The Permanent Nature of Biometric Data

Biometric data occupies a unique position in the data security landscape. Unlike a password that can be changed or a credit card number that can be reissued, biometric identifiers are permanent. Your fingerprints, facial geometry, iris patterns, and voiceprint do not change over your lifetime. If biometric data is exposed through improper device disposal, the individual cannot simply reset their biometric identity. This permanence makes biometric data one of the most sensitive categories of personal information, demanding the highest standards of protection during disposal.

The proliferation of biometric technology in everyday devices means that biometric data is now stored on an enormous range of equipment. Smartphones with fingerprint and face unlock, laptops with fingerprint readers, time-and-attendance systems, access control panels, and even some printers and copiers now collect and store biometric information. Each of these devices requires careful data handling when it reaches end of life.

Where Biometric Data Is Stored on Devices

Modern smartphones store fingerprint templates and facial recognition data in secure enclaves or trusted execution environments. Apple’s Secure Enclave and Android’s Trusted Execution Environment (TEE) are hardware-isolated areas designed to protect biometric data from the main operating system. However, the physical storage chips that house these secure areas still exist on the device’s circuit board and may retain data even after a factory reset, depending on the implementation.

Laptop fingerprint readers store biometric templates either in the reader’s own hardware module or on the laptop’s main storage. Enterprise fingerprint authentication systems may store templates centrally on a server, locally on the workstation, or in a combination of both locations. Understanding where templates are stored is essential for ensuring complete destruction.

Time-and-attendance systems and door access control panels often store biometric templates for all enrolled users directly on the device. A single access control panel at a building entrance may contain fingerprint or facial recognition templates for hundreds of employees and visitors.

CCTV and surveillance systems with facial recognition capabilities store both the facial recognition templates used for matching and the captured images from which those templates were derived. Video analytics platforms may maintain extensive databases of facial data collected from cameras across multiple locations.

Photocopiers and printers with user authentication features may store fingerprint data used for secure print release or access control to device functions.

Irreversible exposure: Unlike passwords or financial credentials, biometric data cannot be changed if compromised. A fingerprint template recovered from an improperly disposed device represents a permanent security risk for the individual whose biometric data it contains.

Legal Classification of Biometric Data

Under the Australian Privacy Act 1988, biometric information used for the purpose of automated biometric verification or identification is classified as sensitive information. Sensitive information receives a higher level of protection than ordinary personal information, with stricter requirements around collection, use, disclosure, and destruction.

The heightened classification of biometric data means that organisations must take particular care to ensure that reasonable steps are taken to destroy it when it is no longer needed. The standard that regulators will apply when assessing whether destruction was adequate is higher for biometric data than for general personal information such as names and addresses.

State and territory legislation may impose additional requirements. Victoria’s Information Privacy Act and Health Records Act include provisions relevant to biometric data, particularly in healthcare and government contexts where biometric identification is increasingly common.

Internationally, biometric data receives special protection under frameworks like the EU’s GDPR (where it is classified as special category data) and the Illinois Biometric Information Privacy Act (BIPA) in the United States, which has generated significant litigation around biometric data handling. Australian organisations with international exposure should be aware of these frameworks.

Data Destruction Approaches for Biometric Data

For smartphones and tablets, a full NIST 800-88 compliant sanitisation of the device, not just a factory reset, is recommended when the device has been used with biometric authentication. While most modern devices encrypt biometric data and destroy it during a factory reset, the variation between manufacturers and implementations means that a thorough approach is warranted.

For laptops with fingerprint readers, the storage location of biometric templates determines the destruction approach. If templates are stored on the main drive, standard disk sanitisation addresses them. If templates are stored in the fingerprint reader’s own hardware module, the module may need to be specifically cleared using manufacturer tools, or the module itself may need to be physically destroyed.

For access control panels and time-and-attendance systems, all enrolled biometric templates should be deleted through the device’s management interface before decommissioning. If the device will be recycled rather than redeployed, physical destruction of the storage components ensures no templates remain.

For CCTV and facial recognition systems, both the facial recognition database and any stored video containing identifiable facial imagery should be destroyed. The storage media in these systems, typically hard drives in DVRs or NVRs, should undergo standard data destruction processing.

For any device where the biometric data storage location is unclear or where there is uncertainty about whether software-based deletion has been thorough, physical destruction of the relevant electronic components provides definitive assurance that biometric data cannot be recovered.

Organisational Policy Requirements

Organisations that collect biometric data should have specific provisions in their data destruction policy addressing biometric information. These provisions should identify all devices and systems that collect or store biometric data, specify destruction methods appropriate to the heightened sensitivity of biometric information, require verification that biometric templates have been completely removed, and mandate documentation of biometric data destruction for compliance records.
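
The following is an added example, not part of the original article: it applies the device-by-device destruction approaches and the verification and documentation provisions described above as an audit over a disposal inventory. The device kinds, location labels, action names and sample inventory are constructed for illustration, and treating physical destruction as satisfying any requirement is an assumption drawn from the article's statement that it provides definitive assurance.

```python
# Added example. Device kinds, location labels and action names are labels
# invented for this sketch, not a standard vocabulary.
PHYSICAL = "physical_destruction"

def required_steps(dev):
    """Requirement groups for one device; any action in a group satisfies it."""
    kind, loc = dev["kind"], dev.get("template_location") or set()
    steps = []
    if kind in ("smartphone", "tablet") and loc:
        steps = [{"nist_800_88_sanitisation"}]  # a factory reset alone does not count
    elif kind == "laptop":
        if "main_drive" in loc:
            steps.append({"disk_sanitisation"})
        if "reader_module" in loc:
            steps.append({"module_cleared_with_vendor_tool", "module_destroyed"})
    elif kind in ("access_panel", "time_attendance") and loc:
        steps = [{"templates_deleted_via_management_interface"}]
        if dev.get("disposition") == "recycle":
            steps.append({PHYSICAL})
    elif kind == "cctv_recorder" and loc:
        steps = [{"face_database_destroyed"}, {"stored_video_destroyed"},
                 {"storage_media_sanitised"}]
    # Unknown storage location or unrecognised device: physical destruction.
    return steps or [{PHYSICAL}]

def audit(dev):
    """Return the list of unmet requirements for one inventory entry."""
    done = set(dev.get("actions", []))
    # Assumption: physical destruction satisfies any requirement group.
    gaps = [" or ".join(sorted(g)) for g in required_steps(dev)
            if not done & (g | {PHYSICAL})]
    if not dev.get("verified"):
        gaps.append("verification")
    if not dev.get("record_id"):
        gaps.append("documentation")
    return gaps

# Constructed sample inventory.
INVENTORY = [
    {"id": "PH-01", "kind": "smartphone", "template_location": {"secure_enclave"},
     "actions": ["factory_reset"], "verified": True, "record_id": "R-1"},
    {"id": "LT-07", "kind": "laptop", "template_location": {"main_drive", "reader_module"},
     "actions": ["disk_sanitisation"], "verified": True, "record_id": "R-2"},
    {"id": "AC-03", "kind": "access_panel", "template_location": {"onboard_flash"},
     "disposition": "recycle", "verified": True, "record_id": "R-3",
     "actions": ["templates_deleted_via_management_interface", PHYSICAL]},
    {"id": "PR-09", "kind": "printer", "template_location": set(),
     "actions": ["factory_reset"], "verified": False, "record_id": None},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(dev["id"], audit(dev) or "complete")
```

An empty list from `audit` means every requirement for that device has a recorded action, a verification flag and a destruction record.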

Staff awareness is important. Employees who enrol their biometrics on work devices should understand that this data exists on the device and will be handled appropriately when the device reaches end of life. This transparency builds trust and supports compliance with the notice requirements of the Privacy Act.

The Stakes of Getting It Wrong

Biometric data exposure from improperly disposed devices cannot be remediated after the fact. You cannot issue new fingerprints. You cannot change someone’s facial geometry. The consequences of a biometric data breach are permanent for the affected individuals. This permanence demands that organisations treat biometric data destruction with the utmost seriousness, applying the highest available standards and maintaining thorough documentation of every step in the process.