Can biometrics secure the public's data?

Care with the legal issues is key...

With the furore over 25 million missing child benefit records, the public sector's use of personal data has never been under greater scrutiny. Addleshaw Goddard's Paul Bentham says biometrics may be hailed as the ultimate security measure - but the technology is not without hazards.

Ten years ago, it would have been unthinkable to have a society where bank cards had been replaced by iris identification, where passports were a thing of the past and school dinners were paid for using vein recognition.

It would have seemed very Blade Runner or 1984. Well, that future has most definitely arrived with the burgeoning popularity of biometrics. And - surprisingly for IT take-up - the public sector seems to be the first in line.

Biometrics refers to technological methods for distinguishing and recognising humans based on intrinsic physical or behavioural traits. These traits are used to identify people by certain characteristics that are either physiological - such as faces, fingerprints, irises, veins and DNA - or behavioural - such as voices, signatures and keystrokes.

There are numerous biometrics technologies, including fingerprint recognition, iris scans, face recognition, voice recognition and even vein and palm recognition.

And organisations can use biometrics in numerous ways. Integration with security systems is a key one, where a biometric measure in addition to standard measures can make systems as watertight as possible. Biometric solutions can also be used as a substitute for key cards: the idea is that workers simply have their retinas scanned to let them into the building or into restricted areas of the workplace.

Fingerprint or iris recognition is being used at some organisations to enable employees to log on to the network, thus ensuring only authorised employees can access certain parts of the network.

There was an incident at a hospital a few weeks ago where a celebrity's health records were illicitly viewed by 50 employees. Apparently, systems that support electronic patient records - a central part of the National Programme for IT (NPfIT) - produce audit trails of who has accessed what information. NHS chiefs hoped this would be a preventative measure to stop employees accessing things they shouldn't.

But do time-strapped NHS staff have time to police audit trails? It's doubtful. This incident could easily have been avoided if a biometric solution had been used to verify the identity of the personnel accessing the data.

There have also been reports of doctors sharing smart cards, to save logging on and off each time. Abuse of this nature makes it really difficult to trace exactly who has accessed the data and it is a system that will inevitably be prone to security breaches. Again, a biometric solution would be much safer.

The public sector is of course adopting biometrics in a number of ways, none of which is more high profile and controversial than the ID card scheme.

The scheme, which recent reports say will cost a breathtaking £5.6bn to set up and run over the next 10 years, will use 13 different biometrics, including 10 fingerprints and both irises and face. This information will be recorded when people apply for a card and stored in the new National Identity Register, as well as on their identity cards.

Despite tough criticism, the government argues the scheme will make identity fraud much harder. Ministers claim it could help to curb illegal immigration, stop large-scale financial fraud - anyone trying to make a big financial transaction would have their biometrics checked - and help to stem terrorist activities by hindering terrorists' use of false identities in money laundering and organised crime.

The scheme has come under harsh criticism, predominantly from civil rights organisations, the media and the opposition, over soaring costs and the threat of infringement of people's privacy.

But in a recent survey by Unisys, it seems that for the UK public, safeguarding personal data is absolutely crucial - out of eight EU nations, the British were the most concerned about data protection. Some 82 per cent thought it was acceptable for government agencies and banks to use biometrics to verify a person's identity.

This would imply the majority, whether they realise it or not, are in favour of the peace of mind and tightened security identity cards will bring.

And the government's use of biometrics in identity management extends beyond passports and workplace access. A school in Scotland has been the first in the UK to use palm vein authentication for paying for school meals.

The scheme is intended to make the school lunch experience more exciting for kids and make it much easier to recognise and speed through all the pupils in the lunch queue. It has also helped to dissolve the social barriers that exist in the school canteen, as there is no longer the need for meal tickets for children whose parents are on benefits or disability. The solution, developed by Yarg Biometrics and Fujitsu Services, has been a runaway success.

Government organisations are swiftly recognising the benefits biometrics can bring but the most crucial issues to do with this technology are the legal ones. And although there are evident advantages, biometrics does have its detractors and none more so than the civil liberty camp. This means the legal minefield has to be very carefully negotiated, particularly where employees, patients and students are concerned.

Data breaches are also an issue with biometrics. Organisations therefore have to ensure that all stored biometric data is absolutely airtight and as impervious to attacks and hacking as possible. This has to be very tightly bound from a contractual perspective, to protect people's data and the organisation from any fallout from data breaches.

Unfortunately, once a biometric is stored in digital form on a computer, any security offered by the biometric identification is at risk, because it can easily be copied from one computer to another.

If an individual's biometric information is compromised or stolen, that individual could no longer use those biometrics to prove his or her identity. Therefore, unless stringent security measures are put in place, the digital storage of biometric data could present a real security risk for facilitating identity theft.

The use of biometric systems must comply with the European Convention on Human Rights and the Data Protection Directive. The relevant legislation in the UK is the Human Rights Act and the Data Protection Act (DPA). Under the Human Rights Act each of us is entitled to respect in our private life, including our life at the workplace.

Under the DPA personal data is required to be processed fairly and for specific limited purposes. Two key principles come into play. First, the principle of proportionality, which means the interference with the private life of the individual must be justifiable by the benefits. Second, the principle of transparency - which means it must be clear how and why information is being used and it must not be used beyond this without prior agreement.

It is possible to deploy biometrics in ways that do not breach the DPA - for example, by justifying the processing on one of the grounds set out in the DPA. Organisations setting up biometric systems will need to be clear about the purpose of the system or scheme and consider carefully how data is collected, stored and accessed. Use of the biometric information will need to be proportionate to the benefits of the scheme.

If you compare the UK with Japan, for example, where biometrics are widely used, or Brazil, where they have been using fingerprint identification for voting in elections for years, there is still a lot to do in terms of educating organisations and the general public about the benefits of biometrics.

But careful and sensitive handling of the legal issues will help to allay any fears that the public will have and help organisations feel confident about integrating biometric technology. And if the legalities are taken care of, who knows what the biometrics future will hold.

Paul Bentham is a partner in the technology and outsourcing group at Addleshaw Goddard www.addleshawgoddard.com