New biometric laws needed urgently, review finds

Ryder Review calls for a new statutory framework to follow before biometric technology can be deployed against members of the public

Posted 29 June 2022 by Christine Horton

New laws for biometric data are needed urgently, according to an independent legal review.

The review of the governance of biometric data in England and Wales was commissioned by the Ada Lovelace Institute and led by Matthew Ryder QC (pictured).

The Ryder Review notes that with increase in the collection, use and processing of biometric data both by public authorities and the private sector, it “is vital to ensure that we do not allow the use of biometric data across society to evolve in a flawed way, with inadequate laws and insufficient regulation.”

The report says that law enforcement, public authorities and private companies are all pushing “the legal boundaries for the use of biometric data.”

However, “it becomes dangerous when the regulatory boundaries are unclear, and when the law fails to respond quickly and effectively to new data-processing techniques.”

It says live facial recognition (LFR) “is the clearest example of why a better legal and regulatory framework for biometric data is needed urgently. But the concerns it raises apply in numerous other areas.

Ryder calls for a new regulatory framework that is applicable to a range of biometric technologies, “rather than simply react in a piecemeal way to each new development.

“Similarly, we strongly recommend urgent research on regulating biometric data in the context of use by private companies. We found such research to be significantly lacking, due to the particular focus thus far on biometric data use by public authorities, particularly LFR by law enforcement.”


The review sets out 10 recommendations to protect fundamental data and privacy rights. These include:

  • A new, technologically neutral, statutory framework which sets out the process that must be followed, and considerations that must be taken into account, by public and private bodies before biometric technology can be deployed against members of the public.
  • Legislation that covers the use of biometrics for unique identification of individuals, and for categorisation (also known as classification).
  • Sector and/or technology-specific codes of practice, including, as soon as possible a legally binding code of practice governing the use of LFR. The use of LFR in public should be suspended until the statutory framework described above is in place. This framework should supplement, and not replace, existing duties under the Human Rights Act 1998, Equality Act 2010 and Data Protection Act 2018.
  • The establishment of a national Biometrics Ethics Board with statutory advisory role in respect of public-sector biometrics use.