Biometrics is a promising and reliable way to identify a person. There is no need to present documents or cards: the physical presence of the person is enough. Biometric systems are built into phones and are beginning to be used in banks. However, there are risks: unlike a password, a face or a voice cannot be changed after a leak, so stolen biometric data can give attackers lasting access to operations on behalf of the victim. For that reason the storage of this information is subject to particularly stringent requirements. In this article we look at the legislative framework that applies to biometrics in Russia.
The primary law regulating the storage and processing of personal data, Federal Law No. 152-FZ "On Personal Data", appeared in 2006. Since then it has been significantly supplemented (last revision of 07/02/2021). Article 11 of this law defines biometric personal data as information that characterizes the physiological (a later amendment added "and biological") features of a person and makes it possible to establish his or her identity.
A further clarification established that operators may process biometric data only with the written consent of the person. There are exceptions listed in the law itself: consent is not required, for example, where processing is carried out under counter-terrorism legislation or in connection with the administration of justice.
The law also requires biometric data to be protected from:
- Unauthorized or accidental access
- Destruction or modification
- Unlawful disclosure (providing access to them to third parties)
Later, standardization followed at the international level, covering fingerprints, DNA data and facial images. In 2008, a government resolution approved requirements for the physical carriers of biometric personal data (PD) and for the technologies used to store such data outside information systems.
What Does The Law Say?
Voice recordings and facial images of citizens may be used to identify them. State bodies and banks have the right to collect and process biometric data.
Thanks to this, a person who has once visited, for example, a bank branch and registered biometric samples (face and voice) can in future be identified by them without presenting additional documents.
The collected data is stored for up to 50 years, but a sample may be used for identification only during the first three years after collection. After that period expires, the samples must be re-registered.
Data is collected only in the personal presence of the subject, and the samples are stored in a single PD information system.
The storage of biometric data must minimize:
- Risks arising when biometric data is collected
- Risks arising when requests are processed and the data is handled
- Threats that arise during remote identification
To reduce these risks, operators must:
- Record all actions of operators
- Use only certified means of protection
- Issue electronic signature keys to operators
- Report all incidents to the Central Bank
Fines and other penalties are provided for non-compliance with the rules for working with PD.
Requirements For Organizations
Organizations involved in the collection, processing and storage of biometric data are subject to the following requirements:
- Access to the data must be available only to authorized persons
- Re-recording (overwriting) of biometric PD outside the information system must be prevented
- An electronic signature must be used to detect unauthorized changes and preserve the integrity and authenticity of the data (a signature does not by itself protect confidentiality; that is what the encryption requirement below addresses)
- Written consent of the person to the processing and storage of the PD must be on hand
- Cryptographic means of protecting the data must be used in accordance with the legislation of the Russian Federation, i.e. certified means
- If the data is stored outside the PD information system, the carrier must register any attempt at unauthorized re-recording or additional recording of information after the data has been extracted from the information system
Many of these requirements are difficult for companies to implement on their own. An alternative is to use a provider offering a secure cloud that complies with 152-FZ.
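The signature and audit requirements above can be illustrated with a small program. The example below is added here and is not code from the article or from any regulator: it signs a constructed biometric record with an operator's key before it is written to an external carrier, verifies it on the way back, logs every signing and verification attempt, and shows that a template overwritten on the carrier without re-signing is detected and registered. The record layout (SubjectID, Modality, Template, OperatorID) and the in-memory audit log are assumptions for illustration. It uses Ed25519 from the Go standard library for the signature; the Russian rules require certified (GOST-based) signature and encryption means, so a real deployment would substitute a certified library and key store.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// BiometricRecord is a constructed example of what an operator might write to a
// physical carrier outside the PD information system. The field names are
// assumptions for illustration, not a format prescribed by the regulations.
type BiometricRecord struct {
	SubjectID   string    `json:"subject_id"`
	Modality    string    `json:"modality"`     // e.g. "face" or "voice"
	Template    []byte    `json:"template"`     // the biometric sample itself (constructed bytes here)
	CollectedAt time.Time `json:"collected_at"` // collection happens in the subject's presence
	OperatorID  string    `json:"operator_id"`  // operator whose signature key signed the record
}

// SignedRecord couples the canonical JSON encoding of a record with the
// operator's electronic signature over it. Changing any byte of the payload
// (template, subject, date, operator) invalidates the signature.
type SignedRecord struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// AuditEvent models the "record all operator actions" requirement: every
// signing and every verification, successful or not, is logged. A failed
// verification is how an unauthorized re-recording of the carrier gets registered.
type AuditEvent struct {
	At       time.Time
	Action   string // "sign" or "verify"
	Operator string
	OK       bool
	Detail   string
}

// auditLog is an in-memory stand-in for the operator's action log (assumption;
// a real system would write to append-only, protected storage).
var auditLog []AuditEvent

func logEvent(action, operator string, ok bool, detail string) {
	auditLog = append(auditLog, AuditEvent{At: time.Now(), Action: action, Operator: operator, OK: ok, Detail: detail})
}

// Sign canonicalizes the record as JSON and signs it with the operator's private key.
func Sign(rec BiometricRecord, priv ed25519.PrivateKey) (SignedRecord, error) {
	payload, err := json.Marshal(rec) // struct fields are encoded in declaration order, so this is deterministic
	if err != nil {
		logEvent("sign", rec.OperatorID, false, err.Error())
		return SignedRecord{}, err
	}
	sig := ed25519.Sign(priv, payload)
	logEvent("sign", rec.OperatorID, true, "record signed for external carrier")
	return SignedRecord{Payload: payload, Signature: sig}, nil
}

// Verify checks the signature with the operator's public key and only then
// decodes the record. A failed check is logged as a suspected re-recording and
// the record is rejected rather than used for identification.
func Verify(sr SignedRecord, pub ed25519.PublicKey, operator string) (BiometricRecord, error) {
	if !ed25519.Verify(pub, sr.Payload, sr.Signature) {
		logEvent("verify", operator, false, "signature invalid: carrier contents altered after extraction")
		return BiometricRecord{}, errors.New("integrity check failed")
	}
	var rec BiometricRecord
	if err := json.Unmarshal(sr.Payload, &rec); err != nil {
		logEvent("verify", operator, false, err.Error())
		return BiometricRecord{}, err
	}
	logEvent("verify", operator, true, "record accepted")
	return rec, nil
}

// TamperCarrier simulates someone overwriting the template on the carrier
// without access to the signing key: the payload changes, the old signature stays.
func TamperCarrier(sr SignedRecord, newTemplate []byte) SignedRecord {
	var rec BiometricRecord
	_ = json.Unmarshal(sr.Payload, &rec)
	rec.Template = newTemplate
	payload, _ := json.Marshal(rec)
	return SignedRecord{Payload: payload, Signature: sr.Signature}
}

// Demo runs the full cycle: sign, verify the genuine carrier, then verify a
// tampered one. It returns whether the genuine record was accepted, whether the
// tampering was detected, and how many audit events were written (expected: 3).
func Demo() (accepted bool, tamperDetected bool, events int, err error) {
	auditLog = nil
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, 0, err
	}
	rec := BiometricRecord{
		SubjectID:   "subj-0001",
		Modality:    "face",
		Template:    []byte("constructed face template bytes"), // constructed sample, not a real template
		CollectedAt: time.Date(2021, 7, 2, 10, 0, 0, 0, time.UTC),
		OperatorID:  "op-17",
	}
	sr, err := Sign(rec, priv)
	if err != nil {
		return false, false, len(auditLog), err
	}
	got, err := Verify(sr, pub, "op-17")
	accepted = err == nil && bytes.Equal(got.Template, rec.Template)

	bad := TamperCarrier(sr, []byte("attacker-substituted template"))
	_, err = Verify(bad, pub, "op-17")
	tamperDetected = err != nil
	return accepted, tamperDetected, len(auditLog), nil
}

func main() {
	accepted, tampered, n, err := Demo()
	fmt.Printf("genuine accepted=%v tamper detected=%v audit events=%d err=%v\n", accepted, tampered, n, err)
	for _, e := range auditLog {
		fmt.Printf("%s %-6s op=%s ok=%v %s\n", e.At.Format(time.RFC3339), e.Action, e.Operator, e.OK, e.Detail)
	}
}
```

Note that the signature covers the whole record, including the operator identifier and collection date, so swapping a template between two subjects or back-dating a sample is caught just like an edited template. The failed verification is written to the audit log before the record is rejected, which is the "register the fact of re-recording" step; confidentiality of the template on the carrier is a separate concern handled by the encryption requirement, not by the signature.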