Resources and learning
These scenarios are examples of how an agency might apply rule 5 in context.
Facial recognition by a retail store to operate a watchlist
A store intends to use FRT to identify individuals on a watchlist to help improve staff and customer safety.
As part of complying with rule 5, the store makes deliberate decisions about how the system will operate and how the information will be protected, to help minimise the amount of biometric information collected and ensure it is adequately protected. For example:
- Immediate deletion of non-match images.
- Ensuring stored biometric information is encrypted.
- Restricting user access to the biometric system to a limited number of staff with additional training. Access is logged and there will be regular audits.
- Choosing a biometric system that complies with relevant ISO/IEC biometric standards. The system chosen also has a high level of accuracy when capturing images in the “wild”, i.e. under the actual lighting, angle and crowd conditions found in the store.
- Ensuring biometric templates are irreversible, unlinkable, and revocable.
- Regularly reviewing security practices and taking action on any identified issues.
- Mitigating known bias or accuracy problems in the technology.
- Not linking biometric information to any other customer data, e.g. a loyalty programme.
- Alerts from the watchlist only go to authorised devices on the store’s network.
- Securely destroying biometric information when no longer needed.
Fingerprint scan for Multi Factor Authentication (MFA)
A business has access to highly sensitive information. It wants to ensure only the correct staff members have access to a limited, highly restricted database. It decides to implement a multi-factor authentication system using employee fingerprints. The business implements a range of security measures to comply with rule 5, for example:
- Processing biometric samples into biometric templates and deleting the original samples.
- Storing the biometric template locally on each employee’s device and not linking the biometric template with any other employee personal information.
- Ensuring a high standard of technical protection for the biometric information.
- Keeping the employee devices’ operating system and software up to date by applying the latest updates and patches.
- Ensuring the business can and will audit any access (or attempted access) to biometric information.
- Securely deleting biometric information when the relevant employee no longer needs access to the restricted database.
- Regularly reviewing security practices and taking action on any identified issues.
- Having clear organisational policies and practices around how biometric information is collected, held, disclosed and destroyed.
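As an added illustration, not part of this guidance and not any vendor's product, of what “irreversible, unlinkable, and revocable” templates (first scenario) and “processing samples into templates and deleting the originals” (second scenario) look like in practice, the following Python code builds a cancelable template from a feature vector using a secret-keyed random projection (BioHashing-style). The feature vectors, secrets and the 25% matching threshold are constructed placeholders; a real deployment would take its feature vectors from a certified extractor and tune the threshold from measured error rates.

```python
import hashlib
import random
from typing import List, Sequence

Template = List[int]  # binary cancelable template, e.g. 64 bits


def _projection(secret: bytes, dims: int, bits: int) -> List[List[float]]:
    """Derive a secret-keyed random projection matrix (bits x dims).
    The secret is the 'cancel' factor: a fresh secret gives an unrelated
    matrix, so templates can be revoked and are unlinkable across systems."""
    seed = int.from_bytes(hashlib.sha256(b"cancelable-v1|" + secret).digest(), "big")
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(dims)] for _ in range(bits)]


def protect(features: Sequence[float], secret: bytes, bits: int = 64) -> Template:
    """Map a raw feature vector (what a face/fingerprint extractor outputs) to a
    binary template. Keeping only the sign of each projection discards the
    magnitudes, so the mapping is many-to-one and the template is irreversible."""
    matrix = _projection(secret, len(features), bits)
    return [1 if sum(w * x for w, x in zip(row, features)) >= 0.0 else 0 for row in matrix]


def hamming_fraction(a: Template, b: Template) -> float:
    """Fraction of differing bits; ~0.5 for unrelated templates."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def matches(stored: Template, probe: Sequence[float], secret: bytes, threshold: float = 0.25) -> bool:
    """Compare a live sample against a stored template under the same secret."""
    return hamming_fraction(stored, protect(probe, secret, len(stored))) <= threshold


def constructed_samples(seed: int = 7, dims: int = 32):
    """Constructed stand-ins for extractor output: an enrolment vector, a noisy
    re-capture of the same person, and an unrelated person (constructed data)."""
    rng = random.Random(seed)
    enrol = [rng.gauss(0.0, 1.0) for _ in range(dims)]
    genuine = [x + rng.gauss(0.0, 0.15) for x in enrol]
    impostor = [rng.gauss(0.0, 1.0) for _ in range(dims)]
    return enrol, genuine, impostor


if __name__ == "__main__":
    enrol, genuine, impostor = constructed_samples()
    secret_v1, secret_v2 = b"per-system-secret-v1", b"per-system-secret-v2"  # placeholders
    stored = protect(enrol, secret_v1)  # only the template is kept ...
    del enrol                           # ... the original sample is discarded
    print("genuine match:", matches(stored, genuine, secret_v1))    # True
    print("impostor match:", matches(stored, impostor, secret_v1))  # False
    # Revocation: rotate the secret; a leaked template no longer verifies anyone.
    print("old template after rotation:", matches(stored, genuine, secret_v2))  # False
```

Because the same person enrolled under two different secrets yields templates that differ in roughly half their bits, a template stolen from one system cannot be matched against another, which is the unlinkability property the guidance asks for.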