If an individual's biometric information is compromised or stolen, that individual could no longer use those biometrics to prove his or her identity. Therefore, unless stringent security measures are put in place, the digital storage of biometric data could present a real security risk for facilitating identity theft.
The use of biometric systems must comply with the European Convention on Human Rights and the Data Protection Directive. The relevant legislation in the UK is the Human Rights Act and the Data Protection Act (DPA). Under the Human Rights Act each of us is entitled to respect in our private life, including our life at the workplace.
Under the DPA, personal data is required to be processed fairly and for specific limited purposes. Two key principles come into play. First, the principle of proportionality, which means the interference with the private life of the individual must be justifiable by the benefits. Second, the principle of transparency, which means it must be clear how and why information is being used, and it must not be used beyond this without prior agreement.
It is possible to deploy biometrics in ways that do not breach the DPA, for example by justifying the processing on one of the grounds set out in the DPA. Organisations setting up biometric systems will need to be clear about the purpose of the system or scheme and consider carefully how data is collected, stored and accessed. Use of the biometric information will need to be proportionate to the benefits of the scheme.