The GDPR came into effect on 25 May 2018, introducing new obligations around the processing of personal data and enhancing the rights for individuals, in order to protect their personal data. This essentially means that any data which identifies an individual or which can be combined with other data to identify an individual counts as personal data.
With face recognition technology (FRT), the digital images, the fingerprint and any outputs (like reports and profiles) will all be personal data. Because FRT collects information about a person’s facial features, that information is classed as biometric data, which is labeled as “sensitive personal data.” The verbatim definition of biometric data in the GDPR is:
Biometric Data: means personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
Clearly, the GDPR breaks biometric information into two categories:
Physical Characteristics: facial features, fingerprints, iris characteristics, weight, etc.
Behavioral Characteristics: habits, actions, personality traits, quirks, addictions, etc.
Our facial recognition solution, FaceFirst, takes information security and the protection and privacy of customer personally identifiable information (PII) very seriously and follows software industry best practices. FaceFirst fully supports and abides by the data privacy principles established by applicable local privacy laws and regulations.
The FaceFirst platform is designed with privacy and security in mind, ensuring that PII and biometric information are collected and stored securely and with encryption. All the personal information stored in the FaceFirst system is protected, secured and isolated in multiple ways.
All enrollment images, biometric templates, and PII are stored in a single location on a FaceFirst server. We use either folder-level (EFS) or volume-level (BitLocker) encryption with at least AES 128-bit to encrypt and protect your data.
Access to all FaceFirst systems requires qualified credentials and rights. All access to the FaceFirst systems is done over secure networking (VPN/SSL/TLS). User passwords are stored using strong cryptographic algorithms with unique salts.
FaceFirst, the leading face recognition platform for retail and public safety, launched Mask-ID in 2018, a new privacy feature that helps individuals maintain anonymity within face recognition systems.
Mask-ID instantly blurs facial images without compromising match accuracy, helping individuals maintain anonymity within face recognition systems. This feature may be turned on by customer request.
All customer production databases that contain PII are considered sensitive. Access to sensitive data is restricted and protected using a broad set of security controls including, but not limited to, access control and encryption at rest.
FaceFirst uses whole-disk encryption and BitLocker, which are generally accepted and have an active development community with regular patching/upgrading. FaceFirst also uses the Trusted Platform Module (TPM) for better encryption security.