28 August 2025

Privacy Commissioner Of Canada Publishes Guidance On Biometrics

Torkin Manes LLP


Torkin Manes LLP is a full service, mid-sized law firm based in downtown Toronto. Our clientele ranges from public and private corporations, to financial institutions, to professional practices, to individuals. We have built our firm from the ground up—by understanding our clients’ business needs, being results-oriented, practical, smart, cost-effective and responsive.

Introduction

On August 11, 2025, the Office of the Privacy Commissioner of Canada ("OPC") released new guidance on the use of biometric technologies, including facial recognition, fingerprint scanning and voice identification. The guidance, developed for public institutions and private organizations, reflects growing concerns about the privacy risks of emerging biometric programs.

Biometric technology uses unique human characteristics to authenticate or identify individuals. There are two main types of biometric technologies: physiological (to do with body shape or structure) and behavioural (to do with a person's movements, characteristics, gestures or motor skills). While these tools may enhance efficiency and security, biometric information is highly sensitive: it is closely tied to an individual's body, stable over time, and difficult or impossible to change.

Biometric data raises serious privacy concerns: it can enable surveillance, expose individuals to identity theft or fraud, and reveal sensitive details such as health conditions, race, gender or familial ties. Against this backdrop, the OPC's guidance outlines key principles to help organizations navigate their legal obligations and the ethical considerations involved in handling biometric information.

Key Principles

The OPC guidance provides a framework for compliance and responsible deployment of biometric initiatives, which must be carefully assessed before implementation to ensure there is an appropriate purpose for the information's collection, use and disclosure. Whether in the public or private sector, organizations must ensure lawful authority, proportionality and meaningful privacy protections.

  1. Lawful Authority and Appropriate Purposes (Collection, Use and Disclosure)
    • The first step for organizations planning a biometric initiative involves ensuring the institution has lawful authority for the collection, use and disclosure of biometric information.
    • Public sector: Federal institutions must demonstrate lawful authority under the Privacy Act to collect biometric information. The information must directly relate to a government program or activity. Per subsection 5(2) of the Privacy Act, individuals whose information is being collected must be informed of the purpose of collection.
    • Private sector: Under the Personal Information Protection and Electronic Documents Act ("PIPEDA"), organizations must identify a legitimate need for using biometrics. The proposed biometric program should be effective, minimally intrusive and proportionate to its purpose. The OPC has cautioned against "no-go zones" of unreasonable data collection, including mass surveillance, collection likely to cause significant harm, and collection involving discriminatory treatment contrary to human rights laws.
  2. Consent
    • Consent must be valid, informed and meaningful. Individuals must be told what biometric information will be collected, why it is needed, who it may be shared with and any risks of harm.
    • Where biometrics are not integral to the service, alternatives must be offered (for example, providing a non-biometric method for customer authentication).
  3. Assessing Privacy Impacts (Necessity and Proportionality)
    Prior to launching a biometrics initiative, institutions should complete a privacy impact assessment. Organizations must show that biometric initiatives are:
    • Necessary for a specific, legitimate and defensible objective;
    • Effective and reliable in achieving that purpose;
    • Minimally intrusive, with no less invasive alternatives available; and
    • Proportional, ensuring that privacy impacts are commensurate to the benefits gained.
  4. Limiting Collection, Use and Retention
    Organizations should only collect and use the biometric characteristics strictly necessary for the noted purpose. This involves:
    • Favouring verification (one-to-one) systems over identification (one-to-many), where feasible;
    • Avoiding large, centralized biometric databases;
    • Avoiding the extraction of secondary information unless authorized by law or consent;
    • Limiting disclosure; and
    • Retaining biometric information only as long as necessary, ensuring secure destruction once no longer required.
  5. Safeguards
    Safeguards are protective measures that guard personal information against loss, theft or unauthorized access. Biometric information must be secured with physical, administrative and technical measures proportionate to its sensitivity. Best practices include:
    • Encryption during storage and transmission;
    • Regular penetration testing and vulnerability assessments;
    • Control of employee access; and
    • Breach reporting.
  6. Accuracy
    Errors in biometric recognition can lead to wrongful denial of services or misidentification, with disproportionate effects on marginalized groups. Best practices include:
    • Choosing technologies with appropriate accuracy rates;
    • Testing systems in real-world conditions and across demographic groups to minimize bias and discrimination;
    • Monitoring accuracy on an ongoing basis, as system updates can affect performance; and
    • Developing procedures for false positives and negatives, ensuring timely resolution and human review where decisions have significant consequences.
  7. Accountability
    Organizations remain responsible for biometric information under their control, even when using third-party service providers. The OPC has stressed that accountability cannot be outsourced. Obligations include:
    • Due diligence on service providers' practices;
    • Contracts and information-sharing agreements that embed privacy protections;
    • Clear governance structures, audit rights and breach response plans; and
    • Employee training and oversight.
  8. Openness and Transparency
    Transparency is central to building trust and ensuring accountability with biometrics systems. Organizations should:
    • Provide privacy notices to individuals whose biometrics are collected that explain the purpose, authority, risks and the right to submit a complaint to the OPC with privacy concerns;
    • Report consistently on biometric holdings;
    • Be transparent about transfers to service providers, especially if data crosses borders; and
    • Explain automated decisions made using biometrics.
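Item 6 above calls for testing across demographic groups and monitoring accuracy on an ongoing basis. The following Python example, added here and not part of the OPC guidance or this bulletin, shows one way to operationalize that: it computes per-group false match and false non-match rates from constructed one-to-one verification scores at a chosen accept threshold, and flags any metric whose worst-to-best disparity across groups exceeds a review ratio. The group labels, scores, 0.7 threshold and 2.0 ratio are all assumptions made for the illustration.

```python
"""Per-group error-rate check for a 1:1 biometric verification system (illustrative)."""

# Constructed sample: (demographic group, is_genuine_pair, comparison score in [0, 1]).
# Groups and scores are invented for this example, not output from any real system.
SAMPLE = [
    ("group_a", True, 0.92), ("group_a", True, 0.88), ("group_a", True, 0.65), ("group_a", True, 0.95),
    ("group_a", False, 0.20), ("group_a", False, 0.35), ("group_a", False, 0.72), ("group_a", False, 0.42),
    ("group_b", True, 0.81), ("group_b", True, 0.62), ("group_b", True, 0.58), ("group_b", True, 0.66),
    ("group_b", False, 0.30), ("group_b", False, 0.66), ("group_b", False, 0.15), ("group_b", False, 0.71),
]

def error_rates(records, threshold):
    """Return {group: {"FMR": ..., "FNMR": ...}} at the given accept threshold.
    FMR  = impostor pairs wrongly accepted / all impostor pairs (false positives).
    FNMR = genuine pairs wrongly rejected / all genuine pairs (false negatives)."""
    counts = {}
    for group, genuine, score in records:
        c = counts.setdefault(group, {"gen": 0, "fnm": 0, "imp": 0, "fm": 0})
        accepted = score >= threshold
        if genuine:
            c["gen"] += 1
            c["fnm"] += int(not accepted)
        else:
            c["imp"] += 1
            c["fm"] += int(accepted)
    return {g: {"FMR": c["fm"] / c["imp"], "FNMR": c["fnm"] / c["gen"]}
            for g, c in counts.items()}

def disparity_ratio(rates, metric):
    """Worst-to-best ratio of one error metric across groups.
    Returns 1.0 when no group has errors, inf when the best group has none but another does."""
    values = [r[metric] for r in rates.values()]
    lo, hi = min(values), max(values)
    if hi == 0:
        return 1.0
    return float("inf") if lo == 0 else hi / lo

def bias_flags(records, threshold, max_ratio=2.0):
    """Metrics whose across-group disparity exceeds max_ratio: a trigger for human review, not a verdict."""
    rates = error_rates(records, threshold)
    return sorted(m for m in ("FMR", "FNMR") if disparity_ratio(rates, m) > max_ratio)

if __name__ == "__main__":
    for grp, r in error_rates(SAMPLE, 0.7).items():
        print(f"{grp}: FMR={r['FMR']:.2f} FNMR={r['FNMR']:.2f}")
    print("review needed for:", bias_flags(SAMPLE, 0.7))  # ['FNMR']
```

Re-running the same check after each model or threshold update gives the ongoing monitoring the guidance asks for; a flagged metric is where the human-review procedures for false positives and negatives should start.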

Takeaways and Recommendations

The OPC's guidance makes clear that while biometrics offer security and convenience, their use demands heightened privacy vigilance. Biometric data is inherently sensitive; once compromised it cannot be changed the way a password can, so the harm is permanent. Organizations are strongly encouraged to ensure that the biometric programs they adopt are narrow in scope, legally authorized and subject to continuous oversight.

Organizations using biometric data should treat this guidance as essential reading. Although not legally binding, the guidance draws from past investigations and global best practices, offering clear expectations for lawful authority, meaningful consent and robust safeguards.

The authors would like to acknowledge Torkin Manes' Articling Student, Ilar Haydarian, for her invaluable contribution in drafting this bulletin.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
