Should we consider fingerprint minutiae as biometric data?
March 14, 2017
I wrote a letter to the Data Protection Commissioner today in order to obtain some clarification on whether fingerprint minutiae are biometric data.
The Supreme Court of Mauritius in its verdict in the case JUGNAUTH Pravind Kumar (Hon) vs The State of Mauritius (2015 SCJ 178), said the following:
« we grant a permanent writ of injunction prohibiting the defendants from storing, or causing to be stored, as the case may be, any fingerprints or biometric information data obtained on the basis of the provisions in the National Identity Card Act and the Data Protection Act. »
The website of the Mauritius National Identity Card Unit (www.mnic.mu) has not been operational for more than a year. I emailed the Civil Status Division for information on the identity card but I was instead asked to contact the Ministry of Technology, Communication and Innovation. I emailed MTCI asking for information regarding a “consent form” that is required to be signed to allow “temporary” storage of the fingerprint images, but I did not receive a reply. I could not find any information about the recording of fingerprints, temporary storage of fingerprint images and storage of fingerprint minutiae in the chip of the identity card. It is reported in the press that the fingerprint minutiae will be stored in the chip of the card.
I wrote to the Mauritius Standards Bureau for further information on the ISO/IEC 19794-2 standard (Biometric data interchange formats — Part 2: Finger minutiae data). I await a reply.
My question is whether fingerprint minutiae constitute biometric data and whether their storage on the card complies with the Data Protection Act. I wrote to the Data Protection Commissioner hoping she could shed some light on the same.
Update 20 March 2017
The Data Protection Commissioner replied to me in a letter dated 17 March 2017. In her answer the commissioner did not directly answer whether “fingerprint minutiae” constitute biometric data. She instead cited the definition of “personal data” as per the Data Protection Act 2004 of Mauritius and concluded that « if an information identifies an individual, then it is considered as personal data ».
The letter ended with the following paragraph:
Kindly note that matters relating to the collection, processing and storage of data related to the National Identity Card has been taken at the level of the Supreme Court and Privy Council. The Data Protection Office abides by the decisions of the Supreme Court and the Privy Council.