Biometric Data: A Form of Sensitive Personal Data or not under the NDPR?
Hey there!
Welcome to another edition of Privacy Notes!
To begin with, we must understand what biometric data is before determining what box it fits into. We must also understand what sensitive data is and the kinds of data that fall under this category. According to the GDPR, biometric data means personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopy data.[1] Put simply, it is automated biological data of a natural person.
On the other hand, sensitive data, in the language of the GDPR, refers to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership; genetic data; biometric data processed solely to identify a human being; health-related data; and data concerning a person’s sex life or sexual orientation.[2] The Nigerian equivalent of the GDPR, the NDPR, defines sensitive data to mean data relating to religious or other beliefs, sexual orientation, health, race, ethnicity, political views, trades union membership, criminal records or any other sensitive personal information.[3]
There seems to be a similarity between the GDPR and NDPR definitions, save for the exclusion of biometric data from the definition of sensitive data in the NDPR. This write-up seeks to determine what category of data biometric data falls under within the context of Nigerian law.
Like every other argument ever canvassed, be it the 6 and 9 or the glass that is half full or half empty, proponents on either side have valid assertions to give credence to their position. Looking at both definitions of sensitive data under the NDPR and the GDPR, one will agree that the NDPR is basically a spinoff of the GDPR with a few tweaks here and there. From the NDPR’s specific exclusion of biometric data, it may be inferred that the draughtsman did not intend for biometric data to form part of sensitive personal data. It is arguable that the general words “any other sensitive personal information” in the NDPR’s definition may imply that biometric data will come under “any other sensitive personal information”. While this may be a reasonable inference, the argument may not be legally sustainable under the “ejusdem generis rule”.
The ejusdem generis rule is the rule of statutory interpretation which provides that where a general word or phrase follows a list of specific terms, the general word will be interpreted to include only items of a similar nature to the terms specified. The words in the NDPR’s definition of sensitive personal data that precede the general words “any other sensitive personal information” may be regarded as words which may suggest bias against a person, which is not the nature of biometric data. Therefore, biometric data may not be regarded as Sensitive Personal Data within the context of the general words “other sensitive personal information” under the NDPR.
The other side of the divide would argue that biometric data should fall within the scope of sensitive data on the basis that the GDPR, being the global standard regulation on data protection, not only recognized it as sensitive data but went further to brand it as a special kind of sensitive data where such data is collected solely to identify a human being.
While it is beyond argument that biometric data are personal data, as they relate to an identifiable natural person/individual, what remains arguable under Nigerian law is whether biometric data can be regarded as sensitive personal data or not. That said, personal data, whether ordinary or sensitive, should be treated with the required level of care by Data Controllers. Due to the nebulous nature of whether biometric data is sensitive personal data or not under the NDPR, it is my thought that a Data Controller should treat it as sensitive from a risk mitigation perspective.
[1] GENERAL DATA PROTECTION REGULATION (GDPR), Art 4 – Definitions
[2] Ibid
[3] NIGERIA DATA PROTECTION REGULATION 2019 (NDPR) Part 1