PDAT-02

Do you capture or create genetic, biometric, or behaviometric information (e.g., facial recognition or fingerprints)?

Explanation

This question asks whether your organization collects or processes particularly sensitive personal data: genetic information (DNA, family medical history, genetic test results), biometric data (physical characteristics that can be used for identification, such as fingerprints, retina scans, or facial recognition), or behaviometric information (behavioral patterns that can identify individuals, such as typing patterns, gait analysis, or voice recognition).

It is included in security assessments because these types of data are considered highly sensitive and are often subject to special regulatory requirements and heightened security controls. For example, in many jurisdictions biometric data is treated as a special category of personal data under privacy laws such as GDPR, CCPA, or BIPA (the Biometric Information Privacy Act). Collecting such data creates additional compliance obligations and security risks.

The best way to answer this question is to be completely transparent about what types of sensitive data your organization collects, if any. If you do collect such data, be prepared to explain:

1. What specific types of genetic/biometric/behaviometric data you collect
2. Why this data is necessary for your service/product
3. How you secure this particularly sensitive data
4. What compliance measures you have in place for relevant regulations

If you don't collect such data, a simple but definitive statement to that effect is appropriate.

Guidance

Genetic information would include information about genetic tests, genetic tests of family members, actual manifestations of diseases, and family medical records. Biometric information includes elements such as facial recognition, fingerprints, and voice recognition. Behaviometric information is behavioral information collected and analyzed in order to understand human behavior. The exact elements collected may depend on the requirements of an applicable regulation or law.

Example Responses

Example Response 1

No, our application does not capture or create any genetic, biometric, or behaviometric information. Our authentication system relies solely on username/password combinations and optional multi-factor authentication using time-based one-time passwords (TOTP). We do not implement facial recognition, fingerprint scanning, voice recognition, or any other biometric identification methods. Our analytics platform tracks only standard user behavior metrics like page views and click patterns, but does not attempt to identify individuals based on behavioral patterns.

Example Response 2

Yes, our mobile application includes an optional fingerprint authentication feature that allows users to log in using their device's built-in fingerprint scanner. However, it's important to note that we do not store the actual fingerprint data on our servers. Instead, we leverage the device's secure enclave and biometric APIs (such as Apple's Touch ID or Android's Fingerprint Authentication), which provide only a yes/no response regarding authentication success. The biometric data itself remains encrypted and stored only on the user's device. We have implemented this feature in compliance with GDPR, CCPA, and BIPA requirements, including explicit user consent flows, clear privacy notices, and the ability to opt out in favor of traditional authentication methods.

Example Response 3

Our organization does collect biometric data in the form of facial images for our secure access control system, but we currently lack some of the required compliance controls for this sensitive data type. The system captures facial images of employees and visitors at building entry points and compares them against stored templates for authentication purposes. While we do encrypt this data at rest and in transit, we acknowledge that we have not yet implemented a comprehensive biometric data management policy that would meet all requirements of regulations like BIPA or GDPR. We are currently working with our legal and security teams to develop appropriate consent mechanisms, retention policies, and security controls specific to biometric data, with an expected completion date of Q3 this year. In the meantime, we offer alternative authentication methods for individuals who do not consent to biometric collection.

Context

Tab: Privacy
Category: Privacy of Sensitive Data


Neil Cameron
Founder, ResponseHub