Standards Development

Scope

This standard establishes recommendations and requirements for remote biometric identification systems including both real-time and ex-post, including AI-based systems:

1. Technical solutions to be implemented in the design and development phases in relation to the following:

o appropriateness of training and testing datasets and data management practices for the intended purpose;

o logging capabilities enabling the automatic recording of events (‘logs’) while the system is operating;

o provision of information to instruct the operator of the system and information for appropriate use;

o human oversight measures, enabling the system to be effectively overseen and managed during the period of use;

o accuracy, robustness and cybersecurity.

2. The standard also establishes requirements on development practices:

o Risk management process to be implemented by the provider when designing and developing the system, notably in relation to the identification and implementation of solutions described under point (1)

o Quality management systems to be implemented by the provider in its organisation, including a system for post-market monitoring

3. The standard also establishes requirements on post-deployment tests and audit of the systems, including:

o Verification and testing procedures to assess whether the deployed system is proportionate and fitfor- purpose against the requirements given in point (1);

o Verification and testing procedures to assess the biometric recognition components are fit-forpurpose against the requirements given in point (1);

o Verification procedure to control the appropriateness of the quality management system measures and processes, as described under point (2).

While the emphasis is on surveillance systems, other types of remote biometric identification systems are in scope, regardless of biometric modality or sensing technology. Not in scope are personal authentication systems, and other types of voluntary, opt-in, systems.

Note: This scope includes both technical biometric aspects and management systems aspects, as discussed on page 7. The latter will be developed as a sector-specific extension of ISO/IEC 42001 AI - Management System. 

Purpose

On 21 April 2021, the European Commission put forward a proposal for a regulation laying down horizontal harmonised rules for the placing on the market, putting into service and use of high-risk AI systems. It is the first-ever proposed regulation in the field of AI, aiming at building appropriate standards for safe and human-centric AI.

Under the new proposed rules, all AI systems intended to be used for remote biometric identification of persons will be considered high-risk and subject to an-ex ante third party conformity assessment including documentation and human oversight requirements by design. High quality data sets and testing will help to make sure such systems are to the extent possible accurate and minimise discriminatory impacts on the affected population. This is recognized for generic AI in ISO/IEC 5259 which notes that “data-driven decisions with big data bring new challenges to data quality management in data analytics and artificial intelligence (AI) based on machine learning (ML). Poor data quality, such as incomplete, false, or outdated data, can disable effective and efficient processes of data analytics and ML and even prevent useful or valuable findings.”

The requirements of the new proposed regulation set high-level technical objectives to be achieved, while leaving the operationalisation of those requirements primarily to standards.

Building on this regulatory initiative, a standard on remote biometric identification would thus not only facilitate the demonstration of compliance of operators with the upcoming legal framework in the EU but also pave the way to a world-reference standard in a sector, where concerns related to privacy protection and accurate performance necessitate strong guidelines and harmonised practices.