Natural Security Alliance issues privacy rules for biometric security
31 October 2014 10:24 GMT

Natural Security Alliance CEO Cédric Hozanne says his alliance wants to promote a new user experience for transactions

The Natural Security Alliance, a France-based international open source biometric standards-setting body, has released a set of privacy rules that advise how to best comply with data protection law when implementing biometrics.

The NSA first notes the accountability principle as defined by "Article 22 Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data".

In its rules, the NSA describes the obligation of the data controller to "adopt effective and appropriate measures to ensure the compliance of the treatment with data protection law", adding that the controller shall be able to prove that measures have been taken and implemented.

The rules point to the NSA’s Natural Security Standard, which complies with the “Privacy by Design principle” - this means that privacy issues have been taken into consideration from the design stage, before the implementation of technical measures, to mitigate risk.

“As has been observed by the Working Party 29, technical measures are not sufficient and must be completed with organizational measures,” writes the NSA.

Legality and legitimacy are two crucial requirements the treatment shall meet, writes the NSA in the code of conduct. The controller must obtain the consent of the data subject.

“To ensure the biometric authentication is not executed unwittingly, [these] Privacy Rules highlight the active role of the user. … The controller commits that the authentication results from a voluntary gesture of the user who places either his/her finger or his/her hand on the reader. … Natural Security technology shall not be used to track the user without his/her prior consent.”

The NSA rules state that the controller agrees at the enrolment to convert raw data into templates, and to only store and process them.

“At the enrolment biometric data should not be stored within the enrolment station but only transmitted to the personal device. Furthermore, the controller commits not to constitute a database with the biometric data”.

In addition, in the personal device the storage takes place in a secure environment in order to protect data from intrusion, destruction, accidental loss, unwilling disclosure, and unauthorized access.

Planet Biometrics discussed the NSA’s mission in detail in an interview earlier this month. 
