Biometric information is
||an individual's physiological, biological or behavioral characteristics, including information pertaining to an individual's deoxyribonucleic acid (DNA), that is used or intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or gait rhythms, and sleep, health, or exercise data that contain identifying information.
Privacy as a term can signify many different concepts, some overlapping at times. The extraordinary advances and popularity of information technology bring one conceptualization of privacy — information privacy — to the forefront of the privacy protection discussion. The touch point of privacy and biometric technologies is in the nature and use of information. Biometric systems use information generated from observing individuals to recognize a particular individual. Since personal information is any information that could be used in any way to identify an individual, biometric information is personal information even in those situations where the identity of the individual associated with the biometric information is unknown.
||The management of biometric information in a manner that respects privacy, civil rights, and civil liberties requires organizations to address specific questions surrounding the collection, retention, use, and sharing of biometric information. Indeed, the fact that the physical person is the source of the information creates even higher expectations for the protection of privacy. For example, the manner of collection can be pivotal. The mass collection and retention of biometric data, such as scanning all faces in a crowd without the knowledge or consent of the individuals, raises somewhat different concerns about privacy than perhaps a program that collects biometric information from individuals one at a time after obtaining their consent. In addition, mass collection and retention undertaken as a proactive preventive task — rather than as a response to a predicate criminal act — creates the potential for discovering more information than is needed, exacerbating privacy concerns. The risk is also higher for biometric data than for more traditional types of personal information because the data collected could be used for a purpose beyond that which justified the initial collection (for example, finding a suspect rather than just verifying identity).