Personal data for secondary purposes
In this chapter we describe the use of personal information for secondary purposes.
About “secondary” and “primary” purposes
In the context of this project, “secondary purposes” refers to the use of personal information beyond the primary purpose – which is the enrolment to the e-ID-service and the following identity verifications.
The secondary purposes mentioned in this report are all known to the controller at the time when the information is first collected. We therefore assume that the personal information will initially be collected for both the primary and the secondary purposes mentioned in this report. Thus, Article 6(4) GDPR regulating processing for new purposes will not apply.
Mobai’s secondary purposes include:
- Implementing improvements to the prediction accuracy for capture modules, face comparison and fraud detection algorithms, including:
- training algorithms,
- identifying unknown fraud types to improve algorithms and
- improving security and make general improvements to the service
- Conducting fraud investigation after real-time sessions (e.g., in case of a dispute)
- Providing evidence for law enforcement, if and when required by law
- Bias reduction
The information that is stored for secondary purposes include:
- The live image, i.e., “selfie”
- Various device- and session-related data
Mobai consider themselves controller for the secondary purposes related to making improvements to the algorithms, and bias reduction. For the secondary purposes related to fraud investigation in case of a dispute, and providing evidence for law enforcement, Mobai initially considered themselves data processor.
In a later chapter of this report, we take a closer look on the differences between primary and secondary processing in the SALT-solution. In that regard, we look at the purpose related to training and making improvements to the algorithms and the system as such (the first of the four bullet points above). The purposes mentioned in the other three bullet points have not been part of the scope of this sandbox project. However, when it comes to bias reduction, there has been a relevant project in the regulatory sandbox of the Information Commissioner’s Office (ICO) in the UK on this issue.
For further reading, see the Onfido Regulatory Sandbox Final Report at ico.org.uk.
Central storage
Mobai will store the data used for secondary processing in a secure server environment with physical security measures. The data will be encrypted using conventional methods (not homomorphic encryption) and stored in a dedicated environment separated from the service offerings, where the risk of misuse and data leakage is mitigated. This is to ensure that only authorised personnel have access. Mobai may provide sharing of session data with business partners in live operations.
Storage time
In the SALT-solution, Mobai will retain personal data for 180 days from the moment the initial result of a verification transaction is passed to the merchant to allow for machine learning and improvement of the fraud detection systems. An exception is the data gathered for the training of algorithms. These will be stored for a full year, in order to acquire a high enough number of samples to ensure efficient training.