that are less intrusive and equally suitable for the prevention of academic fraud.”
Several students filed complaints against the university for using the face recognition system when they sat an exam.
The university argued that most of its subjects could be passed without a final exam, the only setting in which the face recognition test was performed, so many students were never subjected to the biometric system.
It maintained that the use of the system was proportionate and adequate to verify the identity of each student sitting an exam.
It also stated that the system was needed to compare the face captured with the photograph on the student's ID card, as well as with the various images captured of the student during the exam.
Finally, the Catalan Data Protection Authority sanctioned the university with a fine of €20,000.
From Auratech, we are at your disposal.