Biometric data is any information derived from a person's unique physical or behavioural characteristics that can be used to identify them, such as facial geometry, fingerprints, iris patterns, voice prints, or keystroke dynamics. In online proctoring and identity verification, biometric data typically arises when a webcam image is processed to extract a face template for matching, or when typing patterns are analysed to confirm that the same person is present throughout an exam.

Biometric data is classified as special-category personal data under GDPR Article 9 — alongside health data and racial or ethnic origin — meaning its processing requires an explicit legal basis, generally explicit consent. This classification imposes stricter obligations than those applying to ordinary personal data, including data protection impact assessments and, in many jurisdictions, prior consultation with a supervisory authority. In the United States, Illinois's Biometric Information Privacy Act (BIPA) is the most stringent state law governing biometric data collection and imposes significant penalties for violations; similar laws exist or are pending in other states and jurisdictions.

Documented bias in facial recognition algorithms — where accuracy rates differ across skin tones, genders, and age groups — means biometric-based proctoring carries a real fairness risk that system designers must address through regular bias auditing, fallback procedures, and transparent reporting. Data minimisation principles require collecting only the biometric signals strictly necessary for the stated purpose, storing them for the minimum period required, and deleting them on schedule rather than accumulating a growing biometric database.

