With the law on biometric identification of bank customers about to enter into force, I would like to step back a little and recall what biometric personal data actually is, what Roskomnadzor tells us about it, and what we should do if we have to work with it.
“Information that characterizes the physiological and biological characteristics of a person, on the basis of which his identity can be established (biometric personal data) and which is used by the operator to establish the identity of the subject of personal data, can be processed only with the written consent of the subject of personal data, except in the cases provided for by part 2 of this article.”
For children, Roskomnadzor has a simplified explanation:
Biometric personal data is information about our biological features. This data is unique, belongs to only one person and never repeats.
Biometric data is embedded in us from birth by nature itself; it is not assigned by anyone. It is simply coded information about a person that people have learned to read. This data includes:
fingerprint, iris pattern, DNA code, voice print, etc.
In accordance with the order of the Federal Agency for Technical Regulation and Metrology dated March 6, 2017 No. 448, the activities of the Technical Committee for Standardization TC 098 “Biometrics and Biomonitoring” were organized.
According to Appendix N 3 to the order of the Federal Agency for Technical Regulation and Metrology of March 6, 2017 N 448 (Regulation on the Technical Committee on Standardization "Biometrics and Biomonitoring"), the TC is designed to solve the following tasks:
No | Designation of national standard | Name of national standard |
1 | GOST ISO/IEC 2382-37-2016 * | Information Technology. Vocabulary. Part 37. Biometrics (adopted by IGU Protocol No. 93-P dated November 22, 2016) |
2 | GOST ISO/IEC 19794-1-2015 * | Information Technology. Biometrics. Formats for the exchange of biometric data. Part 1. Structure |
3 | GOST R ISO/IEC 19794-2-2013 | Information Technology. Biometrics. Formats for the exchange of biometric data. Part 2. Fingerprint image data - control points |
4 | GOST R ISO/IEC 19794-3-2009 | Automatic identification. Biometric identification. Formats for the exchange of biometric data. Part 3. Fingerprint image spectral data |
5 | GOST R ISO/IEC 19794-4-2014 | Information Technology. Biometrics. Formats for the exchange of biometric data. Part 4. Fingerprint image data |
6 | GOST R ISO/IEC 19794-5-2013 | Information Technology. Biometrics. Formats for the exchange of biometric data. Part 5. Face image data |
7 | GOST R ISO/IEC 19794-6-2014 | Information Technology. Biometrics. Formats for the exchange of biometric data. Part 6. Image data of the iris |
8 | GOST R ISO/IEC 19794-7-2009 | Automatic identification. Biometric identification. Formats for the exchange of biometric data. Part 7. Signature dynamics data |
9 | GOST R ISO/IEC 19794-8-2015 | Information Technology. Biometrics. Formats for the exchange of biometric data. Part 8. Fingerprint image data - skeleton |
10 | GOST R ISO/IEC 19794-9-2015 | Information Technology. Biometrics. Formats for the exchange of biometric data. Part 9. Image data of the vascular bed |
11 | GOST R ISO/IEC 19794-10-2010 | Automatic identification. Biometric identification. Formats for the exchange of biometric data. Part 10. Hand contour geometry data |
12 | GOST R ISO/IEC 19794-11-2015 | Information Technology. Biometrics. Formats for the exchange of biometric data. Part 11. Processed signature dynamics data |
13 | GOST R ISO/IEC 19794-14-2017 | Information Technology. Biometrics. Formats for the exchange of biometric data. Part 14. DNA data |
14 | GOST R ISO/IEC 19795-1-2007 | Automatic identification. Biometric identification. Performance tests and biometrics test reports. Part 1. Principles and structure |
15 | GOST R ISO/IEC 19795-2-2008 | Automatic identification. Biometric identification. Performance tests and biometrics test reports. Part 2. Technological and scenario testing methods |
16 | GOST R ISO/IEC TR 19795-3-2009 | Automatic identification. Biometric identification. Performance tests and biometrics test reports. Part 3. Features of testing with different biometric modalities |
17 | GOST R ISO/IEC 19795-4-2011 | Information Technology. Biometrics. Performance tests and biometrics test reports. Part 4. Compatibility tests |
18 | GOST R ISO/IEC 19795-6-2015 | Information Technology. Biometrics. Performance tests and biometrics test reports. Part 6. Operational test methodology |
19 | GOST R ISO/IEC 19784-1-2007 | Automatic identification. Biometric identification. Biometric software interface. Part 1. Specification of biometric software interface |
20 | GOST R ISO/IEC 19784-2-2010 | Automatic identification. Biometric identification. Biometric software interface. Part 2. Biometric archive function provider interface |
21 | GOST R ISO/IEC 19784-4-2014 | Information Technology. Biometrics. Biometric software interface. Part 4. Biometric sensor feature provider interface |
22 | GOST R ISO/IEC 19785-1-2008 | Automatic identification. Biometric identification. Unified structure of the exchange of biometric data. Part 1. Data item specification |
23 | GOST R ISO/IEC 19785-2-2008 | Automatic identification. Biometric identification. Unified structure of the exchange of biometric data. Part 2. Procedures for actions of the registration authority in the field of biometrics |
24 | GOST R ISO/IEC 19785-4-2012 | Information Technology. Biometrics. Unified structure of the exchange of biometric data. Part 4. Specification of the format of the information security block |
25 | GOST R ISO/IEC 24708-2013 | Information Technology. Biometrics. Internetworking protocol BioAPI |
26 | GOST R ISO/IEC 24709-1-2009 | Automatic identification. Biometric identification. Tests for compliance with the biometric software interface (BioAPI). Part 1. Methods and procedures |
27 | GOST R ISO/IEC 24709-2-2011 | Information Technology. Biometrics. Tests for compliance with the biometric software interface (BioAPI). Part 2. Test assertions for biometric service providers |
28 | GOST R ISO/IEC 24709-3-2013 | Information Technology. Biometrics. Tests for compliance with the biometric software interface (BioAPI). Part 3. Test assertions for BioAPI infrastructures |
29 | GOST ISO/IEC 24713-1-2013 * | Information Technology. Biometric profiles for interaction and data exchange. Part 1. The overall architecture of the biometric system and biometric profiles |
30 | GOST R ISO/IEC 24713-2-2011 | Information Technology. Biometrics. Biometric profiles for interaction and data exchange. Part 2. Physical control of access for airport employees |
31 | GOST R ISO/IEC 24713-3-2016 | Information Technology. Biometrics. Biometric profiles for interaction and data exchange. Part 3. Biometric verification and identification of seafarers |
32 | GOST R ISO/IEC 29109-1-2012 | Information Technology. Biometrics. Test methodology for compliance with the biometric data exchange formats defined in the ISO/IEC 19794 standard set. Part 1. Generalized test methodology for compliance |
33 | GOST R ISO/IEC 29109-4-2015 | Information Technology. Biometrics. Test methodology for compliance with the biometric data exchange formats defined in the ISO/IEC 19794 standard set. Part 4. Fingerprint image data |
34 | GOST R ISO/IEC 29109-5-2013 | Information Technology. Biometrics. Test methodology for compliance with the biometric data exchange formats defined in the ISO/IEC 19794 standard set. Part 5. Face image data |
35 | GOST R ISO/IEC 29109-6-2016 | Information Technology. Biometrics. Test methodology for compliance with the biometric data exchange formats defined in the ISO/IEC 19794 standard set. Part 6. Image data of the iris |
36 | GOST R ISO/IEC 29109-7-2016 | Information Technology. Biometrics. Test methodology for compliance with the biometric data exchange formats defined in the ISO/IEC 19794 standard set. Part 7. Signature dynamics data |
37 | GOST R ISO/IEC 29109-8-2016 | Information Technology. Biometrics. Test methodology for compliance with the biometric data exchange formats defined in the ISO/IEC 19794 standard set. Part 8. Fingerprint image data - skeleton |
38 | GOST R ISO/IEC 29109-9-2017 | Information Technology. Biometrics. Test methodology for compliance with the biometric data exchange formats defined in the ISO/IEC 19794 standard set. Part 9. Image data of the vascular bed |
39 | GOST R ISO/IEC 29109-10-2017 | Information Technology. Biometrics. Test methodology for compliance with the biometric data exchange formats defined in the ISO/IEC 19794 standard set. Part 10. Hand contour geometry data |
40 | GOST R ISO/IEC 29794-1-2012 | Information Technology. Biometrics. The quality of biometric samples. Part 1. Structure |
41 | GOST R ISO/IEC 29141-2012 | Information Technology. Biometrics. Simultaneous image acquisition of ten fingerprints using BioAPI |
42 | GOST R 54412-2011 / ISO/IEC TR 24741:2007 | Information Technology. Biometrics. Biometrics training program |
As you can see, the list is quite extensive, but that's not all. Besides the standards for biometric technologies themselves, standards for machine-readable passport and visa documents, as well as for identification cards with biometric data, also relate to biometrics. We will not list them in this article; if you wish to familiarize yourself with them, they can all be found on the TC 098 website.
Many people wrongly ignored the explanations published by Roskomnadzor, which addressed precisely “… the issues of attributing photo and video images, fingerprint data and other information to biometric personal data and features of their processing.” There are still many questions whose answers could be found in those explanations without digging into the GOSTs. So I suggest going through the main points once more, and for some readers, getting acquainted with them for the first time.
Based on the definition given above, in the context of the Federal Law “On Personal Data”, classifying information as biometric personal data and its subsequent processing should be considered as part of the operator’s activities aimed at identifying a particular person, unless otherwise provided by federal laws and normative legal acts adopted on their basis.
That is, if a user, for example, sets their photo as an avatar, we do not consider it biometric data, because we do not identify the user by the avatar. However, there are cases when a photograph is directly classified as biometric personal data.
“According to clause 6 of the List of personal data recorded on electronic media, contained in the main identity documents of a citizen of the Russian Federation, according to which citizens of the Russian Federation depart from the Russian Federation and enter the Russian Federation, approved by a decree of the Government of the Russian Federation on March 4, 2010 No. 125, a color digital photographic image of the face of the holder of the document is the biometric personal data of the holder of the document.”
In cases when a passport is scanned by an operator to confirm that a specific person performed certain actions (for example, concluding an agreement on the provision of services, including banking, medical, etc.) without carrying out procedures to establish identity (identification), these actions cannot be considered processing of biometric personal data and are not regulated by Art. 11 of the Federal Law “On Personal Data”. Accordingly, the processing of information in these cases is carried out in accordance with the general requirements established by the Federal Law “On Personal Data”.
X-ray or fluorographic images that characterize the physiological and biological characteristics of a person and are kept in the patient’s medical history (medical record), whether paper or electronic, are not biometric personal data, since they are not used by the operator (the medical institution) to identify the patient. But if they are handed over at the request of the subjects of operational-search activity or the investigation and inquiry bodies within the framework of their activities, this information becomes biometric personal data, as it is used by the operators (the investigation and inquiry bodies) to establish the identity of a specific person. I.e., medical information is handed over to the investigating authorities, and there it becomes biometric personal data.
A similar approach should be followed when obtaining other information that could be classified as biometric personal data. Thus, if we use the obtained information describing the physiological and biological characteristics of a person to establish identity, then we are dealing with biometric data; if not, we are not.
The main thing to remember when processing biometric personal data:
“In accordance with Part 1 of Art. 11 of the Federal Law “On Personal Data”, processing of biometric personal data can be carried out only with the consent in writing of the subject of personal data.”
Source: https://habr.com/ru/post/413899/