RISHI MAHARAJ, executive director of EquiGov Institute

Recently I opened a new account at a local banking institution. As part of the process, I filled out the required forms which included due diligence for anti-money laundering obligations. I did up the forms online and emailed it into the bank and went in on the prescribed day and time for my appointment to formalise and open the account.

All the steps to open the account were pretty standard: I walked with my identification cards for validation of identity, utility bills for validation of address and statements for validation of funds. Also, I was asked to do my signature three times to assist with signature verification re transactions and cheques etc.

Like I said all the steps were standard. However, the one thing that stood out to me was that I was asked to look into a camera attached to the officer's computer so that a photo can be taken of me. In my previous visit to that same bank about two years ago to open an account I cannot recall being asked to look into a camera for a picture to be taken.

Such has the world changed in the last three years, that now many businesses are now moving towards adopting identity access management practices as part of their client onboarding or employee identity process. As a data protection practitioner, this process of course had me thinking about the data protection implications of adopting such technologies from a business perspective and the risk involved not only from the business side but also the customer/employee perspective.

I should add here that Trinidad and Tobago does have a data protection act that was passed in 2011. However, the act was never fully implemented and at present the government is in the process of amending the act based on global developments over the last ten years, most notably the the EU's General Data Protection regulation of 2018. So, as it stands now (subject to correction) there are no laws to regulate the use of these technologies in TT.

In essence biometric data is personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of individuals. Biometric data allows for or confirms the unique identification of an individual. Today's most common examples of processing activities involving biometric data are facial or iris scans, voice recognition applications and fingerprint access systems. Under most data protection laws including our present one, this type of data is characterised as sensitive personal data an as such caries more obligations by businesses wanting to use them.

More and more companies are considering implementing systems that process biometric data for authorisation or security purposes (eg access control, monitoring of worked hours, building security). Depending on the context in which it is used, the use of biometric data may increase user comfort, efficiency of operations and security (as opposed to building access tags, biometric data ca