Introduction

The following Best Practices are guidelines for privacy-sympathetic and privacy-protective deployment, providing institutions with an understanding of the types of protections and limitations commonly implemented. These Best Practices are meant to address the full breadth of biometric applications and technologies, from small-scale physical access to nationwide identification programs. Therefore, it is not expected that any deployment will be compliant with all Best Practices, and non-compliance with one or more Best Practices does not necessarily make a deployment privacy-invasive. If a certain deployment is not compliant, for example, with Best Practices relating to Scope and Capabilities, that deployment will need to comply with Best Practices relating to Disclosure, Auditing and Accountability in order to counterbalance this lack of compliance. It is helpful to think of these Best Practices as providing a wide range of checks and balances against potential privacy-invasive usage.

The categories of Best Practices are (1) Scope and Capabilities, (2) Data Protection, (3) User Control of Personal Data, and (4) Disclosure, Auditing, Accountability, Oversight.
Scope and Capabilities

- Scope Limitation. Biometric deployments should not be expanded to perform broader verification or identification-related functions than originally intended. Any expansion or retraction of scope should be accompanied by full and public disclosure, under the oversight of an independent auditing body, allowing individuals to opt out of system usage if possible.
- Establishment of a Universal Unique Identifier. Biometric information should not be used as a universal unique identifier. Sufficient protections should be in place to prevent, to the degree possible, biometric information from being used as a universal unique identifier. Universal unique identifiers facilitate the gathering and collection of personal information from various databases, and can represent a significant threat to privacy if misused.
- Limited Storage of Biometric Information. Biometric information should only be stored for the specific purpose of usage in a biometric system, and should not be stored any longer than necessary. Biometric information should be destroyed, deleted, or otherwise rendered useless when the system is no longer operational; specific user information should be destroyed, deleted, or otherwise rendered useless when the user is no longer expected to interact with the system. This also applies to templates generated during comparison attempts, such as a template generated in the verification stage of a 1:1 application.
- Evaluation of Potential System Capabilities. When determining the risks a specific system might pose to privacy, the system's potential capabilities should be assessed in addition to risks involved in its intended usage. Few systems are deployed whose initial operations are manifestly privacy-invasive. Instead, systems may have latent capabilities, such as the ability to perform 1:N searches or the ability to be used with existing databases of biometric information, which could have an impact on privacy. Although systems with the potential to be used in a privacy-invasive fashion can still be deployed if accompanied by proper precautions, their operations should be monitored: the maximum protections possible should be taken to prevent internal or external misuse.
- Collection or Storage of Extraneous Information. The non-biometric information collected for use in a biometric verification or identification system should be limited to the minimum necessary to make identification or verification possible. In most systems, personal information will already exist independently of the biometric information, such that there is no need to collect personal information again.
- Storage of Original Biometric Data. If consistent with basic system operations, biometric data in an identifiable state, such as a facial image, fingerprint, or vocal recording, should not be stored or used in a biometric system other than for the initial purpose of generating a template. After template generation, the identifiable data should be destroyed, deleted, or otherwise rendered useless. This is to prevent the storage of fingerprints and facial images as opposed to finger-scan and facial-scan templates.
Data Protection

- Protection of Biometric Information. Biometric information should be protected at all stages of its lifecycle, including storage, transmission, and matching. The protections enacted to protect biometric information may include encryption, private networks, secure facilities, administrative controls, and data segregation. The protections that are used within a given deployment are determined by a variety of factors, including the location of storage, location of matching, the type of biometric used, the capabilities of the biometric system, which processes take place in a trusted environment, and the risks associated with data compromise.
- Protection of Post-Match Decisions. Data transmissions resulting from biometric comparisons should be protected. Although these post-comparison decisions do not necessarily contain any biometric data, their interception or compromise could result in unauthorized access being granted to personal information. This protection is especially important in non-trusted environments such as the Internet.
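As an added illustration of the Post-Match Decisions point (example code, not part of the original Best Practices), the following shows a matcher wrapping its verdict in a keyed message that the relying party checks for integrity, freshness and replay before granting access. The shared key, the field names and the 30-second freshness window are assumptions for the example.

```python
import hmac
import hashlib
import json
import secrets
import time

# Constructed shared key between the matcher and the access-control point.
# Assumption for the example: provisioned out of band per deployment.
DECISION_KEY = secrets.token_bytes(32)
MAX_AGE_SECONDS = 30  # assumed freshness window for a decision


def _canonical(body: dict) -> bytes:
    # Stable encoding so both sides MAC exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_decision(subject_ref: str, matched: bool, key: bytes = DECISION_KEY, now=None) -> dict:
    """Matcher side. The message carries no biometric data: only an opaque
    subject reference, the verdict, a timestamp and a nonce, plus a MAC."""
    body = {
        "subject_ref": subject_ref,
        "matched": matched,
        "issued_at": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(16),
    }
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_decision(msg: dict, seen_nonces: set, key: bytes = DECISION_KEY, now=None) -> bool:
    """Relying-party side. Returns True only for an untampered, fresh,
    never-before-seen 'match'; any failure is treated as a non-match."""
    body = {k: v for k, v in msg.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg.get("mac", "")):
        return False  # altered in transit or forged
    now = now if now is not None else time.time()
    if abs(now - body["issued_at"]) > MAX_AGE_SECONDS:
        return False  # stale decision
    if body["nonce"] in seen_nonces:
        return False  # replay of a captured decision
    seen_nonces.add(body["nonce"])
    return bool(body["matched"])
```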
- Limited System Access. Access to biometric system functions and data should be limited to certain personnel under certain conditions, with explicit controls on usage and export set in the system. Multiple-user authentication can be required when accessing or exposing especially sensitive data. Any access to databases which contain biometric information should be subject to controls and strong auditing.
- Segregation of Biometric Information. Biometric data should be stored separately from personal information such as name, address, and medical or financial data. Depending on the manner in which the biometric data is stored, this separation may be logical or physical.
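As an added example (not from the original Best Practices) tying together the Segregation, Universal Unique Identifier and Limited Storage points above: templates live in their own table keyed only by a deployment-specific reference, that reference is an HMAC under a per-deployment key so the same person enrolled elsewhere gets an unrelated reference, and records carry a retention deadline after which they are purged. The key, table layout and field names are assumptions for the example.

```python
import hmac
import hashlib
import secrets
import time

# Constructed per-deployment key (assumption: held only by this deployment).
DEPLOYMENT_KEY = secrets.token_bytes(32)


def link_ref(person_id: str, key: bytes = DEPLOYMENT_KEY) -> str:
    """Opaque reference joining the PII and template tables. Because it is keyed,
    the template cannot serve as a universal identifier across deployments."""
    return hmac.new(key, person_id.encode(), hashlib.sha256).hexdigest()


class SegregatedStore:
    """Two logically separate tables: PII keyed by person id, templates keyed
    only by the deployment-specific reference (no names or ids alongside)."""

    def __init__(self):
        self.pii = {}        # person_id -> {"name": ..., "expires_at": ...}
        self.templates = {}  # link_ref -> template bytes

    def enroll(self, person_id: str, name: str, template: bytes, retention_seconds: int, now=None):
        now = now if now is not None else time.time()
        self.pii[person_id] = {"name": name, "expires_at": now + retention_seconds}
        self.templates[link_ref(person_id)] = template
        # The raw sample is never stored here; the caller discards it once the
        # template exists (Storage of Original Biometric Data).

    def template_for(self, person_id: str):
        return self.templates.get(link_ref(person_id))

    def delete_record(self, person_id: str) -> bool:
        """Render the person's biometric data unusable in this system."""
        removed = self.templates.pop(link_ref(person_id), None) is not None
        self.pii.pop(person_id, None)
        return removed

    def purge_expired(self, now=None) -> int:
        """Enforce retention: drop everyone whose expected interaction has ended."""
        now = now if now is not None else time.time()
        expired = [p for p, rec in self.pii.items() if rec["expires_at"] <= now]
        for p in expired:
            self.delete_record(p)
        return len(expired)
```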
- System Termination. A method should be established by which a system used to commit or facilitate privacy-invasive biometric matching, searches, or linking can be depopulated and dismantled. The responsibility for making such a determination may rest with an independent auditing group, and would be subject to appropriate appeals and oversight.
User Control of Personal Data

- Ability to "Unenroll". Individuals should, where possible, have the right to control usage of their biometric information, and the ability to have it deleted, destroyed, or otherwise rendered unusable upon request. This Best Practice is more applicable to opt-in systems than to mandatory systems. In certain public sector and employment-related applications there is a compelling interest for data to be retained for verification or identification purposes, such that the option of unenrollment would render the system inoperable.
- Correction of and Access to Biometric-Related Information. System operators should provide a method for individuals to correct, update, and view information stored in conjunction or association with biometric information. Failure to provide a means of updating personal information is inconsistent with basic privacy principles, and may lead to an increased likelihood of erroneous decisions.
- Anonymous Enrollment. Depending on operational feasibility, biometric systems should be designed such that individuals can enroll with some degree of anonymity. In web environments, where individuals can assume alternate identities through email addresses or usernames, there may be no need for a biometric system to know with whom it is interacting, so long as the user can verify his or her original claimed identity.
Disclosure, Auditing, Accountability, Oversight

- Third Party Accountability, Audit, and Oversight. The operators of certain biometric systems, especially large-scale systems or those employed in the public sector, should be held accountable for system use. As internal or external agents may misuse biometric systems, independent system auditing and oversight should be implemented. Depending on the nature of a given deployment, this independent auditing body can ensure adherence to standards regarding data collection, storage, and use.
- Full Disclosure of Audit Data. Individuals should have access to data generated through third-party audits of biometric systems. Biometric systems which may pose a potential risk to privacy should be monitored and audited by independent parties; the data derived from such oversight should be available to facilitate public discussion on the system's privacy impact.
- System Purpose Disclosure. The purposes for which a biometric system is being deployed should be fully disclosed. For example, if individuals are informed that a system is to be used for identity verification, it should not be used for 1:N identification. Without full disclosure of the purposes for which a system is being deployed, it is difficult to make informed assessments of the system's potential privacy impact.
- Enrollment Disclosure. Ample and clear disclosure should be provided when individuals are being enrolled in a biometric system. Disclosure should take place even if the enrollment templates are not being permanently stored, such as in a monitoring application. This includes employees enrolled in a facial-scan system through badge card pictures or driver's license photos, or telephone callers enrolled in a voice-scan system. Informed consent to the collection, use and storage of personal information is a requirement of privacy-sympathetic system operations.
- Matching Disclosure. Ample and clear disclosure should be provided when individuals are in a location or environment where biometric matching (either 1:1 or 1:N) may be taking place without their explicit consent. This would include facial-scan technology used in public areas and fingerprint information taken from employees.
- Use of Biometric Information Disclosure. Institutions should disclose the uses to which biometric data are to be put, both inside and outside a given biometric system. Biometric information should only be used for the purpose for which it was collected and within the system for which it was collected unless the user explicitly agrees to broader usage. There should be no sanctions applied to any user who does not agree to broader usage of his or her biometric information.
- Disclosure of Optional/Mandatory Enrollment. Ample and clear disclosure should be provided indicating whether enrollment in a biometric system is mandatory or optional. If the system is optional, alternatives to the biometric should be made readily available. Individuals should be fully aware of their authentication options; there should be no implication that enrollment in a given system is compulsory if it is optional.
- Disclosure of Individuals and Entities Responsible for System Operation and Oversight. As a precondition of biometric system operation, it should be clearly stated who is responsible for system operation, to whom questions or requests for information are addressed, and what recourse individuals have to resolve grievances.
- Disclosure of Enrollment, Verification and Identification Processes. Individuals should be informed of the process flow of enrollment, verification, and identification. This includes detailing the type of biometric and non-biometric information they will be asked to provide, the results of successful and unsuccessful positive verification, and the results of matches and non-matches in identification systems. Furthermore, in 1:N systems where matches may be resolved by human intervention, the means of determining match or non-match should be disclosed.
- Disclosure of Biometric Information Protection and System Protection. Individuals should be informed of the protections used to secure biometric information, including encryption, private networks, secure facilities, administrative controls, and data segregation.
- Fallback Disclosure. When available, fallback authentication processes should be available for individuals to review should they be unable or unwilling to enroll in a biometric system. These fallback procedures should not be punitive or discriminatory in nature.