Access to Restricted Areas in Certain Companies: For a Proportionate Use of Fingerprints - Decision of November 23, 2005 
[doc. web n. 1671299]
THE GARANTE PER LA PROTEZIONE DEI DATI PERSONALI
Having convened today, with the participation of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Mauro Paissan and Mr. Giuseppe Fortunato, Members, and Mr. Giovanni Buttarelli, Secretary General;
Having considered the request for prior checking submitted by Galileo Avionica S.p.A. pursuant to Section 17 of the personal data protection Code (legislative decree no. 196/2003 of June 30, 2003) in respect of the processing of biometric personal data to control access by some employees to restricted-access areas;
Having regard to the information gathered following the enquiries that were carried out pursuant to Section 154(1), letter a), of the Code;
Having regard to the considerations made by the Secretary General pursuant to Section 15 of the Garante's Rules of Procedure no. 1/2000;
Acting on the report submitted by Mr. Mauro Paissan;
1. Processing of Employees' Biometric Data with a View to Accessing Certain Areas in a Company
Galileo Avionica S.p.A., a supplier of defence technologies in the avionics and electronics sectors as well as the Italian affiliate of SELEX Sensors and Airborne Systems S.p.A., submitted a request for prior checking to the Garante in pursuance of Section 17 of the Code; the request concerned the processing of biometric data relating to a small number of employees, i.e. not in excess of 15, with a view to controlling their access to a restricted corporate area with a surface of about 30 m2.
According to the company, this measure affords a high degree of certainty in identifying the staff enabled to access the area and complies with the “security and confidentiality requirements of a NATO environment” (see the letter by Galileo Avionica S.p.A. of September 30, 2005) that must be met in order to implement a specific avionics programme. In this regard, the company stated that the number of staff involved would not change, since the staff in question must be awarded a security pass (NOS) by the National Security Authority (NSA) to process top-secret information.
In particular, the system to be deployed is based on the collection of biometric data by means of devices equipped with fingerprint readers and ad-hoc software; the data would be translated into a digital code (a template), which would be used only to collect and subsequently process the data for the said purposes (see the letter by Galileo Avionica S.p.A. of September 30, 2005).
2. Biometric Data and Personal Data Protection Legislation: Lawfulness, Purpose Specification, and Relevance of the Processing
The case submitted to the Garante's prior checking entails the processing of personal data.
Both fingerprints and the data derived therefrom and used subsequently for verification and comparison purposes in authentication and/or identification procedures are personal information that can be related to the individual data subjects (Section 4(1), letter b), of the Code); therefore they fall within the scope of application of the provisions contained in the Code (see Garante's decisions of November 19, 1999 and July 21, 2005, both available on the Garante's website; see also the Working Document on Biometrics by the Article 29 Working Party, WP80, point 3.1).
In principle, the blanket, unrestricted use of biometric data concerning employees is unlawful, especially in the case of fingerprints as their peculiarities make it necessary to prevent any inappropriate and/or unauthorised use.
However, the information gathered in the case at issue is such as to allow concluding that the processing submitted to prior checking is lawful; this conclusion is grounded on the consideration of the specific purposes sought in the relevant context as well as of some precautions the company is planning to take in addition to those set forth herein in respect of the concrete mechanisms applying to biometric identification.
In the case at issue, the purpose sought by the company acting as the data controller – i.e., unambiguously identifying the individuals authorised to access a restricted-access area and those that have accessed such area – is lawful in the light of the peculiar circumstances described in the case file.
The said circumstances point to the objective need for establishing, in an especially stringent manner, both whether the authorised employees are entitled to access the said area and the identity of the individual employees concerned (see, in this connection, the Garante's decision of July 21, 2005 referred to above). Indeed, the activities the aforementioned identification measures are related to require specific, stringent security standards as well as a high degree of certainty with regard to identification of the individuals involved, given that defence-relevant industrial projects are at stake.
The system is intended for being deployed exclusively in connection with the access to a restricted area with specific boundaries, which is used for implementing a specific avionics project of national and international importance in the defence sector.
Only such data as are relevant and not excessive in relation to the purpose sought are processed; the data relate to a small number of employees concerned, rather than to all the employees, as selected among those in the possession of a “security pass” who discharge tasks requiring top-secret information to be processed.
Additionally, the system has been designed in order to store up to 900 inbound and outbound transactions; after exceeding this threshold, the oldest data are automatically deleted.
Therefore, the processing of biometric data for the aforementioned purposes has been configured in a manner that is proportionate to the data subjects' individual rights, in the light of the purposes that are sought in concrete as well as of the processing mechanisms that will be implemented.
To that end, the mechanism the company will have to deploy should be based on an effective verification and identification system reading the encrypted fingerprints from a device in the employee's possession (such as a smart card or a similar device), without setting up a centralised database containing fingerprints and/or templates.
A related device should, however, allow the company to record, among the said 900 inbound and outbound transactions in the information system, such additional personal data as unambiguously identify an employee, where such data are considered necessary in order to record, temporarily, the identity of each employee who accessed the restricted area on a given occasion, rather than merely the fact that some authorised member of staff accessed the said area without identifying him or her in connection with each individual access.
Instructions will have to be issued concerning the loss and/or theft of the devices in the employees' possession (including the need to notify the company thereof promptly), the process for using the authentication devices, and the internal procedures for checking the system and, where necessary, upgrading the said devices.
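The architecture described in this section (an encrypted template carried on a device held by the employee, a reader that keeps no template store, a comparison on each access, and a transaction log bounded at 900 entries that names the employee) can be made concrete in code. The following is an added illustration written for this page; it is not code from the Garante, from Galileo Avionica or from the system manufacturer. Everything beyond the decision's own requirements is an assumption: the template is a toy 256-bit feature vector compared by Hamming distance with a threshold of 24 bits; the encryption is an HMAC-SHA256 encrypt-then-MAC construction used as a standard-library stand-in for a real AEAD such as AES-GCM; the key is a per-site key held only by the reader; only successful accesses are logged.

```python
"""Verification against a template carried by the employee, with a bounded access log.

Added illustration of the architecture the decision calls for; not code from the
Garante, Galileo Avionica or the manufacturer. Assumptions (not in the decision):
toy 256-bit template matched by Hamming distance; HMAC-SHA256 encrypt-then-MAC as a
stdlib-only stand-in for AES-GCM; per-site key held only by the reader; threshold
of 24 bits; only successful accesses are logged.
"""
import hashlib
import hmac
import secrets
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timezone

TEMPLATE_BYTES = 32        # assumed toy template: 256 feature bits
MATCH_THRESHOLD = 24       # assumed: max differing bits still accepted as the same finger
MAX_TRANSACTIONS = 900     # the bound stated in the decision


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a block cipher)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> tuple:
    """Derive separate encryption and MAC keys from the site key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt_template(key: bytes, template: bytes) -> tuple:
    """Encrypt-then-MAC. Returns (nonce, ciphertext, tag) to be written to the card."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(template, _keystream(enc_key, nonce, len(template))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def decrypt_template(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    """Checks the tag in constant time before decrypting; a tampered card is rejected."""
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("card data failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def hamming(a: bytes, b: bytes) -> int:
    """Biometric samples never repeat exactly, so matching is a distance, not equality."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def flip_bits(data: bytes, positions) -> bytes:
    """Constructed 'live scan' noise: flip the given bit positions of a template."""
    buf = bytearray(data)
    for p in positions:
        buf[p // 8] ^= 1 << (p % 8)
    return bytes(buf)


@dataclass(frozen=True)
class Card:
    """What the employee carries: identity plus the encrypted template. No copy is kept elsewhere."""
    employee_id: str
    nonce: bytes
    ciphertext: bytes
    tag: bytes


class Reader:
    """Door reader: holds the site key and the bounded transaction log, nothing else."""

    def __init__(self, site_key: bytes):
        self._site_key = site_key
        self.log = deque(maxlen=MAX_TRANSACTIONS)  # oldest entry dropped automatically

    def enrol(self, employee_id: str, template: bytes) -> Card:
        nonce, ct, tag = encrypt_template(self._site_key, template)
        return Card(employee_id, nonce, ct, tag)   # the reader retains no template

    def verify(self, card: Card, live_scan: bytes, direction: str) -> bool:
        try:
            template = decrypt_template(self._site_key, card.nonce, card.ciphertext, card.tag)
        except ValueError:
            return False
        if hamming(template, live_scan) > MATCH_THRESHOLD:
            return False
        # Section 2: the log records who passed, not merely that someone authorised did.
        self.log.append((datetime.now(timezone.utc).isoformat(), card.employee_id, direction))
        return True


if __name__ == "__main__":
    reader = Reader(secrets.token_bytes(32))
    enrolled = bytes(range(TEMPLATE_BYTES))                              # constructed template
    card = reader.enrol("E-007", enrolled)
    print(reader.verify(card, flip_bits(enrolled, range(10)), "in"))   # small noise: True
    print(reader.verify(card, flip_bits(enrolled, range(60)), "in"))   # other finger: False
    print(len(reader.log))                                             # 1
```

Two points the code makes explicit that the prose only implies: because a live scan is never bit-identical to the enrolled sample, the template cannot be protected the way a password hash is and must be recovered in clear at the moment of comparison, which is why keeping it off any central store matters; and the tag check runs before decryption, so a card whose data has been altered, or a card presented to a reader holding a different key, is refused without any template ever being compared.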
3. Data Quality and Security Measures Related to Processing of Biometric Data
The system submitted to prior checking would appear to feature adequate reliability and security, in the light of the control tests carried out by the manufacturer.
As regards security, the measures adopted to safeguard the data transmitted by the individual readers to the centralised data acquisition system (which is kept separate from corporate information systems) can be considered adequate. The data contained in the dedicated database are encrypted and password-protected to prevent unauthorised entities from accessing and processing them.
In pursuance of the obligation to take all the security measures set out by the Code, including minimum security measures (as per Section 31 and following ones plus Annex B to the Code), the company is further obliged to obtain, from the system installer, the certification referred to in Rule 25 of the Technical Specifications Concerning Minimum Security Measures (Annex B to the Code) as well as such other appropriate certification as relates to the devices in question, and to retain such certification(s) at its own premises.
Concerning, in particular, access to the data by the company's network manager, the need to appoint the latter in writing as person in charge of the relevant processing operations, or else as data processor in respect of the said operations, and to issue appropriate instructions he/she will have to abide by, is hereby also left unprejudiced.
4. Storage of the Data
The data will have to be retained for no longer than is necessary in order to achieve the purposes for which they were collected and processed (Section 11(1), letter e), of the Code).
This entails the obligation for the company to delete the processed data upon completion of the programme, which actually the company has already undertaken to do pursuant to the statements included in the case file – whereby the data would be retained for as long as necessary to carry out the processing and researches related to the programme, and would be deleted thereafter.
5. Information Notice to Data Subjects and Notification of Processing
The company stated that the employees concerned by the deployment of the system in question would be provided with a suitable information notice in writing, and that those refusing and/or unable to avail themselves of the system (for instance on account of their physical features) would be prohibited from accessing the restricted area, or else would only be allowed to access it if accompanied by other staff duly authorised thereto via the aforementioned biometrics-based system.
The information to be provided by the company in respect of the processing all the employees concerned are to be subjected to must include all the items referred to in Section 13 of the Code.
Finally, the company is required to notify the Garante of the processing of biometric data before such processing is started (Section 37(1), letter a), of the Code).
BASED ON THE ABOVE PREMISES, THE GARANTE
Orders the data controller to take the measures and precautions referred to hereinabove in order to safeguard data subjects, pursuant to Sections 17 and 154(1), letter c), of the Code, with a view to bringing the processing operations into line with the provisions in force. As regards, in particular, the items referred to under section 2, the Garante orders
- That a verification system be designed as based on comparison between the fingerprints that are taken each time the restricted area is accessed and the template that is stored and encrypted on a medium remaining in the sole possession of the employees concerned, without setting up a centralised database of fingerprints and/or templates for that purpose;
- That the data controller should deploy a device allowing the company to record, in the information system dedicated to logging of the accesses to the restricted area, the personal data (whether coded or not) that are necessary to unambiguously identify the employees accessing the said area.
Done in Rome, this 23rd day of November 2005
THE SECRETARY GENERAL