SIST-TS CEN/TS 17661:2022
Personal identification – European enrolment guide for biometric ID documents (EEG)
This document consolidates information relating to successful and high quality biometric enrolment processes of facial and fingerprint systems, while indicating risk factors and providing appropriate mitigations. This information supports decisions regarding procurement, design, deployment and operation of these biometric systems.
This document provides guidance on:
— capturing of facial images to be used as reference images in identity and secure documents;
— capturing of fingerprint images to be used as reference images in identity and secure documents;
— data quality maintenance for biometric reference data;
— data authenticity maintenance for biometric reference data.
The document addresses the following aspects which are specific for biometric reference data capturing:
— biometric data quality and interoperability ensurance;
— data authenticity ensurance;
— morphing and other presentation attack detection as well as other unauthorized changes;
— accessibility and usability;
— privacy and data protection;
— optimal enrolment design.
The following aspects are out of scope:
— IT security;
— data capturing for verification purposes, e.g. in ABC gates;
— capturing biometric data for enrolment in other systems different from data enrolment for integration in secure MRTD, like entry/exit systems.
This document consolidates the role of the enrolment process in a biometric system and differentiates the enrolment from the authentication, while mentioning key factors of the enrolment process that are feature independent.
Interests of the existing stakeholders are broken down and provide an insight on different views of the enrolment. In addition, organisational enrolment approaches are covered.
This document is not concerned with IT requirements or the capturing of biometric data for inspection, identification or verification purposes without the required step of creating an identity document using the captured data.
Persönliche Identifikation - Europäischer Enrolmentguide für biometrische ID-Dokumente (EEG)
Identification des personnes - Guide d'enrôlement européen pour les documents d'identité biométriques (EEG)
Osebna identifikacija - Evropsko vodilo za vpis biometričnih osebnih dokumentov (EEG)
This Technical Specification provides guidance on:
• capturing of facial images to be used as reference images in identity or similar documents,
• capturing of fingerprint images to be used as reference images in identity or similar documents,
• data quality maintenance for biometric reference data,
• data authenticity maintenance for biometric reference data.
The Technical Specification addresses the following aspects, which are specific to biometric reference data capturing:
• biometric data quality and interoperability assurance,
• data authenticity assurance,
• detection of morphing and other types of presentation attacks,
• accessibility and usability,
• privacy and data protection,
• optimal process design.
The following aspects are out of scope:
• IT security,
• data capturing for verification purposes, for example in ABC gates,
• images taken by users themselves, although a section on this is included.
Standards Content (Sample)
SLOVENIAN STANDARD
01 February 2022
Osebna identifikacija - Evropsko vodilo za vpis biometričnih osebnih dokumentov (EEG)
Personal identification – European enrolment guide for biometric ID documents (EEG)
Persönliche Identifikation - Europäischer Enrolmentguide für biometrische ID-Dokumente (EEG)
This Slovenian standard is identical to: CEN/TS 17661:2021
ICS:
35.240.15 Identification cards. Chip cards. Biometrics
2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.
CEN/TS 17661
TECHNICAL SPECIFICATION
SPÉCIFICATION TECHNIQUE
November 2021
TECHNISCHE SPEZIFIKATION
ICS 35.240.15
English Version
Personal identification - European enrolment guide for biometric ID documents (EEG)
Identification des personnes - Guide d'enrôlement européen pour les documents d'identité biométriques (EEG)
Persönliche Identifikation - Europäischer Enrolmentguide für biometrische ID-Dokumente (EEG)
This Technical Specification (CEN/TS) was approved by CEN on 16 August 2021 for provisional application.
The period of validity of this CEN/TS is limited initially to three years. After two years the members of CEN will be requested to
submit their comments, particularly on the question whether the CEN/TS can be converted into a European Standard.
CEN members are required to announce the existence of this CEN/TS in the same way as for an EN and to make the CEN/TS
available promptly at national level in an appropriate form. It is permissible to keep conflicting national standards in force (in
parallel to the CEN/TS) until the final decision about the possible conversion of the CEN/TS into an EN is reached.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,
Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and
United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2021 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. CEN/TS 17661:2021 E
Contents
European foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Enrolment and use of reference data in a biometric system
6 Enrolment approaches
7 Stakeholder
8 Modality specific guidance
Bibliography
European foreword
This document (CEN/TS 17661:2021) has been prepared by Technical Committee CEN/TC 224 “Personal
identification and related personal devices with secure element, systems, operations and privacy in a
multi sectorial environment”, the secretariat of which is held by AFNOR.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN website.
According to the CEN-CENELEC Internal Regulations, the national standards organisations of the
following countries are bound to announce this Technical Specification: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United
Kingdom.
Introduction
Over the past decade, many EU Member States introduced MRTD supported traveller processes. During
this time, lessons have been learned and experience has been gained on several application aspects of
newly introduced technologies. One key component of any MRTD inspection system is the biometric
comparison of the document holder with the reference data. In addition to passports and ID cards,
biometric data are used for documents other than eMRTD as well, including Residence Permits, Visas and
Drivers Licenses. This document aims to compile these lessons learnt and present best practice in
capturing facial and fingerprint images, and to improve the biometric samples at the point of capture
from the enrolee.
During the last few years, biometric comparison algorithms reached new performance levels and even
more improvements can be expected. However, every system can only be as good as the data it is based
on. Therefore, the quality of reference data has superior importance. The better the enrolment of
biometric data, the lower the error rates to be expected in any MRTD based application. Lower error rates
lead to a higher degree of automation, increase throughput and security, improve the traveller
experiences, and, finally, save resources. So, it is worth investing in enrolment of high quality facial images
as well as of fingerprint images.
The enhanced use of new technologies for identity and document inspection means that precise criteria
are set out for the enrolment and inspection processes. The enrolment process for biometric identifiers is
crucial in order to guarantee a successful verification at document inspection. This document presents
guidelines for the enrolment of an enrolee’s biometric face and fingerprint characteristics, which can be
used for identity documents.
With the amendment of Regulation (EU) 2017/458 of the European Parliament and of the Council
of 15 March 2017 amending Regulation (EU) 2016/399 as regards the reinforcement of checks against
relevant databases at external borders (OJ L 74 of 18 March 2017 p.1-7) the following provisions have
been inserted:
— for passports and travel documents containing a storage medium as referred to in Article 1(2) of
Council Regulation (EC) No 2252/2004, the authenticity of the chip data shall be checked;
— where there are doubts as to the authenticity of the travel document or the identity of its holder, at
least one of the biometric identifiers integrated into the passports and travel documents issued in
accordance with Regulation (EC) No 2252/2004 shall be verified. Where possible, such verification
is carried out in relation to travel documents not covered by that Regulation.
It follows that, in case of doubt, a verification of the facial or the fingerprint image shall be carried
out. In order to achieve a successful verification, the following guidelines have been developed for
enrolment of these biometric data. The guidelines are intended to assist the responsible parties to achieve
the best quality of biometric enrolment in order to:
— create identity documents with high quality facial images integrated within the document and stored
on the chip in combination with high quality fingerprint images;
— prevent identity fraud by ensuring the integrity of the enrolment process;
— reduce false and increase true matching of facial and fingerprint images.
1 Scope
This document consolidates information relating to successful and high quality biometric enrolment
processes of facial and fingerprint systems, while indicating risk factors and providing appropriate
mitigations. This information supports decisions regarding procurement, design, deployment and
operation of these biometric systems.
This document provides guidance on:
— capturing of facial images to be used as reference images in identity and secure documents;
— capturing of fingerprint images to be used as reference images in identity and secure documents;
— data quality maintenance for biometric reference data;
— data authenticity maintenance for biometric reference data.
The document addresses the following aspects which are specific for biometric reference data capturing:
— biometric data quality and interoperability ensurance;
— data authenticity ensurance;
— morphing and other presentation attack detection as well as other unauthorized changes;
— accessibility and usability;
— privacy and data protection;
— optimal enrolment design.
The following aspects are out of scope:
— IT security;
— data capturing for verification purposes, e.g. in ABC gates;
— capturing biometric data for enrolment in other systems different from data enrolment for
integration in secure MRTD, like entry/exit systems.
This document consolidates the role of the enrolment process in a biometric system and differentiates
the enrolment from the authentication, while mentioning key factors of the enrolment process that are
feature independent.
Interests of the existing stakeholders are broken down and provide an insight on different views of the
enrolment. In addition, organisational enrolment approaches are covered.
This document is not concerned with IT requirements or the capturing of biometric data for inspection,
identification or verification purposes without the required step of creating an identity document using
the captured data.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
EN 17054:2019, Biometrics multilingual vocabulary based upon the English version of ISO/IEC 2382-37:2012
IEC 61966-2-1, Multimedia systems and equipment — Colour measurement and management — Part 2-1: Colour management — Default RGB colour space — sRGB
ISO/IEC 10918-1, Information technology — Digital compression and coding of continuous-tone still
images: Requirements and guidelines
ISO/IEC 14496-2:2004, Information technology — Coding of audio-visual objects — Part 2: Visual
ISO/IEC 15444-1, Information technology — JPEG 2000 image coding system — Part 1: Core coding system
ISO/IEC 19794-5:2005, Information technology — Biometric data interchange formats — Part 5: Face
image data
ISO/IEC 2382-37:2017, Information technology — Vocabulary — Part 37: Biometrics
ISO/IEC 39794-4, Information technology — Extensible biometric data interchange formats — Part 4:
Finger image data
3 Terms and definitions
For the purposes of this document, the terms and definitions given in EN 17054:2019,
ISO/IEC 2382-37:2017 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
• IEC Electropedia: available at https://www.electropedia.org/
• ISO Online browsing platform: available at https://www.iso.org/obp
3.1
attended capture
acquisition of a biometric characteristic of an enrolee, while providing guidance
Note 1 to entry: Guidance is usually provided by an enrolment officer during live enrolment.
3.2
attendant
person, remote or automated system assisting the enrolment officer in obtaining the best available
quality biometric sample during capture through the procedures defined for enrolees with accessibility
needs or special requirements related to their age, gender, and religious observance
EXAMPLE 1 The automatically adjustable chair, detecting eye positions, while being removable for wheelchair
access.
EXAMPLE 2 Vocal assistance to guide partially sighted enrolees.
3.3
auditor
individual verifying the execution of the enrolment process, capture and registration, by checking against
the enrolment protocol
3.4
automated controlled capture
acquisition of an enrolee’s biometric characteristics, controlled by an automated system, not by
personnel
Note 1 to entry: The most common automated application for facial images is a photo booth.
3.5
biometric enrolee
individual providing a biometric sample to the capture system
3.6
capture
obtain contemporary signal(s) of biometric characteristic(s) from biometric enrolee(s)
3.7
designer and developer
entity designing the capture and/or registration system, service, process and the interaction protocol for
the enrolee
Note 1 to entry: Designer and developer create the service for production and distribution of any token used as
storage for biometric references or a pointer to where biometric references are stored.
3.8
duty officer
individual providing technical and operational advice and guidance to an enrolment officer
3.9
enrolment
action of storage of a biometric capture data record in accordance with the biometric enrolment policy
Note 1 to entry: The process of enrolment is to be distinguished into two subprocesses, capture and registration.
3.10
enrolment authority
national entity being responsible for the capture and registration of biometric features of an enrolee and
being liable for the processed data until the creation of the corresponding identity document
Note 1 to entry: The enrolment authority performs any required quality checks, including data authenticity
checks and enrolee identity validation.
Note 2 to entry: The enrolment authority is responsible for delivering the identity document, regardless how
this process is defined.
EXAMPLE Fraudulent attempts to prevent may be an enrolee claiming to have lost their identity document
and asking for the issuance of a new one, or the enrolee, being in the process of document renewal or creation,
submitting non-matching biometric data.
3.11
enrolment officer
individual interacting with enrolees to provide information regarding the enrolment process and
supporting operators in case of difficulties as the executing part of the enrolment authority
Note 1 to entry: The enrolment officer is responsible for the entire capture and registration process, even if
different personnel and multiple sessions take place.
Note 2 to entry: The enrolment officer’s tasks may differ between capture and registration. The following
examples illustrate possible tasks during each enrolment subprocess.
EXAMPLE 1 During capture, the enrolment officer oversees one or multiple enrolment stations, being
responsible for the secure and effective enrolment service. The enrolment officer ensures the day-to-day
maintenance of equipment used during the enrolment and ensures the quality of the enrolment feature captured
by the sensor or camera, meeting the enrolment standards, usually through requesting the enrolee to re-enrol if the
standard is not achieved, noting any exceptional circumstances. This assistance can be done by a physical person
but also by an automatic enrolment system adaption or video remote assistance.
EXAMPLE 2 During registration, the enrolment officer stores the captured biometric feature to the
corresponding identity of the enrolee. If the capture happened during a different session, a verification of the
enrolee’s biometric feature is mandatory, reducing mistakes or possible angles for an attack.
3.12
facial image
visual representation that includes the frontal part of the head of an enrolee, including hair if any, the
neck, and possibly the top of the shoulders
Note 1 to entry: A facial image may be stored in a digital file or be printed. In cases where the difference matters,
the terms “digital facial image” and “printed facial image” are used, respectively.
Note 2 to entry: The term “facial image” describes the same concept as the term “face image” used throughout
ISO documents.
Note 3 to entry: The terms “facial image” and “portrait” are used equivalently throughout this document.
3.13
facial region
region from crown to chin and from the left ear to the right ear, disregarding the background of the image
3.14
fixed enrolment
enrolment through stationary capture and registration stations set up at one location
3.15
identity document
document issued by a state authority that can be used to prove a person's identity
EXAMPLE National ID card, passport, visa, resident permits.
3.16
imaging system
technical system that reproduces an image
3.17
in-house enrolment
capture and registration performed by the enrolment authority, using the processed data in a
business-oriented application
3.18
Key Performance Indicator
KPI
metric quantifying one or more aspects of the successful operation of a process
3.19
live capture
capture without use of an intermediate medium
3.20
mandatory enrolment
enrolment that is prerequisite for the use of the product or service by any user
EXAMPLE A passport may be a requirement for travelling to different countries. A facial image is a
requirement for a valid passport.
3.21
mobile enrolment
enrolment through moveable capture and registration stations, that can be set up at multiple locations
3.22
morphing attack
abuse of an authentic document, in which the biometric features of the document holder are merged with
biometric features of at least one other person, resulting in a manipulated facial or fingerprint image used
in the ID document that contains biometric features of two or more persons
3.23
multiple location enrolment
capture and registration procedures take place at different locations
Note 1 to entry: Multiple location enrolment may need more sophisticated security measures, due to the split
over multiple sessions, to provide a flawless chain of proof.
3.24
non-professional capture
acquisition of an enrolee’s biometric characteristics in an uncontrolled environment
EXAMPLE The environment is uncontrolled if either camera, lighting, computer or enrolment software is
non-professional or, in case of facial image capturing, a non-professional photographer.
3.25
operator
individual organizing the capture and registration service, being responsible to the enrolment authority
Note 1 to entry: Quality and security of the enrolment service are the key areas of responsibility of the operator.
EXAMPLE If the KPIs, including quality and performance metrics, fall outside the agreed targets, the operator
takes remedial measures.
3.26
optional enrolment
enrolment that is not a requirement for the use of the product or service by the user
3.27
outsourced enrolment
capture and registration performed by a service provider carrying out the enrolment
3.28
performance manager
individual monitoring the procedure of the capture and registration process, proposing and reporting
back on corrective actions, if the specified criteria are not met
3.29
personal assistant
individual or automated system providing support for the enrolee
EXAMPLE 1 For human assistance: Translation of instructions from the enrolment officer, support for a
handicapped enrolee, fulfilling a legal requirement, such as being present during the enrolment of a child.
EXAMPLE 2 For an automatic capture system adaption: Translation of instructions, age detection.
3.30
photo booth
automated or semi-automated system for digitally capturing facial images, and securely transferring
them to the authority, that encloses the enrolee in a highly-controlled lighting environment, consists of a
camera, lighting, and peripheral devices, and has an entrance protected against ambient light
Note 1 to entry: In some use cases, a semi-automated photo booth can be located in a supervised area with the
operator providing assistance during the capture process. Therefore, the photo booth can be equipped with partial
masking or semi-transparent materials which can be removable.
3.31
photo kiosk
automated or semi-automated system for digitally capturing facial images in a bureau-environment that
consists of a camera and lighting and usually has a separate panel placed behind the enrolee to provide
the required background but is otherwise open
3.32
photo studio
licensed, professional working environment run by photographers, functioning as operators, taking facial
images using professional equipment
Note 1 to entry: Professional equipment usually refers to the camera and lighting setup, being the most relevant
for a compliant portrait.
3.33
printed image capture
physical acquisition of an enrolee’s biometric characteristic, to be scanned and registered by the
enrolment authority
3.34
professional capture
acquisition of an enrolee’s biometric characteristics in a controlled environment
Note 1 to entry: Professional capture of facial images is usually done by a photographer or a properly set up
photo booth.
3.35
registration
operation of (1) processing an application for identity document, and storing and binding a previously
captured biometric feature to a claimed identity, requiring presence of both the enrolee and the
enrolment officer, and (2) verifying the claimed identity matches the enrolee, requiring presence of the
enrolment officer
Note 1 to entry: The two steps, i.e. (1) processing of the application and storage and binding a previously
captured biometric feature to a claimed identity and (2) verification may take place at different places and different
moments depending on enrolment procedures (e.g. verification step may be performed later by dedicated and duly
trained and accredited staff).
3.36
regulator
individual assuring the capture and registration process is operated according to legislation acts, relative
contract documents and instructions
3.37
relying party
entity using the biometric data obtained from the enrolment service in a biometric recognition service as
part of a business-oriented application
3.38
remote enrolment
enrolment through online capture and registration methods, enabling secure data transfer
3.39
secure capture
human or automatic supervised live capture with PAD and no unsecured intermediate storage
3.40
semi-attended capture
acquisition of a biometric characteristic of an enrolee, by one enrolment officer or third party operator
overseeing one or multiple enrolment processes
EXAMPLE 1 A possible third party operator could be a studio photographer.
EXAMPLE 2 One or many enrolment officers using the same capturing environment not directly located at their
workspace.
3.41
Service Level Agreement
SLA
agreement between a service provider and a customer defining a target level of service, mutual
responsibilities of service provider and customer, together with other requirements for the delivery of a
service
3.42
single location enrolment
capture and registration procedures take place at the same location, irrelevant of the chosen session
model
3.43
specialist support staff
trained attendant(s) present at the enrolment session on behalf of the enrolment authority or operator
to assist with the enrolment of enrolees with disabilities, or to fulfil service or legal requirements in
respect of gender, religious observance, or age of the enrolee
3.44
supervised enrolment
enrolment which is observed and/or directed by a human, which may or may not be supported by an
automatic system
3.45
unaware enrolment
enrolment occurring without the enrolee recognizing
EXAMPLE Relevant for surveillance or tracking.
3.46
uncontrolled capture
acquisition of an enrolee’s biometric characteristics without any kind of supervision
3.47
vendor
entity providing hardware, software and technical support for the capture and registration process
Note 1 to entry: The support is either provided directly or through an agent.
EXAMPLE Providing upgrades or rectification of faults.
4 Abbreviated terms
CCTV Closed Circuit Television
CSD Camera to Subject Distance
EVZ Eye Visibility Zone
FAP Fingerprint Acquisition Profile
FMR False Matching Rate
FNMR False Non-Matching Rate
FTAR Failure to Acquire Rate
FTER Failure to Enrol Rate
FTIR Frustrated Total Internal Reflection
GDPR General Data Protection Regulation
IED Inter Eye Distance
KPI Key Performance Indicator
MRTD Machine-Readable Travel Document
NFIQ NIST Fingerprint Image Quality
PAD Presentation Attack Detection
SLA Service Level Agreement
SNR Signal to Noise Ratio
TFT Thin Film Transistor
WSQ Wavelet Scalar Quantization
5 Enrolment and use of reference data in a biometric system
Biometric enrolment systems have many elements in common. Captured biometric samples are acquired
from an enrolee by a sensor. The sensor output is sent to a processor that extracts the biometric features,
the distinctive but repeatable measures of the sample, discarding all other components. The resulting
image or images are registered by the responsible authority and may be used to:
— confirm the identity of an enrolee applying for renewal; or
— confirm the identity of an enrolee claiming to have lost their identity document or had it stolen; or
— issue an Identity Document in which they are stored; or
— detect an identity substitution in the course of identity document renewal (e.g. submission of
morphed biometric data); or
— confirm the identity of the person to deliver the identity document.
Using the collected biometric sample for biometric recognition encompasses both:
— biometric identification;
— biometric verification.
Biometric verification can be used to conduct a 1:1 comparison of a captured biometric template (i.e. the
biometric claim) against one stored on a card, mobile device, or database. Biometric identification can be
used to deduplicate identity records during registration (i.e. to perform a duplicate biometric enrolment
check).
Verification of an identity claim, or confirmation of identity is achieved using a subsequent probe
biometric sample which is compared to the reference one. A decision regarding the biometric claim is
made based upon the similarities or dissimilarities between the features of the biometric probe and those
of the reference compared. For more detailed information about the architecture of biometric systems
see ISO/IEC TR 29196.
6 Enrolment approaches
Enrolment for biometric services can take the form of many differing approaches depending upon
context, complexity, and requirements of the relying party such as:
— the level of security;
— in-house or outsourced;
— live or not live;
— under varying kinds of supervision:
— attended;
— semi-attended;
— automated controlled;
— uncontrolled;
— on site of the enrolment agency or at another location;
— multiple or single location;
— centralized or decentralized data storage and processing;
— professional or non-professional;
— capturing a single modality or multiple biometric modalities in the same session;
— system developed by the public administration or by a private company;
— whether or not it is recorded;
— whether or not it is accredited by the administration;
— mandatory, optional, or unaware; and
— fixed, mobile or remote.
NOTE Some of these enrolment approaches are not covered throughout this document due to lack of quality,
reliability and security, such as non-professional and homemade enrolment.
Designed to provide enrolments for either multiple applications or for a specific application, enrolment
is an expensive part of a biometric service. In order to reduce costs, enrolment may be done for multiple
relying parties at the same time, each with differing business, technical and functional requirements.
EXAMPLE The facial image in a passport could be re-used for a driver’s licence application.
The complexity bandwidth spans from a simple single modality process (against pre-assigned identity),
to a complex process consisting of identity checks using breeder documents, followed by capture of
features relating to multiple modalities and a verification check on the effective operation of the collected
features.
Based upon how the system is influenced by the above factors, there will be different requirements and
operational guidance. From the technical point of view, there is no preference for a specific enrolment
approach. However, any solution shall fulfil the quality and security requirements of this document.
Difficulties in meeting those requirements with, say, mobile enrolment systems are no reason for relaxing
them.
7 Stakeholder
7.1 Enrolment stakeholders
The successful operation of a biometric enrolment service depends on the co-operation of a large number
of stakeholders as listed below. (See also Figure 1 below showing that enrolment officers work on behalf
of the operator, which has a relationship with the enrolment authority; personal assistants support the
enrolee). Note that systems can be far simpler than illustrated, for example, the enrolment authority can
also be the operator of the service, as well as being the relying party.
Figure 1 — Stakeholders at enrolment
The following stakeholder roles are covered throughout this document to fully characterize the
enrolment process:
— attendant;
— auditor;
— biometric enrolee;
— designer and developer;
— duty officer;
— enrolment authority;
— enrolment officer;
— operator;
— performance manager;
— personal assistant;
— regulator and other governance bodies;
— relying party;
— vendor.
7.2 Stakeholder interests
7.2.1 General
There are numerous stakeholders in any biometric enrolment application, most of whom will benefit
from a high quality, securely administered enrolment process with due regard for the needs and
expectations of the enrolees.
For each stakeholder, there are specific reasons why the enrolment service should be effective. This
Clause describes some of the benefits for these stakeholders.
A process for the design, development and deployment of an effective biometric enrolment should
consider numerous issues in a structured manner. The approach favoured in this document is to itemize
these issues against the principal stakeholders who are impacted by each issue. One way of examining
the benefits to a stakeholder is to consider the operation of the enrolment service from a number of
standpoints. Stakeholders will have different perspectives and not every standpoint will be relevant to
every stakeholder:
— appropriateness, effectiveness and efficiency;
— convenience and price;
— look and feel;
— usability, personalisation, adaptation to the local culture and locally spoken languages;
— performance including speed and accuracy;
— operational and environmental aspects;
— maintainability and support;
— security, privacy and transparency;
— cultural and social aspects; and
— legal aspects.
For more details, see ISO/IEC TR 29196.
1)
Guidance on many topics relevant for dealing with stakeholder interests is given in ISO/IEC 24714
Biometrics – Cross-jurisdictional and societal aspects of biometrics – General guidance. This ISO/IEC
standard is not binding for enrolment applications in the EU Member States; however, it offers useful
information relevant to the scope of this document.
7.2.2 Biometric enrolee interests
The enrolee shall be presented with a clear and understandable enrolment process that allows the
enrolee to feel safe and alleviate any concerns. The enrolment process should be effective and all possible
exceptions shall be specified in a clear manner. Prior identification of exceptional conditions (e.g. support
for handicapped persons) should be flagged in the application process to allow for adjustments to be
made in advance of enrolment. It is important to ensure that the enrolment process is safe and provides
a satisfactory user experience for the enrolee in order to enhance acceptance of the system. This includes
that technical solutions should be as comfortable as possible within the constraints of application and
enrolment system/process requirements. Any situation where the enrolment can cause discomfort to the
biometric enrolee needs a clear justification. The enrolee shall have easy access to information about the
accessibility, privacy, usability and other consumer-relevant issues associated with the enrolment
process and the biometric system preferably in advance of attending the enrolment session. A process
for the design, development and deployment of a successful biometric enrolment should consider
numerous issues in a structured manner.
On the matter of issues relating to personal privacy and data protection, the reader of this document is
referred to the GDPR as well.
Provided information. Enrolees should be notified:
— about policies including privacy, personal data protection and accessibility;
— on the intended purpose of their collected biometric data, on the storage time frame and on
de-enrolment and data removal;
— on technical aspects including security and data encryption;
— that the security level depends on technology and processes and differs for different applications. In
some applications, biometric technology can lead to specific legal assumptions with respect to
non-repudiation. If this is the case, the enrolee should state that they fully understand and consent to the
consequences of these legal assumptions;
— about a contact point for further information;
1) Under preparation.
— that they are asked to produce documents that can be authenticated with the enrolment authority to
satisfy the enrolment officer of their claimed identity;
— which biometric data are captured, and that the captured data are only used for the named purpose.
At enrolment, provision of specific information helps enrolees to enrol in the system most effectively (e.g.
whether they should stand or sit in a particular way, and whether there will be wipes or tissues to clean
surfaces and improve the quality of images). Enrolees shall be given the opportunity to supply
information that can impact on the quality of enrolment, some of which can be regarded as personal or
confidential. Recording of such information - and the measures taken during enrolment as a result of this
information - should be undertaken in a secure manner.
Legal implications. Any specific national provision relating to documentation in support of proof of
identity and authentication thereof, privacy, the protection of personal data, accessibility, security, etc.
should be identified and incorporated during the requirements capture phase of the enrolment system
lifecycle. The safeguarding of enrolment data provided by the enrolee in the enrolment system lifecycle
is important, particularly if enrolment data are to be shared between organisations. Therefore,
requirements relating to access, use, disclosure and disposal of enrolment data should be carefully
considered. Different parties, such as commercial and government, may consider legal implications
differently and at times have conflicting requirements for addressing them. Governance procedures
should be implemented that may in turn place specific requirements on audit logs.
Inclusivity. In order to obtain optimal quality biometric data during the enrolment phase, it is
particularly important to ensure that inclusivity issues are addressed. In order to be effective, enough
resources and time should be devoted to train the staff to enrol the enrolee with specialized equipment.
Also to avoid difficulties for the enrolee in attending and completing an enrolment, information should
be provided regarding any accessibility conditions which might result in poor quality outcomes.
Provision should be made for personal assistants including guide dogs accompanying the enrolee to the
enrolment facility and for other means of assistance. Note that the enrolment process can reveal hitherto
unrecognized conditions that can require sensitive handling by the attendants.
Usability. Enrolment systems should be designed for usability. ISO 9241-11 and ISO 9241-210 define
usability as an “extent to which a system, product or service can be used by specified users to achieve
specified goals with effectiveness, efficiency and satisfaction in a specified context of use”.
In general, the enrolment system should attempt to obtain a biometric reference of the best quality for
the target application, consistent with constraints of time allowed for enrolment, costs of arranging the
enrolment and availability of equipment and attendants. Quality is one of the aspects of effectiveness.
This term does not necessarily relate to an aesthetically pleasing captured image. Quality has many
additional dimensions including consistency of presentation or sufficient distinguishing elements in the
image. The process of enrolment should be carried out in ways that enable the enrolees to perform the
task quickly and with as few errors as possible.
User satisfaction includes aspects such as:
— whether the enrolees are intimidated in any way by the equipment or process;
— whether the enrolees can behave naturally, and the system interface is physically and cognitively
ergonomically viable;
— necessary time;
— the extent to which the user interface is designed to be as intuitive as possible to avoid enrolee discomfort
and frustration; and
— the presence of an attendant (if the enrolment is manual), noting that the demeanour and helpfulness
of the attendant is important.
7.2.3 Enrolment authority interests
The principal objective of the enrolment authority is ensuring the capture of a representation of the
biometric features of a qualified individual to fulfil the requirements of the relying party’s application
using biometrics. In helping to achieve its objective, the authority should develop an enrolment policy.
NOTE The enrolment authority that enrols the enrolee and the relying party that operates the
biometric-enabled application can be different organizations.
Establishing the legal framework. The enrolment authority should, at an early stage of system design,
determine the legal and social implications, including privacy principles. The enrolment authority should
determine what auditing functions are required. The scope of auditing functions should be defined in
collaboration with relevant and competent national authorities.
Procurement officials and operators should be aware of legal regulations relating to inclusivity; capture
of the relevant requirements at an early stage in the process is likely to lead to cost-effective solutions.
Independent service operation review. The enrolment authority can request an independent review
of the delivery and operation of the enrolment service, both of its security and the biometric performance
- either with a test group of enrolees before the start of an operation of the service, or during its operation
using a representative sample of enrolees. Assessment, testing and reporting the results of such tests for
a biometric enrolment service requires specialized knowledge and experience. Only those organisations
that can demonstrate their credentials in these areas ought to be considered. Testing should be
undertaken against relevant standards (such as those in the multi-part standard ISO/IEC 19795).
Success metrics and failure analysis. Enrolment is normally a prerequisite to operational use of a
biometric system. The quality of enrolments will affect the performance and usability of the operational
system. The enrolee experience at enrolment is likely to affect an enrolee’s perception of the operational
system and of the organization operating the system, which can also have a knock-on effect on the
performance of the operational system. In order to improve the quality of enrolment, it is vital to have
access to data which can be used to monitor the various components of the service, both to ensure that
the service is operating to initially developed performance levels, as well as helping to improve the
service through addressing the most significant elements of the cost/benefit trade-off. This requires that
the design of the biometric enrolment service allows for the right metrics to be collected (and analysed
regularly at various levels of granularity).
The performance parameters divide into two broad categories:
— parameters that relate to the performance of the enrolment service, e.g. failures to enrol, invalid
enrolments, denied enrolments. These are the enrolment failure parameters;
— parameters that affect the performance of the relying party’s operational system using the
enrolments from the enrolment service, e.g. FMR, FNMR, or FTAR. These are (largely) the enrolment
quality-dependent parameters.
The two categories are distinct but interrelated and can be in conflict, e.g. a reduction in the FTER might
lead to an increase in the FNMR. The possibility of conflict can create tension between the enrolment
service and the operations of the relying party which is likely to be amplified in cases where these are
provided by different organisations.
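The conflict between the two categories can be made concrete with a small calculation. The following Python example is an added illustration and not part of this document's original text; the records, quality scores, comparison scores, thresholds and function names are constructed assumptions. It treats enrolment as a quality gate and shows that relaxing the gate lowers the FTER while raising the FNMR seen by the relying party, with the FTER also broken down per capture site.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample data (not from the standard): one tuple per enrolee,
# (capture site, reference quality score 0-100, genuine comparison scores
# obtained later by the relying party against that reference).
RECORDS = [
    ("A", 85, [0.91, 0.88]),
    ("A", 72, [0.80, 0.76]),
    ("A", 40, [0.55, 0.35]),
    ("B", 65, [0.74, 0.69]),
    ("B", 30, [0.42, 0.38]),
    ("B", 55, [0.63, 0.48]),
    ("B", 90, [0.93, 0.90]),
    ("A", 20, [0.30, 0.25]),
]
MATCH_THRESHOLD = 0.5  # assumed decision threshold of the relying party


def evaluate(quality_threshold, records=RECORDS):
    """Return (FTER, FNMR) when references below quality_threshold are rejected."""
    enrolled = [r for r in records if r[1] >= quality_threshold]
    fter = Fraction(len(records) - len(enrolled), len(records))
    scores = [s for _, _, genuine in enrolled for s in genuine]
    if not scores:  # nobody enrolled, so the FNMR is undefined
        return fter, None
    non_matches = sum(1 for s in scores if s < MATCH_THRESHOLD)
    return fter, Fraction(non_matches, len(scores))


def fter_by_site(quality_threshold, records=RECORDS):
    """FTER broken down per capture site (a finer level of granularity)."""
    total, failed = defaultdict(int), defaultdict(int)
    for site, quality, _ in records:
        total[site] += 1
        failed[site] += quality < quality_threshold
    return {site: Fraction(failed[site], total[site]) for site in total}


if __name__ == "__main__":
    for thr in (25, 50, 60):
        fter, fnmr = evaluate(thr)
        print(f"quality >= {thr}: FTER={float(fter):.3f} FNMR={float(fnmr):.3f}")
    print({site: float(rate) for site, rate in fter_by_site(50).items()})
```

With the constructed data, a strict gate rejects half of the enrolees but produces no false non-matches, whereas a lenient gate enrols almost everyone at the cost of a markedly higher FNMR.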
A classification of enrolment failures is suggested in ISO/IEC TR 29196 based upon the definitions
in ISO/IEC 2382-37.
In order to provide the data for such analysis, a requirements capture process should be undertaken
before the design of the enrolment service which will include the following (some
...







