Protection of personal information in South Africa: a framework for biometric data collection security

Abstract

The use of biometric technology as a means to improve national security and reduce fraud has been adopted by many countries including South Africa. This technology involves the collection of biometric data which is attributed as part of one’s personal information. Like many other countries, South Africa, in 2013 officially approved and enacted the Protection of Personal Information Act, which gives guidelines that should be followed when processing personal information. The Act regards biometric data in the same way as any other personal data. As such the processing of biometric data is regulated in the personal information protection act of the country. The responsible party for the collection of personal information needs to implement strict and appropriate measures to protect personal data against unauthorised access. In areas where biometric systems are implemented, biometric data cannot be collected without the knowledge of the concerned person. Designers of biometric systems must engage with appropriate biometric security experts to ensure that security vulnerabilities are appropriately tackled, especially if existing systems are migrated to the internet. This is particularly important because once a biometric data is compromised; it cannot be replaced like passwords and tokens. In this paper we proposed a framework for biometric data collection security using South Africa as our case study. The framework aims to bridge the gap between the collectors of biometric data, biometric security experts and the law enforcement agency for compliance with the protection of personal information act.