Rule 10 is about what you can use biometric information for.

The general rule is that you can only use biometric information for the purpose you collected it for. In addition, you may not use biometric information for biometric categorisation unless an exception applies.

Use only for the purpose you collected it…

Rule 10 provides that you can generally only use someone’s biometric information you hold for the specific purpose you collected it.

…unless an exception applies

If one of the following exceptions applies, you may use an individual’s biometric information for a different purpose than the one you collected it for.

You may use biometric information for a different purpose if:

  • The new purpose is directly related to the original purpose for which you collected the information.
  • The way the information will be used will not identify the individual. 
  • The information will be used for statistical or research purposes and it won’t be published in a way that could identify the individual.
  • The individual authorises the use of their information for the new purpose.
  • The source of the information is a publicly available publication and, in the circumstances of the case, it would not be unfair or unreasonable to use the information.
  • Using the information for the new purpose is necessary:
    • To avoid prejudice to the maintenance of the law by a public sector agency or to enforce a law that imposes a monetary penalty.
    • To protect public revenue.
    • For court or tribunal proceedings.
    • Note: the “avoid prejudice to the maintenance of the law” exception would not generally permit a retailer to use their biometric system to identify any person who may be wanted by a law enforcement agency. But it could apply as a one-off incident in relation to a specific investigation by a law enforcement agency.
  • Using the information for the new purpose is necessary to prevent or lessen a serious threat to public health or safety, or the life or health of any individual.

You need to have reasonable grounds to believe that the exception applies. An exception should only be used after confirming that it applies to each use of biometric information.

Read our rule 2 guidance for more information about the exceptions listed above.

The rule 10 exceptions do not apply to biometric categorisation. This means that even if one of the exceptions to the general limits allows you to use the biometric information for another purpose, that other purpose is still subject to the limits on biometric categorisation. The necessity and proportionality use limits also still apply if you are starting biometric processing on information you collected for a purpose other than biometric processing, or if you are changing the type of biometric processing.

Limits on biometric categorisation

Rule 10 contains limits on using someone’s biometric information to categorise them or to infer certain sensitive information about them (or to attempt to do so), unless an exception applies. This kind of use is also referred to as biometric categorisation or inferential biometrics.

The Code limits certain uses of biometrics to make inferences or categorise people because inferring some types of sensitive information from the way someone looks, moves or behaves can be deeply invasive of an individual’s privacy, whether or not the categorisation or inference is accurate. 

What is biometric categorisation?

Biometric categorisation (sometimes called inferential biometrics) is when an organisation uses an automated process to analyse a person’s biometric information to collect, infer or detect certain other types of sensitive information about them (e.g. information about their health or information about their mood or alertness) or to place them in a demographic category (e.g. age, gender or ethnicity categories). 

Biometric categorisation doesn’t include:

  • when a system analyses a person’s body or appearance to detect a readily apparent expression (e.g. whether someone is raising their hand), or 
  • any process that is part of another service or device that analyses the user’s biometric information solely for the purposes of providing the user with their own information or entertainment (e.g. a consumer smartwatch that provides the wearer with information about their energy levels).

Read more about the definition of biometric categorisation.

What are the limits on biometric categorisation? 

The Code places limits on using biometric information for biometric categorisation. Unless an exception applies, you must not process someone’s biometric information: 

  • to obtain, infer or generate information about their:
    • health
    • emotion, mood, personality, mental state or intention
    • attention level, state of fatigue or alertness
  • to categorise them according to categories that are protected grounds in the Human Rights Act.

See below for more guidance on each of the limits and the relevant exceptions.

Limit – detecting someone’s health information

You must not use a biometric system to analyse someone’s biometric information to obtain, infer or detect their health information unless an exception applies. 

For example, unless an exception applies:

  • You cannot use gait analysis to infer or detect whether an individual has a medical condition that affects movement.
  • You cannot detect skin conditions to provide targeted advertising for skin care products.

You are permitted to use biometric categorisation to detect or generate health information if one of the following exceptions applies:

The limit also won’t apply if:

  • You are a health agency providing health services to that person.

What is health information?

Health information is defined in the Health Information Privacy Code. Health information is information about a person’s health and includes information about their medical history, any disabilities they may have or have had, and information about health services that individual may have or have had in the past. 

Limit does not apply if you are a health agency providing health services 

As outlined above, the limit on using biometric categorisation to collect or detect health information does not apply to health agencies. This is because the Code does not apply to health agencies that are collecting biometric information to provide health services, so they are not subject to the limits in rule 10 or to any other part of the Code. Instead, the HIPC applies to their use of information.

Limit does not apply if individual has given their consent

If you have obtained the individual’s express authorisation to do so, you are not restricted from using biometrics to detect information about that person’s health.

Express authorisation means that you have met the following conditions:

  • informed the individual of all relevant information about the collection and use of their information,
  • given a genuine choice to the individual about whether to authorise the biometric categorisation, and
  • not pressured or coerced the individual into authorising the use of their information.

Example of when the authorisation exception may apply:

  • You give the individual all the relevant information and they expressly authorise you to infer or detect their health information through biometric categorisation e.g. to analyse their skin to detect a skin condition.

Examples of when the authorisation exception would not apply:

  • You are relying on implied authorisation, rather than express authorisation.
  • You did not adequately inform the individual about all the important information in advance (see rule 3 for more information on notice requirements).

Limit – monitoring attention, fatigue or alertness

You must not use a biometric system to infer or monitor someone’s state of fatigue, alertness or attention level unless the exception for health and safety, or another exception, applies. 

For example, unless an exception applies:

  • You cannot use biometric information to monitor what someone is paying attention to.
  • You cannot use biometric information to detect whether someone is feeling fatigued (tired).

Exception for health and safety purposes 

You may use biometric categorisation to infer or detect information about an individual’s state of fatigue, alertness or attention level, if you believe on reasonable grounds that doing so is necessary to prevent or lessen a risk to public health, public safety or the life or health of any individual.

Exception may apply:

  • You are an employer with employees in a potentially hazardous environment (e.g. operating heavy machinery) and you intend to use biometric categorisation to detect fatigue or loss of alertness/attention in drivers to reduce the risk of a crash or other accident.

Exception would not apply:

  • You are an employer in an office-work type environment and you want to detect alertness or attention to monitor employee productivity. Monitoring productivity is not necessary to reduce a risk to health, life or safety.

Other exceptions that could apply to monitoring attention, fatigue or alertness:

Limit – inferring someone’s emotions, mood, or personality 

You must not use a biometric system to analyse biometric information to infer information about an individual’s emotions, mood, personality, mental state or intention, unless an exception applies. For example, you are generally not permitted to use biometric categorisation to analyse facial features and expressions to infer someone’s personality traits (such as their levels of extroversion, conscientiousness, openness, agreeableness and neuroticism).

Examples of biometric categorisation that would be restricted under this limitation: 

  • Analysing verbal interaction to infer the emotions of two employees.
  • Inferring an applicant’s personality traits from facial movements and gestures in a video interview.
  • Detecting whether an employee is likely to be lying from eye movements in a workplace disciplinary process.
  • Monitoring customer emotional reactions to products and displays in a retail store.

Exceptions to limit on inferring emotions, mood or personality 

However, the limit on using a biometric system to analyse someone’s biometric information and infer information about their emotions, personality or mood does not apply if:

Limit – putting people into categories based on protected grounds under the Human Rights Act 

You must not use a biometric system to analyse someone’s biometric information and categorise them into categories that correspond to the prohibited grounds of discrimination listed in section 21(1) of the Human Rights Act.

For example:

  • Analysing facial features to infer someone’s gender, ethnicity or disability.
  • Recording information about someone’s physical reaction (e.g. to political advertisements) to infer political beliefs.
  • Categorising a customer by any restricted category (e.g. sexual orientation) to change what products are offered or change the price of product offerings to that customer.

The prohibited grounds of discrimination in the Human Rights Act, according to which you may not use biometric information to categorise people, include:

  • Sex, which includes pregnancy and childbirth.
  • Marital status.
  • Religious or ethical belief.
  • Colour, race, ethnicity, nationality or citizenship.
  • Disability, which includes physical disability or impairment, physical or psychiatric illness, intellectual or psychological disability or impairment, reliance on accessibility aids like a guide dog or wheelchair and certain other factors.
  • Political opinion, which includes the lack of a particular political opinion or any political opinion.
  • Employment status.
  • Family status.
  • Sexual orientation.

For more detail, see section 21(1) of the Human Rights Act.

Categorising by age or other demographic category (that is not a prohibited ground of discrimination under the Human Rights Act) 

The limit does not apply if you are categorising the relevant individual by age or by a demographic category that is not a prohibited ground of discrimination under section 21(1) of the Human Rights Act.

For example:

  • You are using a system to estimate the age of a person to monitor an age-based access limit to a website.  
  • You are using categorisation to sort photos of individuals into age groups (children, adult, elderly).
  • You are categorising individuals into demographic categories that are not prohibited grounds of discrimination e.g. by education level.

Other exceptions for demographic-based categorisation 

The limit on using a biometric system to analyse someone’s biometric information and categorise them according to a protected category does not apply if:

More information about the exceptions to the biometric categorisation limits 

As outlined above, there are some limited circumstances where the limits on biometric categorisation don’t apply. However, you must still comply with the other requirements in rule 10 about the purpose for which you can use information.

Exception for assisting a person with accessibility

You believe on reasonable grounds that using biometric categorisation is necessary to assist an individual with accessibility.

Accessibility means you are helping someone with a disability overcome or reduce barriers they face to participating on an equal basis with others.

Exception may apply:

  • You are using biometric categorisation to generate descriptions of people and the surrounding environment to provide to people with vision impairments. 

Exception would not apply:

  • You are using biometric categorisation to detect whether an individual has a disability for your own information and not to assist with accessibility e.g. you want to provide targeted advertising. 

Exception for responding to serious threats to individual or public safety

You believe on reasonable grounds that using biometric categorisation is necessary to prevent or lessen a serious threat to public health or public safety, or to the life or health of any individual.

Exception may apply:

  • You are a law enforcement agency responding to an urgent and critical situation that requires you to locate an individual in a crowd to avoid a serious threat to public safety, and using biometric categorisation is necessary to quickly locate the individual (e.g. you know some characteristics of the individual such as their race and sex, so the biometric categorisation helps narrow the possible identity of the person).

Exception would not apply:

  • There is a serious threat to life or health but using biometric categorisation (e.g. detecting emotions or categorising an individual into demographic categories) would not help mitigate or resolve the threat.

Exception for conducting statistical analysis or research

The biometric information is to be used for statistical or research purposes subject to ethical oversight and approval and will not be published in a form that could reasonably be expected to identify the individual concerned.

Exception may apply:

  • You are a research group conducting a study assessing the technical accuracy of a new type of biometric categorisation for detecting emotions in non-verbal individuals, you have received ethics approval for that research, have complied with the conditions the ethics committee recommended, and you otherwise comply with all rules in the Code.

Exception would not apply:

  • You are conducting product testing to trial a type of biometric categorisation, but you do not have ethical oversight or approval of the research.

Using previously collected information, or biometric information for a different type of processing

Rule 10 also limits organisations from starting to use personal information that wasn’t originally collected for biometric processing in a biometric system (e.g. photos, video or audio footage) unless it would be necessary and proportionate, and they have put in place appropriate safeguards.

It also limits organisations from using biometric information for a different type of processing than it was collected for unless the use is necessary, proportionate and relevant safeguards have been adopted. These restrictions reflect the threshold for collecting biometric information in rule 1 and ensure that the important and fundamental controls on biometric processing apply to the information an organisation already holds before it adopts new biometric processing or a different type of processing.

When do you need to assess necessity, proportionality and appropriate safeguards for processing information you already hold?

If you collected biometric information in accordance with rule 1, and you are using the biometric information for the same type of processing, then you do not need to reconsider the necessity, proportionality and safeguards under rule 10.

However, you will need to consider the necessity and proportionality of your use and the relevant safeguards if:

  • You are starting new biometric processing on information you did not collect in accordance with rule 1, or 
  • You are using biometric information for a different type of processing than it was originally collected for. 

For example:

  • You want to use facial recognition technology on an archive of CCTV footage that was not collected for biometric processing.
  • You hold a database of lawfully collected images of people that were not collected for biometric processing. You want to run a biometric deduplication process on the database to remove any duplicate images. 
  • You want to change from using a biometric verification system to using an identification system to control access to a secure place.

Full guidance on how to assess the necessity, proportionality and relevant safeguards is included in our rule 1 guidance.

Read our example scenarios of how an organisation might apply rule 10 in context.