Data Protection Authority Examines Banks' Use of Fingerprint Technology - International Law Office

Information Technology - Italy

April 22 2008


Introduction

The use of biometric data in Italy has grown rapidly in the past two years and such data is increasingly integrated into large-scale systems for drivers' licences, surveillance, health, identity cards and social benefits. The need for a single means of identification and transaction verification has emerged in various environments in both the public and private sectors.

In Italy, biometric data is used mainly for military and police applications and to control access to:

  • buildings (eg, banks, private corporations and public buildings);
  • restricted special-purpose sites (eg, research centres);
  • computer networks, computer terminals with internet access and other public or private IT facilities; and
  • financial networks and banking services.

Various research bodies and industries have focused particularly on:

  • fingerprint recognition;
  • measurement and superimposition techniques for facial image comparison using three-dimensional morphological analysis;
  • behavioural analysis;
  • infrared identification (IRID) recognition;
  • hand biometrics;
  • signature analysis (eg, speed, acceleration and the pressure and angle of the pen); and
  • characteristics of computer keyboard use (eg, pressure and typing speed).

At present, the most commonly used technology in Italy is fingerprint recognition technology, followed by face and IRID recognition technology.

Biometrics in Banking

In banking, biometric technology was originally developed for use in systems to control physical access to buildings. However, more recently such technology has also been used to control access to e-banking services.

As the Italian Banking Association's 2007 IT Report explains, the use of biometric technology in the Italian banking sector focuses on fingerprint technology. However, the use of fingerprints in a range of applications - and the use of biometrics generally - must be consistent with Italian privacy legislation. Particular legal problems arise in connection with banks' retention of biometric data.

Data Protection Authority's General Provisions

On October 27 2005 the Data Protection Authority adopted the General Provision on Limitations and Safeguards Applying to the Taking of Fingerprints and Personal Biometric Data by Banks. The general provision states that the taking of fingerprints should not “restrict... a bank customer’s freedom and dignity”. If access to the bank is controlled by a fingerprint system, the bank must ensure that a customer who objects to fingerprinting or is unable to comply with the requirement because of his or her personal circumstances can enter the bank by other means. Alternative precautions may be taken at the bank manager's discretion if necessary, but the customer may not be required to provide fingerprint data. The authority has stated that:

  • encrypted data relating to fingerprints and images may not be retained for longer than one week;
  • such data must be stored chronologically to allow for prompt retrieval and should be organized as appropriate by recording date;
  • a mechanism must be established to erase all information automatically when the prescribed term expires; and
  • the retention period may not be increased surreptitiously by the creation of back-up copies.

Recent Rulings

Following enquiries into the biometric systems used by certain large banking groups, the authority recently intervened in three cases to prevent the unlawful use of biometrics. The authority ordered the banks in question to comply with the provision’s procedure on using fingerprints and face recognition data to control access to buildings.

Among other things, the authority's decisions require the banks to:

  • use biometric data systems only in a manner which is proportionate to the aim of the procedure;
  • ensure that such systems are used only in connection with existing and definable risks to the relevant bank, agency or branch;
  • provide information on the location of biometric data equipment; and
  • install alternative entrances for customers and personnel.

The authority set the banks a deadline of March 14 2008 to evaluate the need to install biometric data systems in their branches and to cease or suspend data processing in connection with such systems.

In the case of certain banks, the authority considered that the use of fingerprints or face recognition systems to control access for bank personnel is disproportionate to the risks that the systems are supposed to address. The authority ordered the banks in question to provide separate or alternative access without biometric data recognition systems for customers who object to fingerprinting or are unable to comply because of their personal circumstances.

Some of the banks assessed by the authority failed to inform it of all of the biometric recognition systems installed or due to be installed in their buildings. The authority ordered the banks to comply with the seven-day retention period for data and images, and to implement the authority's rules on video cameras which are used to monitor automatic teller machines and other service areas.

Comment

The authority exercises particularly close control over the appropriate use of biometric data by banks because of the security implications in the sector. The level of control is arguably even stricter than that imposed elsewhere in the private sector - for example, the authority has previously authorized the use of a fingerprint access system for the personnel of a jewellery company.

The authority's interest in protecting privacy in banking must be set against the increasing use of biometric security systems in the sector and the growth of the biometric systems industry in Italy and the rest of Europe.

For further information on this topic please contact Francesca Besemer at Portolano Colella Cavallo Studio Legale by telephone (+39 06 3974 5437) or by fax (+39 06 3974 5400) or by email (fbesemer@portolano.it).

