Biometric personal data of Russians



With the law on biometric identification of bank customers about to enter into force, I would like to step back a little and recall what biometric personal data actually is, what Roskomnadzor tells us about it, and what we should do if we have to work with such data.


According to Art. 11 of the Federal Law of 27.07.2006 N 152-FZ “On Personal Data”:
“Information that characterizes the physiological and biological characteristics of a person, on the basis of which his identity can be established (biometric personal data) and which is used by the operator to establish the identity of the subject of personal data, can be processed only with the written consent of the subject of personal data, except in the cases provided for by part 2 of this article.”
For children, Roskomnadzor has a simplified explanation:
Biometric personal data is information about our biological features. This data is unique, belongs to only one person and never repeats.

Biometric data is embedded in us from birth by nature itself; it is not assigned by anyone, it is simply encoded information about a person that people have learned to read. These data include:

fingerprints, iris pattern, DNA code, voiceprint, etc.

About standards


In accordance with the order of the Federal Agency for Technical Regulation and Metrology dated March 6, 2017 No. 448, the activities of the Technical Committee for Standardization TC 098 “Biometrics and Biomonitoring” were organized.


According to Appendix N 3 to the order of the Federal Agency for Technical Regulation and Metrology of March 6, 2017 N 448 (Regulation on the Technical Committee on Standardization "Biometrics and Biomonitoring"), the TC is designed to solve the following tasks:



This TC publishes the list of existing national standards in the field of biometric technologies, current as of October 31, 2017. The list is summarized in the table below.

| No. | Designation of national standard | Name of national standard |
|---|---|---|
| 1 | GOST ISO/IEC 2382-37-2016 * | Information Technology. Vocabulary. Part 37. Biometrics (adopted by IGU Protocol No. 93-P dated November 22, 2016) |
| 2 | GOST ISO/IEC 19794-1-2015 * | Information Technology. Biometrics. Formats for the exchange of biometric data. Part 1. Structure |
| 3 | GOST R ISO/IEC 19794-2-2013 | Information Technology. Biometrics. Formats for the exchange of biometric data. Part 2. Fingerprint Image Data - Control Points |
| 4 | GOST R ISO/IEC 19794-3-2009 | Automatic identification. Biometric identification. Formats for the exchange of biometric data. Part 3. Fingerprint image spectral data |
| 5 | GOST R ISO/IEC 19794-4-2014 | Information Technology. Biometrics. Formats for the exchange of biometric data. Part 4. Fingerprint image data |
| 6 | GOST R ISO/IEC 19794-5-2013 | Information Technology. Biometrics. Formats for the exchange of biometric data. Part 5. Face image data |
| 7 | GOST R ISO/IEC 19794-6-2014 | Information Technology. Biometrics. Formats for the exchange of biometric data. Part 6. Image data of the iris |
| 8 | GOST R ISO/IEC 19794-7-2009 | Automatic identification. Biometric identification. Formats for the exchange of biometric data. Part 7. Signature Dynamics Data |
| 9 | GOST R ISO/IEC 19794-8-2015 | Information Technology. Biometrics. Formats for the exchange of biometric data. Part 8. Fingerprint image data - frame |
| 10 | GOST R ISO/IEC 19794-9-2015 | Information Technology. Biometrics. Formats for the exchange of biometric data. Part 9. Image data of the vascular bed |
| 11 | GOST R ISO/IEC 19794-10-2010 | Automatic identification. Biometric identification. Formats for the exchange of biometric data. Part 10. Data geometry of the contour of the hand |
| 12 | GOST R ISO/IEC 19794-11-2015 | Information Technology. Biometrics. Formats for the exchange of biometric data. Part 11. The processed data dynamics of the signature |
| 13 | GOST R ISO/IEC 19794-14-2017 | Information Technology. Biometrics. Formats for the exchange of biometric data. Part 14. DNA data |
| 14 | GOST R ISO/IEC 19795-1-2007 | Automatic identification. Biometric identification. Performance tests and biometrics test reports. Part 1. Principles and structure |
| 15 | GOST R ISO/IEC 19795-2-2008 | Automatic identification. Biometric identification. Performance tests and biometrics test reports. Part 2. Technological and scenario testing methods |
| 16 | GOST R ISO/IEC TR 19795-3-2009 | Automatic identification. Biometric identification. Performance tests and biometrics test reports. Part 3. Features of testing with different biometric modalities |
| 17 | GOST R ISO/IEC 19795-4-2011 | Information Technology. Biometrics. Performance tests and biometrics test reports. Part 4. Compatibility Tests |
| 18 | GOST R ISO/IEC 19795-6-2015 | Information Technology. Biometrics. Performance tests and biometrics test reports. Part 6. Operational test methodology |
| 19 | GOST R ISO/IEC 19784-1-2007 | Automatic identification. Biometric identification. Biometric software interface. Part 1. Specification of biometric software interface |
| 20 | GOST R ISO/IEC 19784-2-2010 | Automatic identification. Biometric identification. Biometric software interface. Part 2. The supplier interface of the biometric function of the archive |
| 21 | GOST R ISO/IEC 19784-4-2014 | Information Technology. Biometrics. Biometric software interface. Part 4. Biometric Sensor Feature Provider Interface |
| 22 | GOST R ISO/IEC 19785-1-2008 | Automatic identification. Biometric identification. Unified structure of the exchange of biometric data. Part 1. Data Item Specification |
| 23 | GOST R ISO/IEC 19785-2-2008 | Automatic identification. Biometric identification. Unified structure of the exchange of biometric data. Part 2. Procedures for actions of the registration authority in the field of biometrics |
| 24 | GOST R ISO/IEC 19785-4-2012 | Information Technology. Biometrics. Unified structure of the exchange of biometric data. Part 4. Specification of the format of the information security block |
| 25 | GOST R ISO/IEC 24708-2013 | Information Technology. Biometrics. Internetworking protocol BioAPI |
| 26 | GOST R ISO/IEC 24709-1-2009 | Automatic identification. Biometric identification. Tests for compliance with the biometric software interface (BioAPI). Part 1. Methods and procedures |
| 27 | GOST R ISO/IEC 24709-2-2011 | Information Technology. Biometrics. Tests for compliance with the biometric software interface (BioAPI). Part 2. Test claims for biometric service providers |
| 28 | GOST R ISO/IEC 24709-3-2013 | Information Technology. Biometrics. Tests for compliance with the biometric software interface (BioAPI). Part 3. Test assertions for BioAPI infrastructures |
| 29 | GOST ISO/IEC 24713-1-2013 * | Information Technology. Biometric profiles for interaction and data exchange. Part 1. The overall architecture of the biometric system and biometric profiles |
| 30 | GOST R ISO/IEC 24713-2-2011 | Information Technology. Biometrics. Biometric profiles for interaction and data exchange. Part 2. Physical control of access for airport employees |
| 31 | GOST R ISO/IEC 24713-3-2016 | Information Technology. Biometrics. Biometric profiles for interaction and data exchange. Part 3. Biometric verification and identification of seafarers |
| 32 | GOST R ISO/IEC 29109-1-2012 | Information Technology. Biometrics. Test methodology for compliance with the biometric data exchange formats defined in ISO/IEC 19794. Part 1. Generalized test methodology for compliance |
| 33 | GOST R ISO/IEC 29109-4-2015 | Information Technology. Biometrics. Methodology of tests for compliance with biometric data exchange formats defined in the ISO/IEC 19794 standard set. Part 4. Fingerprint image data |
| 34 | GOST R ISO/IEC 29109-5-2013 | Information Technology. Biometrics. Methodology of tests for compliance with biometric data exchange formats defined in the ISO/IEC 19794 standard set. Part 5. Face image data |
| 35 | GOST R ISO/IEC 29109-6-2016 | Information Technology. Biometrics. Test methodology for compliance with the biometric data exchange formats defined in ISO/IEC 19794. Part 6. The iris image data |
| 36 | GOST R ISO/IEC 29109-7-2016 | Information Technology. Biometrics. Methodology of tests for compliance with biometric data exchange formats defined in the ISO/IEC 19794 standard set. Part 7. Signature Dynamics Data |
| 37 | GOST R ISO/IEC 29109-8-2016 | Information Technology. Biometrics. Methodology of tests for compliance with biometric data exchange formats defined in the ISO/IEC 19794 standard set. Part 8. Fingerprint image data - skeleton |
| 38 | GOST R ISO/IEC 29109-9-2017 | Information Technology. Biometrics. Methodology of tests for compliance with biometric data exchange formats defined in the ISO/IEC 19794 standard set. Part 9. Image data of the vascular bed |
| 39 | GOST R ISO/IEC 29109-10-2017 | Information Technology. Biometrics. Test methodology for compliance with the biometric data exchange formats defined in ISO/IEC 19794. Part 10. Hand-held contour geometry data |
| 40 | GOST R ISO/IEC 29794-1-2012 | Information Technology. Biometrics. The quality of biometric samples. Part 1. Structure |
| 41 | GOST R ISO/IEC 29141-2012 | Information Technology. Biometrics. Simultaneous image acquisition of ten fingerprints using BioAPI |
| 42 | GOST R 54412-2011 / ISO/IEC TR 24741:2007 | Information Technology. Biometrics. Biometrics Training Program |


As you can see, the list is quite extensive, but that's not all. In addition to the standards on biometric technologies proper, standards for machine-readable passport and visa documents, as well as for identification cards with biometric data, also relate to biometrics. We will not list them in this article; if you wish to familiarize yourself with them, they can all be found on the TC 098 website.


About Roskomnadzor's clarifications


The clarifications published by Roskomnadzor, which address precisely “… the issues of attributing photo and video images, fingerprint data and other information to biometric personal data and features of their processing”, have been undeservedly ignored by many. There are still many questions whose answers could be found in the clarifications without digging into the GOSTs. I therefore suggest going through the main points once again, or, for some readers, getting acquainted with them for the first time.


Based on the definition given above, in the context of the Federal Law “On Personal Data”, the assignment of personal data to biometric personal data and their subsequent processing should be considered as part of the operator’s activities aimed at identifying a particular person, unless otherwise provided by federal laws and normative legal acts adopted on their basis.


That is, if a user, for example, sets his photo as an avatar, we do not consider it biometric data, because we do not identify the user by the avatar. However, there are cases when a photograph is directly classified as biometric personal data.

“According to clause 6 of the List of personal data recorded on electronic media, contained in the main identity documents of a citizen of the Russian Federation, according to which citizens of the Russian Federation depart from the Russian Federation and enter the Russian Federation, approved by Decree of the Government of the Russian Federation of March 4, 2010 No. 125, a color digital photographic image of the face of the holder of the document is the biometric personal data of the holder of the document.”

In cases when a passport is scanned by an operator to confirm that a specific person performed certain actions (for example, concluding an agreement on the provision of services, including banking, medical, etc.) without carrying out identification procedures, these actions cannot be considered processing of biometric personal data and are not regulated by Art. 11 of the Federal Law “On Personal Data”. Accordingly, the processing of information in these cases is carried out in accordance with the general requirements established by the Federal Law “On Personal Data”.


X-ray or fluorographic images that characterize the physiological and biological characteristics of a person and are kept in the patient’s medical history (medical record), whether paper or electronic, are not biometric personal data, since they are not used by the operator (the medical institution) to identify the patient. But if they are transmitted at the request of the subjects of operational-search activity or the investigation and inquiry bodies within the framework of their activities, this information becomes biometric personal data, since it is used by the operators (the investigation and inquiry bodies) in order to establish the identity of a specific person. That is, medical information is transmitted to the investigating authorities, and there it becomes biometric personal data.


A similar approach should be followed when obtaining other information that can be attributed to biometric personal data. Thus, if we use the obtained information describing the physiological and biological characteristics of a person to establish identity, then we are dealing with biometric data; if not, we are not.


The main thing to remember when processing biometric personal data is this:

“In accordance with Part 1 of Art. 11 of the Federal Law “On Personal Data” processing of biometric personal data can be carried out only with the consent in writing of the subject of personal data.”

P.S. You can download our White Paper on the Federal Law No. 152 via the link.
This is a book that was published to help eliminate confusion in the processing of personal data and clearly describe the process of bringing personal data to IP in accordance with the laws of Russia. The topic is covered from scratch, so the book suits a wide range of readers.

Source: https://habr.com/ru/post/413899/

