Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Biometrics can make your business faster and more secure - think fingerprint access to your office, Face ID for staff sign-in, or voice recognition in your customer service system.
But in the UK, most biometric data is classed as “special category” personal data. That means stricter rules under UK GDPR and the Data Protection Act 2018 (DPA 2018). If you get it wrong, you risk ICO investigations, fines, and employee or customer complaints.
In this guide, we’ll walk through clear biometric data examples, when the law treats them as special category data, and the practical steps to stay compliant if you’re considering biometrics in your workplace or product.
What Is Biometric Data Under UK Law?
Under UK GDPR, biometric data is personal data resulting from specific technical processing of physical, physiological or behavioural characteristics that allow or confirm unique identification. It’s not just any photo, recording, or measurement - it’s data captured or processed in a way that enables unique identification.
When Is Biometric Data “Special Category”?
Biometric data becomes “special category” data when it’s processed for the purpose of uniquely identifying a person. This triggers tighter rules, including the need for an Article 9 condition (on top of a lawful basis under Article 6) and stronger safeguards.
Biometric Data Examples (Common In Business)
- Fingerprints used for clocking in, building access, or device unlock.
- Facial recognition templates for door entry, employee sign-in, or customer verification.
- Iris/retina scans used in high-security environments.
- Voiceprints for identity verification (e.g. “my voice is my password” phone systems).
- Hand geometry scans used for access control or time and attendance.
- Behavioural biometrics such as keystroke dynamics or mouse movement patterns used to spot account takeover.
- Vein pattern recognition (palm or finger) for secure access.
- Signature dynamics (pressure, speed, stroke pattern) used for identity verification.
Importantly, a simple CCTV recording of someone’s face is not automatically special category biometric data. It becomes biometric data if you use specific technical processing for unique identification (e.g. facial recognition matching to an identity). If you record sound along with images, consider the additional compliance issues around CCTV with audio.
What UK Laws Apply To Biometric Data?
If your business uses biometrics to identify people (employees, contractors, visitors, or customers), you’ll need to comply with the UK GDPR and the DPA 2018. In practice, that means you should address the following areas before you switch anything on.
1) You Need A Lawful Basis (Article 6)
You must identify a lawful basis for processing personal data. Many businesses look at legitimate interests or performance of a contract, but you’ll need to assess this carefully and document your reasoning. If you’re dealing with employees, remember there’s often an imbalance of power, so relying on consent is usually risky.
2) You Also Need An Article 9 Condition
Because biometric data used for identification is special category data, you must meet a separate Article 9 condition. In employment settings, businesses often consider:
- Explicit consent (must be freely given, specific, informed and unambiguous - very hard to achieve with employees because consent must be genuine and refusal must carry no detriment), or
- Employment, social security and social protection law (only where a specific obligation or right under UK employment law necessitates biometrics - which is uncommon - and you also have an appropriate policy document in place, as Schedule 1 of the DPA 2018 requires), or
- Substantial public interest (only where one of the specific conditions in Schedule 1 of the DPA 2018 applies and you have an appropriate policy document in place).
In lots of workplaces, these conditions are difficult to meet, which is why you should seriously evaluate whether biometrics are necessary, and ensure a robust alternative is available for anyone who opts out without penalty.
3) Data Protection Impact Assessment (DPIA)
Biometric processing is likely “high risk”, so a DPIA is generally expected before deployment. A DPIA documents the purpose, necessity, legitimate interests, risks to individuals, and the safeguards you’ll put in place (like access controls, encryption, and alternatives for opt-out).
4) Transparency And Privacy Notices
You need to explain what you’re doing, why, and how long you’ll keep the data in a clear, accessible notice. For staff, this sits within your employee privacy notice; for customers or visitors, your external-facing Privacy Policy and signage should cover the essentials.
5) Purpose Limitation, Minimisation And Retention
Only collect what you need (e.g. the matching template the sensor produces, not the raw fingerprint or face image; note that an ordinary cryptographic hash is not a substitute for a template, because two captures of the same finger never produce identical data and so cannot be matched against a hash), use it only for the stated purpose (e.g. access control), and keep it for the shortest time necessary. Build and document a sensible retention schedule.
6) Security Measures
Special category data demands appropriate technical and organisational measures: encryption at rest and in transit, strict role-based access, audit logs, regular testing, and vendor due diligence.
7) Individual Rights
People can exercise rights (access, erasure, objection, restriction) and you must have a process to respond on time - normally within one month of the request. This includes dealing with subject access requests that cover biometric data and the audit trails that record who accessed it.
8) Processors And International Transfers
If a third-party vendor processes biometric data for you, you need a compliant Data Processing Agreement. If data leaves the UK, ensure appropriate transfer safeguards (e.g. the ICO's International Data Transfer Agreement, or the UK Addendum to the EU SCCs) and complete a transfer risk assessment.
9) Equality And Employment Considerations
Under the Equality Act 2010, ensure your approach doesn’t indirectly discriminate. For example, some staff may be unable or unwilling to provide biometrics for lawful reasons; you must offer a reasonable alternative without detriment.
Can You Use Biometric Clocking Or Access Control At Work?
Yes - but you’ll need to clear some important legal hurdles. The ICO has flagged concerns about proportionality and necessity in workplace biometric systems. In short: if there’s a less intrusive way to achieve your aim (e.g. ID cards or PINs), you should consider that first, or at least offer it as a genuine alternative.
Time and attendance systems are a common use case. Before implementing fingerprint clocking machines or face scanners, work through a DPIA with input from HR, IT and your data protection lead. In most businesses, relying on employee “consent” will not be robust because refusal must be without detriment - and in reality, staff often feel they can’t say no.
A Practical Approach For Employers
- Define the problem and objective: why biometrics are needed versus a smart card or code.
- Run a documented DPIA with a realistic alternatives analysis and mitigation plan.
- Choose a vendor that stores templates securely (not raw images), preferably on-device, and supports encryption and strict access controls.
- Offer a genuinely equal, non-biometric option (e.g. card or PIN) with no penalty or stigma for using it.
- Update your staff privacy notice and relevant policies, and consult with staff/representatives before rollout.
- Test your process for onboarding, opt-outs, access requests, and deletion when someone leaves.
If you use CCTV systems with analytics or sound recording, revisit your risk assessment - combining video, audio, and facial analytics increases intrusiveness and legal risk, and must be justified. Our guide on CCTV with audio steps through the extra considerations.
Biometric Data Examples You Should Treat As Special Category
To help you issue-spot, here are common scenarios where the law is likely to treat your processing as special category biometric data (because it’s used to uniquely identify a person):
- Fingerprint templates for employee clock-in or door access.
- Facial recognition templates for staff access control or customer age/identity checks.
- Iris/retina scan data used for secure facility entry.
- Voiceprints used to authenticate a caller to their account.
- Behavioural templates (keystrokes, gait, mouse movement) when used to authenticate or identify a specific individual.
- Palm/vein pattern templates for laboratory or data centre access.
By contrast, there are edge cases where the data itself might look “biometric” but isn’t special category because you’re not using it to identify a person. For example, anonymised gait data used only for aggregate footfall analytics may fall outside special category rules if it cannot be linked back to an identifiable person. However, if there’s any reasonable means to re-identify, treat it as personal data at minimum.
A Compliance Checklist For Rolling Out Biometrics
Use this as a starting point before you deploy any biometric system in your business.
1) Strategy And Necessity
- Write a short business case: aim, outcomes, and why biometrics are necessary and proportionate.
- List non-biometric alternatives and explain why they are insufficient - or plan to offer them as equal opt-outs.
2) Data Protection Impact Assessment
- Conduct and document a DPIA covering purpose, lawful basis, Article 9 condition, risks, and mitigations.
- If risks remain high, consult the ICO before proceeding.
3) Vendor Due Diligence And Contracts
- Assess security (encryption at rest and in transit, whether only templates rather than raw images are stored, where matching happens), access controls, certifications, and locations of processing.
- Put a compliant Data Processing Agreement in place with processors; use a Data Sharing Agreement if you share data with other controllers.
- Check international transfers and implement UK-approved transfer tools where needed.
4) Policies, Notices And Training
- Update your Privacy Policy and staff privacy notice to cover biometric processing, retention, and rights.
- Draft internal procedures for onboarding, opt-outs, access/erasure requests, and offboarding deletion.
- Train managers and admins on appropriate use, access, and incident handling.
5) Security And Access Controls
- Use privacy-by-design settings: store templates, not raw images; apply encryption; limit admin access; and maintain audit logs.
- Segment systems so biometric data is isolated and protected with multi-factor admin access.
- Set and enforce a retention schedule; automate deletion when someone leaves or the purpose ends.
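The security and retention points in sections 5 and 6 above and in this checklist item are easier to reason about as code. The following is an added example, not code from the original article or from any vendor: a small in-memory template vault that stores only a sensor-produced template, gates every operation by role, records an audit trail, refuses bulk export, and deletes templates automatically once a retention window after offboarding has passed. Everything specific to it is an assumption for illustration: the role names, the 32-byte template length, the toy bit-distance matcher and its 10% threshold, and the 7-day purge window. Encryption at rest is left to the backing store and is not shown.

```python
"""Added example (not from the original article): a minimal biometric template
vault applying templates-not-images, least-privilege access, audit logging,
purpose limitation and scheduled deletion.

All parameters are hypothetical: roles, template length, matching threshold
and retention window would come from your DPIA and your sensor vendor.
"""
from __future__ import annotations

import time
from dataclasses import dataclass

TEMPLATE_LEN = 32                           # assumption: the sensor SDK emits 32-byte templates
MAX_MISMATCH_FRACTION = 0.10                # assumption: toy threshold; real matchers use vendor scores
RETENTION_AFTER_LEAVING_S = 7 * 24 * 3600   # assumption: purge within 7 days of leaving

# Which role may perform which operation (assumed role model). Nobody may bulk-export.
PERMISSIONS = {
    "enrol": {"admin"},
    "verify": {"door-controller", "admin"},
    "offboard": {"admin", "hr"},
    "sweep": {"admin"},
    "export": set(),
}


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def match(stored: bytes, live: bytes) -> bool:
    """Fuzzy comparison. Two captures of the same finger never yield identical
    bytes, which is why a cryptographic hash of a sample cannot be matched
    against and why a comparison-capable template (and nothing more) is kept."""
    if len(stored) != TEMPLATE_LEN or len(live) != TEMPLATE_LEN:
        return False
    return hamming(stored, live) <= MAX_MISMATCH_FRACTION * TEMPLATE_LEN * 8


@dataclass
class Enrolment:
    staff_id: str
    template: bytes        # matching template only; the raw image never leaves the sensor
    purpose: str           # the single purpose this template may be used for
    enrolled_at: float
    left_at: float | None = None


class TemplateVault:
    """In-memory stand-in for the encrypted backing store (encryption at rest is
    the storage layer's job and is not shown here)."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock so retention can be tested
        self._store: dict[str, Enrolment] = {}
        self.audit: list[dict] = []          # append-only trail of every access attempt

    def _log(self, actor, role, action, subject, outcome):
        self.audit.append({"ts": self._now(), "actor": actor, "role": role,
                           "action": action, "subject": subject, "outcome": outcome})

    def _authorise(self, actor, role, action, subject):
        if role not in PERMISSIONS[action]:
            self._log(actor, role, action, subject, "denied")
            raise PermissionError(f"role {role!r} may not {action}")

    def enrol(self, actor, role, staff_id, template, purpose):
        self._authorise(actor, role, "enrol", staff_id)
        if len(template) != TEMPLATE_LEN:
            raise ValueError("expected a sensor template, not a raw capture")
        self._store[staff_id] = Enrolment(staff_id, bytes(template), purpose, self._now())
        self._log(actor, role, "enrol", staff_id, "ok")

    def verify(self, actor, role, staff_id, live_template, purpose) -> bool:
        self._authorise(actor, role, "verify", staff_id)
        rec = self._store.get(staff_id)
        # Purpose limitation: a door-access template may not be reused for anything else,
        # and a leaver's template stops working immediately even before it is deleted.
        if rec is None or rec.left_at is not None or rec.purpose != purpose:
            self._log(actor, role, "verify", staff_id, "no-active-enrolment-for-purpose")
            return False
        ok = match(rec.template, live_template)
        self._log(actor, role, "verify", staff_id, "match" if ok else "no-match")
        return ok

    def offboard(self, actor, role, staff_id):
        self._authorise(actor, role, "offboard", staff_id)
        rec = self._store.get(staff_id)
        if rec is not None:
            rec.left_at = self._now()        # starts the retention clock
        self._log(actor, role, "offboard", staff_id, "ok" if rec else "unknown")

    def sweep(self, actor, role) -> list[str]:
        """Delete templates whose retention window has expired; returns who was purged."""
        self._authorise(actor, role, "sweep", "*")
        cutoff = self._now() - RETENTION_AFTER_LEAVING_S
        purged = [sid for sid, r in self._store.items()
                  if r.left_at is not None and r.left_at <= cutoff]
        for sid in purged:
            del self._store[sid]
            self._log(actor, role, "delete", sid, "retention-expired")
        return purged

    def export(self, actor, role):
        self._authorise(actor, role, "export", "*")   # always denied: no role is listed


if __name__ == "__main__":
    # Constructed sample data: an all-zero enrolment template and a live capture
    # that differs in 24 of 256 bits, as a stand-in for sensor output.
    vault = TemplateVault()
    vault.enrol("alice", "admin", "s1", bytes(TEMPLATE_LEN), "door-access")
    live = bytes([0xFF, 0xFF, 0xFF]) + bytes(TEMPLATE_LEN - 3)
    print(vault.verify("door-1", "door-controller", "s1", live, "door-access"))
```

Run the module directly for a short demonstration, or call the class from a scheduler: the `sweep` method is what an overnight job would run so that deletion happens without anyone remembering to do it, and the `audit` list is what you would ship to a log store to answer a subject access request about who looked at a template and when.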
6) Rights Handling And Incident Response
- Set up a process to handle subject access and erasure requests within the statutory timeframes (normally one month).
- Prepare and test your Data Breach Response Plan, including the criteria for notifying the ICO (within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals) and for telling affected individuals.
Real-World Use Cases: What Good Looks Like
Access Control For A Small Office
Goal: control entry to a workspace with minimal admin and lost-card headaches.
Better practice: offer staff a choice between a smart card/PIN and a facial recognition template stored on a secure, on-premise controller. Run a DPIA, restrict who can view or export data, and delete templates when someone leaves. Be transparent in staff notices and ensure no one is penalised for opting out.
Time And Attendance For A Retail Team
Goal: reduce “buddy punching” and improve payroll accuracy.
Better practice: assess whether a geofenced mobile app with PIN achieves the same aim. If you still need biometrics, consider on-device fingerprint templates rather than cloud storage, ensure an equal non-biometric option, and review reasons for choosing biometrics in your DPIA. For a deeper dive, see our note on fingerprint clocking machines.
Customer Identity Verification In A Fintech App
Goal: step-up authentication using a face template for high-risk transactions.
Better practice: use liveness checks and biometric templates from a vetted provider, with strong encryption and hosting in the UK or in a location covered by an approved transfer mechanism. Provide a non-biometric fallback and explain clearly in your in-app privacy information what you collect and why. Contractually lock down your vendor's processing through a tight Data Processing Agreement.
Essential Legal Documents For Biometric Projects
Getting your paperwork right will make implementation smoother and reduce risk.
- Privacy Policy and staff privacy notice – explain what biometric data you collect, why, how it’s secured, retention periods, and rights.
- Data Processing Agreement – required when a vendor processes biometric data for you (e.g. cloud-based access control).
- Data Sharing Agreement – if you share biometric data with another controller (e.g. a joint venture site operator).
- Data Breach Response Plan – so your team knows how to respond quickly to potential incidents involving special category data.
If your biometric system is part of wider workplace monitoring (e.g. cameras, microphones, analytics), revisit your CCTV policy and signage, and reassess any audio capture in line with the issues around CCTV with audio.
Frequently Asked Questions
Is Consent Enough For Employees?
Usually not. Consent must be freely given, which is hard to rely on in employment due to power imbalance. If staff can’t refuse without detriment, it isn’t valid “explicit consent”. That’s why alternatives (e.g. card/PIN) and a strong DPIA are so important.
Can We Store Biometric Templates In The Cloud?
Yes, but only with robust security, clear contractual controls, minimised data (templates not raw images), and transfer safeguards if data leaves the UK. Complete due diligence and put a solid Data Processing Agreement in place.
Do We Have To Do A DPIA?
It’s strongly expected for high-risk processing like biometrics. The DPIA helps you justify necessity and proportionality, and forces you to plan mitigations before deployment.
What About Visitors Or Contractors?
Apply the same principles: be transparent, limit collection to what’s necessary, provide a non-biometric option, and delete data promptly when it’s no longer needed.
Key Takeaways
- Most biometric data used for identification (fingerprints, face templates, voiceprints) is special category data under UK GDPR - you’ll need a lawful basis and an Article 9 condition, plus strong safeguards.
- Run a DPIA early. Document why biometrics are necessary and proportionate, and offer a genuine, non-biometric alternative with no detriment for opting out.
- Tighten security: collect templates not raw images, encrypt everything, restrict access, log admin actions, and set short retention periods with automated deletion.
- Be transparent with staff and customers through clear notices and your public-facing Privacy Policy; prepare processes for handling access/erasure requests and incidents.
- Lock down vendors with a Data Processing Agreement, and consider a Data Breach Response Plan and Data Sharing Agreement where appropriate.
- If you’re deploying biometric clocking or access systems, review the risks around workplace monitoring and audio/video capture - our guides on fingerprint clocking machines and CCTV with audio explain the pitfalls.
If you’d like expert help to assess a biometric system, run a DPIA, or get the right documents in place, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.