
Do privacy regulations protect biometrics information?

Enterprise regulations protect sensitive employee information, but what about biometric data? In this SearchSecurity.com Q&A, identity management and access control expert Joel Dubin explains why your fingerprints, voice prints and other personal authentication data need to be treated with the utmost privacy.

As an HR professional, I've noticed that many infosec experts recommend biometrics -- particularly fingerprint recognition -- as a way to secure computer access and data. It would seem that employees' fingerprints or fingerprint templates should be subject to the same privacy rules as other sensitive personal data, but I do not see this issue being addressed from either the human resources or IT/IS arenas. What is your advice regarding the handling of biometric data as personal HR data?

Your first hunch is absolutely correct. Biometric data is still personal information and, as a result, should be treated with the utmost privacy and protected just like any employee data should be. Biometric data is unique and, in some circumstances, its unauthorized release can harm your employees.

But your HR and IT departments may have overlooked that fact since biometric data doesn't look, act or feel like other personal information. Before allowing user access to a system, the various elements captured by a biometric system -- fingerprints, voice prints, iris patterns or facial features -- all have to be converted to digital data that can be read by authentication hardware and software. Such digital data is often stored in directories like Active Directory, holding authentication profiles of users that are invisible and inaccessible to HR and IT staff.

Biometrics aren't foolproof, though. If the digital data representing a biometric profile is stolen, or sniffed off an insecure network, it can sometimes be copied and reused, similar to how a stolen user ID and password are used. Malicious hackers can then gain access to the system.

On the other hand, biometric data is considered an authentication credential, like a user ID and password, and may not legally be considered personal information equivalent to a Social Security number or account number. You may want to consult your legal or compliance departments to get a precise read on pertinent legislation, like the Sarbanes-Oxley Act (SOX) or the Gramm-Leach-Bliley Act (GLBA), that affects employee records.

More information:

  • Get a glimpse of where biometric authentication is headed.
  • Learn which policies and standards can protect personal data.

This was last published in February 2007
