Guidelines for Biometric User Privacy and Security Protection

Ant Financial’s success is built on the trust that our more than one billion users across the world place in our company to safeguard and protect their data and privacy. We have always implemented rigorous, best-in-class privacy, security and risk control processes and continually upgrade our practices to ensure that our systems are designed and managed according to best practices and compliance standards.

With biometric technologies such as Alipay’s ‘Smile to Pay’ being increasingly adopted as a form of payment across China, we are proud to announce Ant Financial’s guidelines for biometric user privacy and security protection. In order to ensure the healthy development of the broader biometric industry, we propose these standards and encourage our industry peers that utilize biometric technologies to adopt them. The full guidelines can be seen below.

1. Privacy Protection: Follow the principle of “minimum and necessary” by collecting only the necessary information with users’ authorization. Users have the right to know and should be fully guaranteed the choice of whether to use biometric solutions. In addition, a standardized and transparent system should be established specifying how long user information can be stored.

2. Data Security: The collected information should be encrypted in order to strengthen data protection. Vendors should set up a dedicated risk management group consisting of their core executives to coordinate data-security-related efforts and maximize the protection of users’ rights and interests.

3. Preventing information abuse: To avoid excessive use of information, biometric vendors should clearly define and regulate the purpose and scope of user information usage. When using user information, vendors should carefully consider whether the purpose and scope of using such information are necessary and reasonable, and whether the relevant users have been fully informed accordingly.

4. Responsibility and supervision: Biometric vendors should establish a dedicated insurance mechanism to minimize the potential financial risks for users. To avoid security risks, vendors should also develop mechanisms for risk prevention, review, response and accountability, which ensure the security, controllability and transparency of biometric services.

5. Fairness: The development of biometrics should follow the principles of fairness and justice, eliminate prejudice and discrimination in algorithm design, technology development, product development and technology application, avoid discriminating against users on the basis of gender, age, etc., and protect users’ rights and interests.