Is a signature sensitive personal information?
What I love about privacy work is that I constantly get asked “what if?” questions that require me to rethink things that I’ve always taken for granted. The other day’s question was: “Is a person’s signature biometric information?”
Apparently, some of the documents inadvertently sent to the wrong person were signed forms. The person asking me was in the process of determining whether the inadvertent disclosure was covered by the National Privacy Commission’s (NPC) mandatory breach notification requirement.
The first question in making the determination is: “Is the personal data involved sensitive personal information (SPI) or other information that may enable identity fraud?”
So I thought to myself, “Is a signature biometric information?” Because if it is, then a signature is SPI, and this case clears the first requirement for breach reporting.
A quick Google search told me that a signature is not considered SPI. However, the manner in which a person signs is biometric data and, ergo, SPI.
Why is this little nugget of information important? Well, the use of signature pads has become commonplace these days. If the signature pad your company uses records not only the customer’s signature but also the manner in which it is made (i.e., how the person signs), then your company is subject to the more stringent requirements of the Data Privacy Act of 2012 for collecting and processing sensitive personal information. More importantly, if such biometric information is part of the personal data involved in a data breach, then you will be required to comply with the NPC’s data breach notification requirements.