ANSI INCITS ISO IEC TR 24714-1-2008 Information technology - Biometrics - Jurisdictional and societal considerations for commercial applications - Part 1 General guidance (Technica.pdf

1、 INCITS/ISO/IEC TR 24714-1:2008 2015 (ISO/IEC TR 24714-1:2008, IDT) Information technology - Biometrics - Jurisdictional and societal considerations for commercial applications - Part 1: General guidance (Technical Report) INCITS/ISO/IEC TR 24714-1:2008 2015 PDF disclaimer This PDF file may contain

2、embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility

3、 of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation paramet

4、ers were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. Registered by INCITS (InterNational Committee f

5、or Information Technology Standards) as an American National Standard. Date of Registration: 2/1/2015 Published by American National Standards Institute, 25 West 43rd Street, New York, New York 10036 Copyright 2015 by Information Technology Industry Council (ITI). All rights reserved. These material

6、s are subject to copyright claims of International Standardization Organization (ISO), International Electrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale. No part of this publication may be reproduced in an

7、y form, including an electronic retrieval system, without the prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1101 K Street NW, Suite 610, Washington DC 20005. Printed in the United States of America ii ITIC 2015 All rights reserved Reference num

8、berISO/IEC TR 24714-1:2008(E)ISO/IEC 2008TECHNICAL REPORT ISO/IECTR24714-1First edition2008-12-15Information technology Biometrics Jurisdictional and societal considerations for commercial applications Part 1: General guidance Technologies de linformation Biomtrie Considrations juridictionnelles et

9、socitales pour applications commerciales Partie 1: Guidage gnral ISO/IEC TR 24714-1:2008(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are

10、licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details

11、of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relat

12、ing to it is found, please inform the Central Secretariat at the address given below. COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2008 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including

13、photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in

14、 Switzerland ii ISO/IEC 2008 All rights reservedISO/IEC TR 24714-1:2008(E) ISO/IEC 2008 All rights reserved iiiContents Page Foreword iv Introduction.v 1 Scope1 2 Terms and definitions .2 3 Symbols and abbreviated terms 3 4 Societal and cross-jurisdictional considerations 3 4.1 Introduction3 4.2 Jur

15、isdictional issues .3 4.3 Accessibility.10 4.4 Health and safety.13 4.5 Usability14 4.6 Societal, cultural and ethical aspects of biometrics17 4.7 Acceptance 18 Bibliography22 ISO/IEC TR 24714-1:2008(E) iv ISO/IEC 2008 All rights reservedForeword ISO (the International Organization for Standardizati

16、on) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to d

17、eal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and

18、IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by th

19、e joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. In exceptional circumstances, the joint technical committee may propose the publication of a Technical Report o

20、f one of the following types: type 1, when the required support cannot be obtained for the publication of an International Standard, despite repeated efforts; type 2, when the subject is still under technical development or where for any other reason there is the future but not immediate possibility

21、 of an agreement on an International Standard; type 3, when the joint technical committee has collected data of a different kind from that which is normally published as an International Standard (“state of the art”, for example). Technical Reports of types 1 and 2 are subject to review within three

22、 years of publication, to decide whether they can be transformed into International Standards. Technical Reports of type 3 do not necessarily have to be reviewed until the data they provide are considered to be no longer valid or useful. Attention is drawn to the possibility that some of the element

23、s of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC TR 24714-1, which is a Technical Report of type 3, was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC

24、 37, Biometrics. ISO/IEC TR 24714 consists of the following parts, under the general title Information technology Biometrics Jurisdictional and societal considerations for commercial applications: Part 1: General guidance The following parts are under preparation: Part 2: Specific technologies and p

25、ractical applications ISO/IEC TR 24714-1:2008(E) ISO/IEC 2008 All rights reserved vIntroduction This part of ISO/IEC TR 24714 provides support for the further development of ISO/IEC biometric International Standards in the context of cross-jurisdictional and societal applications of biometrics, incl

26、uding standardization of both existing and future technologies. Specifically, this part of ISO/IEC TR 24714 offers guidance on the design of systems that use biometric technologies to capture, process and record biometric information with regard to societal norms and legal requirements of jurisdicti

27、onal domains (within and among various levels of jurisdictions), pertaining to privacy/data protection of an identifiable individual, with respect to an individuals ability to access and use these systems and the information they contain, with regard to health and safety issues pertaining to an indi

28、vidual when systems are utilized to capture biometric data. In this part of ISO/IEC TR 24714, biometric data are considered to be personal data. The contents of this part of ISO/IEC TR 24714 are recommended practices and guidelines. They are not mandatory. Legal requirements of the respective countr

29、ies take precedence and biometric data should be obtained in accordance with local norms of behaviour. This part of ISO/IEC TR 24714 does not reduce any rights or obligations provided by applicable laws. Compliance with any recommendations in this part of ISO/IEC TR 24714 does not of itself confer i

30、mmunity from legal obligations. Examples of the benefits to be gained by following the recommendations and guidelines in this part of ISO/IEC TR 24714 are enhanced acceptance of systems using biometrics by subjects, improved public perception and understanding of well-designed systems, smoother intr

31、oduction and operation of these systems, potential long-term cost reduction (whole life costs), increased awareness of the range of accessibility-related issues, adoption of commonly approved good privacy practice. The primary stakeholders are identified as users those who use the results of the bio

32、metric data, developers of technical standards, subjects those who provide a sample of their biometric data, writers of system specifications, system architects and IT designers, public policy makers. TECHNICAL REPORT ISO/IEC TR 24714-1:2008(E) ISO/IEC 2008 All rights reserved 1Information technolog

33、y Biometrics Jurisdictional and societal considerations for commercial applications Part 1: General guidance 1 Scope This part of ISO/IEC TR 24714 gives guidelines for the stages in the life cycle of a systems biometric and associated elements. This covers the following: the capture and design of in

34、itial requirements, including legal frameworks; development and deployment; operations, including enrolment and subsequent usage; interrelationships with other systems; related data storage and security of data; data updates and maintenance; training and awareness; system evaluation and audit; contr

35、olled system expiration. The areas addressed are limited to the design and implementation of biometric technologies with respect to the following: legal and societal constraints on the use of biometric data; accessibility for the widest population; health and safety, addressing the concerns of users

36、 regarding direct potential hazards as well as the possibility of the misuse of inferred data from biometric information. The intended audiences for this part of ISO/IEC TR 24714 are planners, implementers and system operators of biometric systems. Specification and assessment of government policy a

37、re not within the scope of this part of ISO/IEC TR 24714. ISO/IEC TR 24714-1:2008(E) 2 ISO/IEC 2008 All rights reserved2 Terms and definitions For the purposes of this document, the following terms and definitions apply. 2.1 accessibility biometrics possibility for everyone, regardless of physical c

38、apability or technological readiness, such as people with disabilities, to access and use biometric technologies and services NOTE 1 Access can be gained directly, using assistive technologies or by the use of alternative methods. One should strive to enable direct access by as many subjects as poss

39、ible (inclusive design). NOTE 2 The ISO/IEC JTC 1 Special Working Group on Accessibility defines accessibility as “the usability of a product, service, environment or facility by people with the widest range of capabilities”. 2.2 attendant individual who is present to guide or assist a (data) subjec

40、t in enrolling or verifying their biometric data 2.3 (data) subject individual who provides biometric data for storage or comparison in a biometric system 2.4 function creep mission creep expansion of a project, mission, or systems function beyond its original goals NOTE Function creep is the result

41、 of the intended or unintended change or extension to the functions of a system, which occur as small incremental stages, and can lead to significant changes to the function. 2.5 biometric data manager person within the system operators organization accountable for compliance with the principles con

42、tained in this part of ISO/IEC TR 24714 2.6 proportionality balance between the interests of an individual and the interests of an organisation 2.7 spoofing biometric system presenting a recorded image or other biometric data sample, or an artificially derived biometric characteristic, in order to i

43、mpersonate an individual 2.8 usability extent to which a product can be used by specified users (subjects) to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use NOTE Adapted from ISO 9241-11:1998, 3.1. 2.9 personal data information relating to an id

44、entified or identifiable individual that is recorded in any form, including electronically or on paper ISO/IEC TR 24714-1:2008(E) ISO/IEC 2008 All rights reserved 32.10 jurisdictional domain jurisdiction, recognized in law as a distinct legal and/or regulatory framework, which is a source of externa

45、l constraints on people, their behaviour and the making of commitments between people including any aspect of a business transaction NOTE Adapted from ISO/IEC 15944-5:2008, 3.67. 2.11 biometric data sample data captured from a biometric sensor that can be recorded as a biometric reference for a subj

46、ect or used for comparison with previously recorded biometric reference data to verify or identify a subject 3 Symbols and abbreviated terms PET Privacy Enhancing Technology ICT Information and Communication Technology PDA Personal Digital Assistant 4 Societal and cross-jurisdictional considerations

47、 4.1 Introduction This part of ISO/IEC TR 24714 provides generic recommendations that are not specific to technologies or applications and that can affect all biometrics. This clause begins by providing principles, guidelines and considerations for the design and implementation of biometric systems

48、in three major areas: jurisdictional issues related to privacy and protection of personal information (4.2); accessibility (4.3); and an examination of health and safety issues when using biometric systems that may affect design and implementation considerations (4.4). It continues with a discussion

49、 of usability addressing “real world” issues surrounding biometrics. It considers usability and highlights conditions of the physical environment that may affect the operation and usability of a biometric system (4.5).and continues with the societal, cultural and ethical aspects of biometrics (4.6); and discusses acceptance of the use of biometric characteristics