Biometric personal data of Russians

In the light of the imminent entry into force of the law on biometric identification of bank customers, I would like to go back a little and remember what the biometric personal data actually is. What about this tells us Roskomnadzor and how we should be if we have to work with them.

According to the Federal Law of 27.07.2006 N 152- “On Personal Data”, art. eleven:

"Information that characterizes the physiological and biological characteristics of a person, on the basis of which his identity can be established (biometric personal data) and which are used by the operator to identify the identity of the subject of personal data, can be processed only with the written consent of the subject of personal data, except provided for by part 2 of this article. ”

For children, Roskomnadzor has a simplified explanation:

Biometric personal data is information about our biological features. This data is unique, belongs to only one person and never repeats.

Biometric data is embedded in us from birth by nature itself, they are not appropriated by anyone, it is simply coded information about a person that people have learned to read. These data include:

fingerprint, iris pattern, DNA code, voice cast, etc.

About standards

In accordance with the order of the Federal Agency for Technical Regulation and Metrology dated March 6, 2017 No. 448, the activities of the Technical Committee for Standardization TC 098 “Biometrics and Biomonitoring” were organized.

According to Appendix N 3 to the order of the Federal Agency for Technical Regulation and Metrology of March 6, 2017 N 448 (Regulation on the Technical Committee on Standardization "Biometrics and Biomonitoring"), the TC is designed to solve the following tasks:

• formation of the national standardization program according to the activity assigned to TC 098 and control over the implementation of this program;
• consideration of proposals for the application of international and regional standards at the national and interstate levels in the area of ​​activity assigned to TC 098;
• examination of draft national and interstate standards and draft amendments to existing standards, as well as their submission for approval (adoption) to Rosstandart;
• participation in the work of the interstate technical committee on standardization (ITC) and international technical committees (ISO / TC), which have a common area of ​​activity;
• Regular checking of national and interstate standards in force in the Russian Federation and assigned to TC 098 in order to identify the need to update or cancel them;
• assessment of the expediency of approving preliminary national standards assigned to TC 098 as national standards of the Russian Federation based on the results of monitoring their application;
• consideration of draft international standards in the area of ​​activity assigned to TC 098 and preparation of the position of the Russian Federation when voting on these projects;
• consideration of proposals for the development of international standards, including on the basis of national and interstate standards assigned to TC 098;
• examination of official translations into Russian of international and regional standards, national standards and sets of rules of foreign states in the area of ​​activity assigned to TC 098, etc.

This TC, as of October 31, 2017, reflects the list of existing national standards in the field of biometric technologies. This list is summarized in the table below.

No	Designation of national standard	Name of national standard
one.	GOST ISO / IEC 2382-37-2016 *	Information Technology. Vocabulary. Part 37. Biometrics (adopted by IGU Protocol No. 93-P dated November 22, 2016)
2	GOST ISO / IEC 19794-1-2015 *	Information Technology. Biometrics. Formats for the exchange of biometric data. Part 1. Structure
3	GOST R ISO / IEC 19794-2-2013	Information Technology. Biometrics. Formats for the exchange of biometric data. Part 2. Fingerprint Image Data - Control Points
four.	GOST R ISO / IEC 19794-3-2009	Automatic identification. Biometric identification. Formats for the exchange of biometric data. Part 3. Fingerprint image spectral data
five.	GOST R ISO / IEC 19794-4-2014	Information Technology. Biometrics. Formats for the exchange of biometric data. Part 4. Fingerprint image data
6	GOST R ISO / IEC 19794-5-2013	Information Technology. Biometrics. Formats for the exchange of biometric data. Part 5. Face image data
7	GOST R ISO / IEC 19794-6-2014	Information Technology. Biometrics. Formats for the exchange of biometric data. Part 6. Image data of the iris
eight.	GOST R ISO / IEC 19794-7-2009	Automatic identification. Biometric identification. Formats for the exchange of biometric data. Part 7. Signature Dynamics Data
9.	GOST R ISO / IEC 19794-8-2015	Information Technology. Biometrics. Formats for the exchange of biometric data. Part 8. Fingerprint image data - frame
ten.	GOST R ISO / IEC 19794-9-2015	Information Technology. Biometrics. Formats for the exchange of biometric data. Part 9. Image data of the vascular bed
eleven.	GOST R ISO / IEC 19794-10-2010	Automatic identification. Biometric identification. Formats for the exchange of biometric data. Part 10. Data geometry of the contour of the hand
12.	GOST R ISO / IEC 19794-11-2015	Information Technology. Biometrics. Formats for the exchange of biometric data. Part 11. The processed data dynamics of the signature
13.	GOST R ISO / IEC 19794-14-2017	Information Technology. Biometrics. Formats for the exchange of biometric data. Part 14. DNA data
14.	GOST R ISO / IEC 19795-1-2007	Automatic identification. Biometric identification. Performance tests and biometrics test reports. Part 1. Principles and structure
15.	GOST R ISO / IEC 19795-2-2008	Automatic identification. Biometric identification. Performance tests and biometrics test reports. Part 2. Technological and scenario testing methods
sixteen.	GOST R ISO / IEC THAT 19795-3-2009	Automatic identification. Biometric identification. Performance tests and biometrics test reports. Part 3. Features of testing with different biometric modalities
17	GOST R ISO / IEC 19795-4-2011	Information Technology. Biometrics. Performance tests and biometrics test reports. Part 4. Compatibility Tests
18.	GOST R ISO / IEC 19795-6-2015	Information Technology. Biometrics. Performance tests and biometrics test reports. Part 6. Operational test methodology
nineteen.	GOST R ISO / IEC 19784-1-2007	Automatic identification. Biometric identification. Biometric software interface. Part 1. Specification of biometric software interface
20.	GOST R ISO / IEC 19784-2-2010	Automatic identification. Biometric identification. Biometric software interface. Part 2. The supplier interface of the biometric function of the archive
21.	GOST R ISO / IEC 19784-4-2014	Information Technology. Biometrics. Biometric software interface. Part 4. Biometric Sensor Feature Provider Interface
22	GOST R ISO / IEC 19785-1-2008	Automatic identification. Biometric identification. Unified structure of the exchange of biometric data. Part 1. Data Item Specification
23.	GOST R ISO / IEC 19785-2-2008	Automatic identification. Biometric identification. Unified structure of the exchange of biometric data. Part 2. Procedures for actions of the registration authority in the field of biometrics
24	GOST R ISO / IEC 19785-4-2012	Information Technology. Biometrics. Unified structure of the exchange of biometric data. Part 4. Specification of the format of the information security block
25	GOST R ISO / IEC 24708-2013	Information Technology. Biometrics. Internetworking protocol BioAPI
26	GOST R ISO / IEC 24709-1-2009	Automatic identification. Biometric identification. Tests for compliance with the biometric software interface (BioAPI). Part 1. Methods and procedures
27.	GOST R ISO / IEC 24709-2-2011	Information Technology. Biometrics. Tests for compliance with the biometric software interface (BioAPI). Part 2. Test claims for biometric service providers
28	GOST R ISO / IEC 24709-3-2013	Information Technology. Biometrics. Tests for compliance with the biometric software interface (BioAPI). Part 3. Test assertions for BioAPI infrastructures
29.	GOST ISO / IEC 24713-1-2013 *	Information Technology. Biometric profiles for interaction and data exchange. Part 1. The overall architecture of the biometric system and biometric profiles
thirty.	GOST R ISO / IEC 24713-2-2011	Information Technology. Biometrics. Biometric profiles for interaction and data exchange. Part 2. Physical control of access for airport employees
31.	GOST R ISO / IEC 24713-3-2016	Information Technology. Biometrics. Biometric profiles for interaction and data exchange. Part 3. Biometric verification and identification of seafarers
32.	GOST R ISO / IEC 29109-1-2012	Information Technology. Biometrics. Test methodology for compliance with the biometric data exchange formats defined in the ISO / IEC 19794. Part 1. Generalized test methodology for compliance
33.	GOST R ISO / IEC 29109-4-2015	Information Technology. Biometrics. Methodology of tests for compliance with biometric data exchange formats defined in the ISO / IEC 19794 standard set. Part 4. Fingerprint image data
34	GOST R ISO / IEC 29109-5-2013	Information Technology. Biometrics. Methodology of tests for compliance with biometric data exchange formats defined in the ISO / IEC 19794. Standards complex. Part 5. Face image data
35	GOST R ISO / IEC 29109-6-2016	Information Technology. Biometrics. Test methodology for compliance with the biometric data exchange formats defined in the ISO / IEC 19794. Part 6. The iris image data
36	GOST R ISO / IEC 29109-7-2016	Information Technology. Biometrics. Methodology of tests for compliance with biometric data exchange formats defined in the ISO / IEC 19794. Standard Package. Part 7. Signature Dynamics Data
37.	GOST R ISO / IEC 29109-8-2016	Information Technology. Biometrics. Methodology of tests for compliance with biometric data exchange formats defined in the ISO / IEC 19794 standard set. Part 8. Fingerprint image data - skeleton
38	GOST R ISO / IEC 29109-9-2017	Information Technology. Biometrics. Methodology of tests for compliance with biometric data exchange formats defined in the ISO / IEC 19794 standard set. Part 9. Image data of the vascular bed
39	GOST R ISO / IEC 29109-10-2017	Information Technology. Biometrics. Test methodology for compliance with the biometric data exchange formats defined in the ISO / IEC 19794. Part 10. Hand-held contour geometry data
40	GOST R ISO / IEC 29794-1-2012	Information Technology. Biometrics. The quality of biometric samples. Part 1. Structure
41	GOST R ISO / IEC 29141-2012	Information Technology. Biometrics. Simultaneous image acquisition of ten fingerprints using BioAPI
42	GOST R 54412-2011 / ISO / IEC TR 24741: 2007	Information Technology. Biometrics. Biometrics Training Program

As you can see, the list is quite extensive, but that's not all. In addition to directly biometric technologies, biometrics and standards for machine-readable passport and visa documents, as well as identification cards with biometric data, also apply. We will not cite them in the framework of this article, if you wish to familiarize yourself with them, all of this can be found on TC 098 website.

About clarifications of Roskomnadzor

The published Roskomnadzor explanations, which just raised “… the issues of attributing photo and video images, fingerprint data and other information to biometric personal data and features of their processing.”, Were ignored by many in vain. Until now, there are many questions, the answers to which could be found in the explanations, without burrowing into GOST. Therefore, I suggest once again to go through the main theses, and for someone to get acquainted with them for the first time.

Based on the definition given above, in the context of the Federal Law “On Personal Data”, the assignment of personal data to biometric personal data and their subsequent processing should be considered as part of the operator’s activities aimed at identifying a particular person, unless otherwise provided by federal laws and normative legal acts adopted on their basis.

That is, if a user, for example, puts his photo on any avatar, then we do not consider this to be biometric data, because by avatar, we do not identify the user. However, there are cases when a photograph is directly attributed to biometric personal data.

“According to clause 6 of the List of personal data recorded on electronic media, contained in the main identity documents of a citizen of the Russian Federation, according to which citizens of the Russian Federation depart from the Russian Federation and enter the Russian Federation, approved by a decree of the Government of the Russian Federation on March 4, 2010 “No. 125, a color digital photographic image of the face of the holder of the document is the biometric personal data of the holder of the document.”

In cases when a passport is scanned by an operator to confirm the implementation of certain actions by a specific person, for example, concluding an agreement on the provision of services, including banking, medical, etc.) without carrying out identification procedures (identification), these actions cannot be considered processing of biometric personal data and art. 11 of the Federal Law “On Personal Data” is not regulated. Accordingly, the processing of information in these cases is carried out in accordance with the general requirements established by the Federal Law “On Personal Data”.

X-ray or fluorographic images characterizing the physiological and biological characteristics of a person and are in the patient’s medical history (medical record) of the patient (not paper or electronic) are not biometric personal data, since they are not used by the operator (medical institution) to identify the patient . But if they are transmitted at the request of the subjects of the operational-search activity, the investigation and inquiry bodies within the framework of their activities, this information becomes biometric personal data, as they are used by operators - investigation and inquiry bodies in order to establish the identity of a specific person. Those. Medical information is transmitted to the investigating authorities, and there they are already becoming biometric personal data.

A similar approach should be followed when obtaining other information that can be attributed to biometric personal data. Thus, if we use the obtained information describing the physiological and biological characteristics of a person to establish identity, then we have biometrics, if not - otherwise.

The main thing is that in the case of processing biometric personal data, it is necessary to remember

“In accordance with Part 1 of Art. 11 of the Federal Law “On Personal Data” processing of biometric personal data can be carried out only with the consent in writing of the subject of personal data. "

PS By the link you can download our White Paper on the Federal Law No. 152 .
This is a book that was published to help eliminate confusion in the processing of personal data and clearly describe the process of bringing personal data to IP in accordance with the laws of Russia. The topic is revealed from scratch. It helps to meet the needs of a wide range of readers.