ARTICLE
27 February 2025

Eight Tips To Smoothly Implement Your Biometric System

F
Fasken

Contributor

Fasken is a leading international law firm with more than 700 lawyers and 10 offices on four continents. Clients rely on us for practical, innovative and cost-effective legal services. We solve the most complex business and litigation challenges, providing exceptional value and putting clients at the centre of all we do. For additional information, please visit the Firm’s website at fasken.com.
Biometrics, which involves using physical or behavioural characteristics to identify individuals, is increasingly being adopted in various industries to enhance the efficiency and security of business processes.
Canada Privacy

Biometrics, which involves using physical or behavioural characteristics to identify individuals, is increasingly being adopted in various industries to enhance the efficiency and security of business processes. However, it raises important privacy issues and is only rarely permitted.

This bulletin describes the requirements for implementing a system that uses biometrics and specifies the penalties for non-compliance.

Biometric characteristics—such as those extracted from one's hand shape (or "geometry"), facial photograph or fingerprint—are considered personal information because they make it possible to distinguish between different individuals. These characteristics are unique and unchangeable identifiers and naturally raise a high expectation of privacy.

What is a biometric system? See our bulletin Biometrics, Characteristics, Measurements, and Biometric Systems: Why They Must Be Differentiated?

Obligations

Before Collecting Biometric Data

1. Assess the necessity of collecting biometric data.

Issues frequently emerge at this stage. The use of biometrics, whether for securing access to the workplace, recording hours worked, taking temperature readings, or facilitating purchases, is rarely necessary.1

To justify the need to collect biometric data, an organization must meet both of the following criteria:

The purpose for which the information is collected must be legitimate, important and real.

  • The purpose must relate to a real problem, not just a perceived one. The Commission d'accès à l'information (the "CAI") observes that organizations rarely assess the situation leading to the decision to use a biometric system in a rigorous manner; in other words, the problem that led to this decision is rarely documented.2

The infringement of privacy must be proportional to the purpose.

  • Collection must be a proportional means of achieving this purpose. Practically speaking, this means that
  • the use of a biometric system must be an effective means of achieving the intended purpose;
  • the organization must prioritize less intrusive means of achieving that purpose;
  • the benefits of using a biometric system must outweigh any infringement of employee rights and the adverse consequences that may result from implementing such a system.3

Only one of the twelve reported cases analyzing the "necessity" of a biometric system found that the system was necessary and therefore legal.4 In practice, the necessity test can be difficult to apply. The sensitive nature of biometrics and the myriad of less intrusive solutions (e.g., using a PIN) account for these difficulties, at least in part.

Document the events and issues that justify the use of biometrics. Generally, an organization cannot implement a system "just in case," or simply because it's more convenient to do so.

2. Conduct a privacy impact assessment at the very beginning of the project, namely before data is collected during the enrollment stage.5

3. Disclose the biometric system to the CAI prior to implementation. If the system uses a centralized database, disclosure must be submitted "promptly and not later than 60 days before it is brought into service."6

To do this, the CAI recommends using the following declaration form, only available in French, Formulaire de déclaration d'une banque de caractéristiques ou de mesures biométriques.

4. Limit collection: only the biometric data needed to identify or authenticate an individual should be collected.

For example, collecting fingerprints from all ten fingers is not justified if only their right index fingerprint is sufficient.

When Collecting Biometric Data

5. Obtain express consent from affected individuals. Consent must be clear, free and informed and given for specific purposes.7

  • The CAI has posted a template consent form online (available in French only).
  • Provide an alternative option in case of refusal.8

Note that obtaining consent does not waive the necessity analysis (Tip #1).

After Collecting Biometric Data

6. Respect the purpose(s) identified in your consent form (e.g., recording hours worked). Otherwise, you will have to once again obtain express consent and assess the necessity of any new purpose that was not previously identified.

  • Any additional use of information extracted from previously collected biometric data is strictly prohibited. For example, facial recognition can give an indication of a person's emotional state at the time of capture—using this secondary information is strictly forbidden.9

7. Apply appropriate security measures. Because biometric data is sensitive personal information, it must be subject to enhanced protection.10

  • The CAI recommends, subject to certain exceptions, converting the image of the raw biometric data into a code (encryption), as well as using external, individual or portable storage media, under the control of the affected individual, to store the encrypted biometric characteristics or measurements.11
  • Avoid using a biometric system that stores data on a centralized database. Even if biometric data is encrypted, it is preferable for the organization to not be responsible for storing the data.

Destruction

8. All biometric data must be safely and irreversibly destroyed immediately after the stated purpose is fulfilled (e.g., after an employee leaves). Any notes and other ancillary information about an individual's biometric data (e.g., metadata) must also be destroyed.12

Penalties

Under the Act to Establish a Legal Framework for Information Technology, the CAI can issue orders regarding any biometric database.13 The CAI has already ordered the destruction of illegally collected biometric data.14 However, these powers do not appear to extend to biometric systems using decentralized data.

Given the sensitive nature of biometric data, using such data in any system is subject to the penalties provided under privacy laws, such as the Private Sector Act. A company, along with its officers, directors, and representatives, may be subject to penalties.15 In addition to general legal remedies, a company may be subject to the following consequences:16

1590208a.jpg

Since the implementation of the new penalty regime on September 22, 2023, the CAI has published only one investigation. This investigation concluded that a biometric system had been used illegally, but no sanctions were imposed.17 Whether this collaborative approach by the CAI will last remains uncertain.

Footnotes

1. Imprimeries Transcontinental inc, 2024 QCCAI 1024350-S ("Imprimeries"), Héritage Ébénisterie Architecturale inc, 2021 QCCAI 1023688-S ("Ébénisterie"), Les 3 Piliers Inc., 2020 QCCAI 1018507-S ("3 Piliers").

2. CAI, Constats sur les horodateurs, 2023 (available in French only).

3. Laval (Société de transport de la Ville de) c X., 2003 CanLII 44085 (CQ), Grenier c Centre hospitalier universitaire de Sherbrooke, 2010 QCCQ 9397, Synergie Hunt International inc. c Trinque Tessier, 2017 QCCQ 13747, 3 Piliers, supra note 1, Imprimeries, supra note 1, par 34.

4. Marché d'alimentation Marcanio et fils inc., 2021 QCCAI 1013956-S, par. 30ff ("Marcanio"), CAI, Réponse à une demande d'accès à l'information concernant les horodateurs biométriques, File AI-2324-196, 26 April 2024 (available in French only).

5. See the CAI Guide sur les ÉFVP and report template (both available in French only).

6. Disclose the biometric system to the CAI prior to implementation. If the system uses a centralized database, disclosure must be submitted "promptly and not later than 60 days before it is brought into service.

7. See CAI, Lignes directrices 2023-1 Consentement : critères de validité, 2023 (available in French only), and Act Respecting the Protection of Personal Information in the Private Sector, CQLR c P-39.1, ss 8 and 8.1 regarding informed consent ("Private Sector Act").

8. See Marcanio, supra note 4.

9. An Act to Establish a Legal Framework For Information Technology, CQLR c C-1.1, s 44 para 2 ("ALFIT").

10. Private Sector Act, supra note 7, s 10.

11. CAI, Rétablir l'équilibre, 2016, recommandation 37, p 105 (available in French only).

12. ALFIT, supra note 9, s 44 para 3.

13. Ibid, s 45 paras 2 and 3.

14. See Ébénisterie, supra note 1.

15. Private Sector Act, supra note 2, s 93.

16. See the CAI's general framework on penalties, Cadre général d'application des sanctions administratives pécuniaires (entreprises), 2023 (available in French only).

17. Imprimeries, supra note 1.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More