This document outlines the International Committee of the Red Cross’s (ICRC) policy on processing biometric data, ensuring adherence to ‘do no harm’ principles and data protection rules. It defines the scope, responsibilities, and guidelines for ethically managing biometric information. This policy provides practical guidance for ICRC staff, partners, and stakeholders involved in humanitarian operations.
Key Insights
Purpose and Scope
The policy’s purpose is to ensure that the processing of biometric data by the ICRC takes place in accordance with the principle of “do no harm”, the humanitarian imperative, the ICRC protection mandate, and the ICRC Rules on Personal Data Protection. It applies to all biometric data processed by ICRC staff and programs and extends to data processed by National Society staff and partners authorized by the ICRC.
Key Definitions
The policy defines key terms, including “Anonymization”, “Biometric data” (personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person), “Data Breach”, “Data Controller”, “Data Protection Impact Assessment”, and “Data Subject”.
Roles and Responsibilities
The ICRC acts as the Data Controller. The ICRC Directorate approves new cases and policy changes. Department Directors ensure compliance. The Data Protection Office (DPO) oversees the policy’s implementation. ICT Security staff ensure biometric IT solutions adhere to security standards. The Head of Delegation bears overall responsibility for biometric data processing in the field.
Legitimate Basis for Processing
The legitimate basis for processing biometric data includes “important grounds of public interest” (for humanitarian services) and the “legitimate interest of the ICRC” (to protect confidential information and provide token-based verification).
Specified Purposes for Processing
Approved use cases are: including fingerprints on travel documents, restricting access to secure ICRC premises, identifying human remains, tracing separated persons, and providing token-based verification credentials.
Data Protection Impact Assessment (DPIA)
A DPIA is required for new projects involving biometric data. The assessment must evaluate the risk of access requests from authorities and be regularly reviewed. Consultation with the Data Protection Office is required for new processing techniques or use cases.
Data Protection by Design and Default
New systems must be developed according to data protection by design and default. Legacy systems should be reviewed and enhanced.
Security Features
Required security features include encryption, prevention of unauthorized disclosure, segregation of database instances, and audit trails.
Transparency
The ICRC must render the processing of biometric data transparent to Data Subjects through the systematic provision of programme-specific information clarifying how and why such data will be utilized.
Rights of the Data Subject
Data Subjects have the right to request access to, rectify, and request deletion of their Personal Data.
Third Parties and Data Transfers
The ICRC has provisions for working with external partners. In cases where the ICRC enlists the support of a partner to provide a specific humanitarian service, a data processing agreement setting out the basis, purpose of the processing and the restrictions to which it is subject is in place, and specific organizational and technical measures have been devised to minimise access to the biometric data and the period in which it is in their custody.
Data Retention and Deletion
Biometric data should be subject to a retention period explicitly linked to the specific purpose for which it was collected, and may be retained by the ICRC only for as long as it is needed for that purpose.
Data Breaches
In the event of a data breach, the ICRC must notify relevant parties, including the affected Delegations and the Data Protection Office.
Key Statistics & Data
- The policy requires review by the ICRC Directorate at least every three years.
- The policy calls for the implementation of high-level data security features and technical and organisational measures that ensure its requirements are met by design and by default.
Methodology
This document is a policy developed by the ICRC. The ICRC Directorate reviews this document. The periodic review is facilitated by a yearly report by the DPO to the ICRC Assembly, providing an overview of the ICRC's biometric data processing operations, including an assessment of their ongoing necessity and proportionality.
Implications and Conclusions
The policy aims to provide a clear framework for responsible biometric data processing, ensuring the protection of individuals’ rights while enabling the ICRC to achieve its humanitarian objectives. Key implications include enhanced accountability, improved data security, and greater transparency in biometric data handling. The document emphasizes the importance of ongoing review and adaptation to address emerging challenges and technological advancements in the field.
Key Points
- The ICRC recognizes that biometric data processing must adhere to the 'do no harm' principle, humanitarian imperative, and data protection rules.
- The policy requires limiting the use of biometric data to specific cases and modalities and conducting Data Protection Impact Assessments.
- The ICRC commits to reviewing the implementation of this policy regularly, adapting to technological changes and evolving data protection norms.
- The policy defines roles and responsibilities of ICRC staff and programs and outlines the legitimate bases for processing biometric data.
- It specifies purposes for which biometric data is processed, including identification for humanitarian services and protection of confidential information.
- The policy addresses adequacy, relevance, and minimization of biometric data, ensuring it is relevant and not excessive.
- The policy includes provisions for transparency of biometric data processing, rights of the Data Subject, and procedures for handling requests, objections, and complaints.