Ask the Expert

Do privacy regulations protect biometrics information?

As an HR professional, I've noticed that many infosec experts recommend biometrics -- particularly fingerprint recognition -- as a way to secure computer access and data. It would seem that employees' fingerprints or fingerprint templates should be subject to the same privacy rules as other sensitive personal data, but I do not see this issue being addressed from either the human resources or IT/IS arenas. What is your advice regarding the handling of biometric data as personal HR data?

    Requires Free Membership to View

Your first hunch is absolutely correct. Biometric data is still personal information and, as a result, should be treated with the utmost privacy and protected just like any employee data should be. Biometric data is unique and, in some circumstances, its unauthorized release can harm your employees.

But your HR and IT departments may have overlooked that fact since biometrics data doesn't look, act or feel like other personal information. Before allowing user access to a system, the various elements captured by a biometrics system -- fingerprints, voice prints, iris patterns or facial features -- all have to be converted to digital data that can be read by authentication hardware and software. Such digital data is often stored in directories like Active Directory, holding authentication profiles of users that are invisible and inaccessible to HR and IT staff.

Biometrics aren't foolproof though. If the digital data representing a biometric profile is stolen, or sniffed off an insecure network, it can sometimes be copied and reused, similar to how a stolen user ID and password is used. Malicious hackers can then gain access to the system.

On the other hand, biometric data is considered an authentication credential, like a user ID and password, and may not legally be considered personal information equivalent to a Social Security number or account number. You may want to consult your legal or compliance departments to get a precise read on pertinent legislation, like the Sarbanes-Oxley Act (SOX) or the Gramm-Leach-Bliley Act (GLBA), that affects employee records.

More information:

  • Get a glimpse of where biometric authentication is headed.
  • Learn which policies and standards can protect personal data.
  • This was first published in February 2007

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: