

Title:
CHECK-IN SYSTEMS AND METHODS EMPLOYING USER-DETERMINED RETENTION PERIOD FOR BIOMETRIC DATA
Document Type and Number:
WIPO Patent Application WO/2023/097364
Kind Code:
A1
Abstract:
Some embodiments relate to a self-service check-in system, comprising: at least one processor; memory accessible to the at least one processor; a user interface controlled by the at least one processor and including a display to perform a check-in process; and a human biometric data capturing (HBDC) device to capture biometric data of a person proximate the display. The at least one processor, when executing instructions stored in the memory, may be configured to: receive personal identifying information of the person via the user interface, receive captured biometric data of the person, and receive an expiry period of the biometric data via the user interface. The expiry period defines an expiry time at which the biometric data is to be deleted. Also disclosed is a check-in facilitation method executed by a server system.

Inventors:
OSBORNE NICHOLAS PETER (AU)
HORNLIMANN AARON JASON (AU)
Application Number:
PCT/AU2022/051431
Publication Date:
June 08, 2023
Filing Date:
November 30, 2022
Assignee:
ELENIUM AUTOMATION PTY LTD (AU)
International Classes:
G07C9/38; B64F1/36; G06F21/32; G06V40/12; G06V40/18; G06V40/50; G07C9/37
Domestic Patent References:
WO2019238251A1, 2019-12-19
Foreign References:
US10730482B1, 2020-08-04
US20200242864A1, 2020-07-30
US20210225106A1, 2021-07-22
US20190014109A1, 2019-01-10
US20210089756A1, 2021-03-25
US20190392659A1, 2019-12-26
US20160149904A1, 2016-05-26
Attorney, Agent or Firm:
FB RICE (AU)
Claims:
CLAIMS:

1. A self-service check-in system, comprising: at least one processor; memory accessible to the at least one processor; a user interface controlled by the at least one processor and including a display to perform a check-in process; and a human biometric data capturing (HBDC) device to capture biometric data of a person proximate the display; wherein the at least one processor, when executing instructions stored in the memory, is configured to: receive personal identifying information of the person via the user interface, receive captured biometric data of the person, and receive an expiry period of the biometric data via the user interface, wherein the expiry period defines an expiry time at which the biometric data is to be deleted.

2. The system of claim 1, wherein the HBDC device includes a camera facing a same direction as the display.

3. The system of claim 2, wherein the camera is configured to capture at least one of: RGB images; or infra-red images.

4. The system of claim 3, wherein the HBDC device includes a thermal imaging camera to capture a thermal image simultaneously with capture of the biometric data.

5. The system of claim 4, wherein the thermal imaging camera is configured to capture low resolution thermal images.

6. The system of claim 4 or claim 5, wherein the at least one processor is configured to make a liveness determination based on the captured thermal image.

7. The system of any one of claims 1 to 6, wherein the at least one processor is configured to transmit the personal identifying information, the captured biometric data and the expiry period or expiry time to a check-in facilitation server for storage.

8. The system of any one of claims 1 to 7, wherein the personal identifying information includes or consists of: a person name; and a mobile phone number; optionally wherein the person name includes a first name and a last name.

9. The system of any one of claims 1 to 8, wherein the HBDC device includes a finger print reader, a hand reader, an iris reader, or a gait analysis module.

10. The system of any one of claims 1 to 9, wherein the at least one processor is in communication with an automated barrier system and is configured to transmit a control signal to the automated barrier system to cause a barrier of the automated barrier system to open.

11. The system of any one of claims 1 to 10, wherein the system includes or forms part of a hardware installation at a location requiring check-in for admission or passage, the hardware installation including a computing device that includes the at least one processor, the memory, the user interface and the HBDC device.

12. The system of claim 11 when dependent on claim 10, wherein the automated barrier system is part of the hardware installation.

13. The system of claim 11 or claim 12, further comprising a check-in facilitation server in communication with the computing device, the check-in facilitation server configured to store a check-in record for each person for which the check-in facilitation server receives personal identifying information, biometric data, an expiry period or expiry time and location information identifying a check-in location of the computing device.

14. The system of claim 13, wherein the check-in facilitation server is configured to transmit the personal identifying information and the location data to a check-in repository, and to withhold from transmitting to the check-in repository the biometric data or the expiry time.

15. The system of any one of claims 1 to 10, wherein the system includes a mobile personal computing device.

16. A check-in facilitation method executed by a server system, comprising: receiving at the server system check-in data including personal identifying information of a person, check-in location information, biometric data of the person and a user-specified expiry time of the biometric data; storing by the server system the personal identifying information, the check-in location information, the biometric data and the expiry time in a record in a data store accessible to the server system; determining whether the expiry time has passed; and deleting the stored biometric data in response to determining that the expiry time has passed.

17. The method of claim 16, further comprising: transmitting the personal identifying information and the check-in location information from the server system to a check-in data repository that is separate from the server system.

18. The method of claim 16 or claim 17, further comprising: transmitting a message confirming deletion of the biometric data to a contact endpoint specified in the personal identifying information.

19. The method of any one of claims 16 to 18, further comprising: in response to determining by the server system that an expiry time has not passed, and a current time is within a reminder period prior to the expiry time, transmitting an expiry reminder to a contact endpoint specified in the personal identifying information.

20. The method of claim 19, wherein the expiry reminder includes an active link to content accessible via a client computing device to allow user modification of the expiry time.

21. The method of claim 20, further comprising receiving at the server system in response to transmitting the link modification information indicating a modified expiry time and storing in the data store the modified expiry time as the expiry time.

Description:
CHECK-IN SYSTEMS AND METHODS EMPLOYING USER-DETERMINED RETENTION PERIOD FOR BIOMETRIC DATA

Technical Field

[0001] Embodiments generally relate to systems, methods, and processes that may receive, process, store or share the biometric data of a person. In particular, embodiments relate to check-in systems and methods and more particularly to self-service (and automated) check-in systems and methods.

Background

[0002] Services and businesses are collecting ever greater amounts of personal data from people as technology becomes ubiquitous in more areas of society and human life. Biometric recognition is also becoming an increasingly common option for use in cases where identity verification is needed. Biometric data is stored and applied in diverse use cases, from innocuous uses like fingerprint recognition for clock-in at workplaces or facial recognition to match a passport photo to the person at a counter, to more sensitive applications like DNA sequencing, gait recognition and face recognition using public-area CCTV to identify persons of interest to law enforcement.

[0003] As a result of these use cases, personal biometric data is being stored by a plethora of businesses and governments in greater volumes than ever before, but often without any attached privacy or consent controls, including how long that data may be stored for, and how it may be used.

[0004] Information about these privacy and consent controls is often not exposed or made available to the person from whom the data has been collected. Privacy policies are often used by businesses to declare what personal data is collected on a person. However, this is often found lacking in situations where one business purchases another. As an example, the Australian Privacy Act 1988 does not consider the sale of a whole business that happens to hold personal data to be a transfer of personal data, and is therefore not subject to the Privacy Act.

[0005] This represents a personal data security risk for people from whom sensitive biometric personal data is collected due to the rapid proliferation of biometric data collection and the comparatively lax regulatory controls around how long and in what circumstances the data is held considering the highly sensitive nature of the data. As more and more businesses and services collect this data and as it subsequently changes hands over time, then the original consent that the person gave may no longer be considered, and at such point there is no effective method for a person to find who holds their data at any one time or to manage the use of that data.

[0006] It is desired to address or ameliorate one or more shortcomings or disadvantages associated with prior techniques for biometric data consent management, or to at least provide a useful alternative thereto.

[0007] Throughout this specification the word "comprise", or variations such as "comprises" or "comprising", will be understood to imply the inclusion of a stated element, integer or step, or group of elements, integers or steps, but not the exclusion of any other element, integer or step, or group of elements, integers or steps.

[0008] Any discussion of documents, acts, materials, devices, articles or the like which has been included in the present specification is not to be taken as an admission that any or all of these matters form part of the prior art base or were common general knowledge in the field relevant to the present disclosure as it existed before the priority date of each of the appended claims.

Summary

Some embodiments relate to a self-service check-in system, comprising: at least one processor; memory accessible to the at least one processor; a user interface controlled by the at least one processor and including a display to perform a check-in process; and a human biometric data capturing (HBDC) device to capture biometric data of a person proximate the display. The at least one processor, when executing instructions stored in the memory, may be configured to: receive personal identifying information of the person via the user interface, receive captured biometric data of the person, and receive an expiry period of the biometric data via the user interface. The expiry period defines an expiry time at which the biometric data is to be deleted.

[0009] The HBDC device may include a camera facing a same direction as the display. The camera may be configured to capture at least one of: RGB images; or infra-red images. The HBDC device may include a thermal imaging camera to capture a thermal image simultaneously with capture of the biometric data. The thermal imaging camera may be configured to capture low resolution thermal images. The at least one processor may be configured to make a liveness determination based on the captured thermal image.

[0010] The at least one processor may be configured to transmit the personal identifying information, the captured biometric data and the expiry period or expiry time to a check-in facilitation server for storage.

[0011] The personal identifying information may include or consist of: a person name; and a mobile phone number; optionally wherein the person name includes a first name and a last name.

[0012] The HBDC device may include a finger print reader, a hand reader, an iris reader, or a gait analysis module.

[0013] The at least one processor may be in communication with an automated barrier system and may be configured to transmit a control signal to the automated barrier system to cause a barrier of the automated barrier system to open.

[0014] The system may include or form part of a hardware installation at a location requiring check-in for admission or passage, the hardware installation including a computing device that includes the at least one processor, the memory, the user interface and the HBDC device. The automated barrier system may be part of the hardware installation.

[0015] The system may further comprise a check-in facilitation server in communication with the computing device, the check-in facilitation server configured to store a check-in record for each person for which the check-in facilitation server receives personal identifying information, biometric data, an expiry period or expiry time and location information identifying a check-in location of the computing device.

[0016] The check-in facilitation server may be configured to transmit the personal identifying information and the location data to a check-in repository, and to withhold from transmitting to the check-in repository the biometric data or the expiry time.

[0017] The system may include a mobile personal computing device, for example as the check-in system or part of the check-in system.

[0018] Some embodiments relate to a check-in facilitation method executed by a server system, comprising: receiving at the server system check-in data including personal identifying information of a person, check-in location information, biometric data of the person and a user-specified expiry time of the biometric data; storing by the server system the personal identifying information, the check-in location information, the biometric data and the expiry time in a record in a data store accessible to the server system; determining whether the expiry time has passed; and deleting the stored biometric data in response to determining that the expiry time has passed.

[0019] The method may further comprise: transmitting the personal identifying information and the check-in location information from the server system to a check-in data repository that is separate from the server system. The method may further comprise: transmitting a message confirming deletion of the biometric data to a contact endpoint specified in the personal identifying information.

[0020] The method may further comprise: in response to determining by the server system that an expiry time has not passed, and a current time is within a reminder period prior to the expiry time, transmitting an expiry reminder to a contact endpoint specified in the personal identifying information. The expiry reminder may include an active link to content accessible via a client computing device to allow user modification of the expiry time.

[0021] The method may further comprise receiving at the server system in response to transmitting the link modification information indicating a modified expiry time and storing in the data store the modified expiry time as the expiry time.

[0022] Some embodiments relate to a method for a person enrolling their biometric data in a biometric database to specify how long they permit the data to be held for by that database. The time period specified for how long that data may be held may be referred to as the ‘retention period’ or ‘expiry period’. A server system that has access to the database shall periodically check all records of biometric data in the database to verify if any of the records have expired beyond their designated retention period. Any records found to be older than the retention period shall then be deleted from the database by the server system.

[0023] The system may optionally periodically check for any records with an upcoming retention expiry and notify the user of the impending deletion to allow the user to specify a new retention period so that the record is not deleted as soon.

[0024] The system may optionally provide a method for a person to view and access the currently specified retention period for their biometric data, and then choose to modify that retention period to extend it to a later date, or change it to a closer date. The system will then honour that new set retention period instead of the previously set period.

[0025] The system may optionally provide a method for a person to view and access the records currently stored that are within retention period and choose at that time to delete them on-demand. This will trigger the system to delete the record immediately rather than waiting for the system-initiated periodic check.

[0026] Once a record has been deleted the user must re-perform any actions required to create and store their biometric data once again. A deleted record will be deleted by the server and/or data store in a way that it should not be able to be recovered to be used again.

Brief Description of Drawings

[0027] Figure 1 is a block diagram view of a check-in system and network according to some embodiments;

[0028] Figure 2 is a block diagram view of a check-in system according to some embodiments;

[0029] Figure 3 is a flow chart of a check-in process according to some embodiments;

[0030] Figure 4 is a flow chart of a biometric data matching process according to some embodiments;

[0031] Figure 5 is a flow chart of a biometric data deletion process according to some embodiments;

[0032] Figure 6 is a flow chart of a biometric data interaction process according to some embodiments;

[0033] Figure 7 is a further flow chart of a biometric data interactions process according to some embodiments; and

[0034] Figure 8 is an example diagram of client devices accessible to a user according to some embodiments.

Description of Embodiments

[0035] Embodiments generally relate to systems and methods for receiving, processing, storing or sharing the biometric data of a person. In particular, embodiments relate to check-in systems and methods and more particularly to self-service (and automated) check-in systems and methods. In the disclosed embodiments, a user may initiate a check-in process, such as checking in to an airport, public transport terminal, sports stadium, or other venue, by interaction with a check-in device having a biometric data capturing device. The biometric data capturing device may comprise a camera, handprint sensor, thermal imaging device, any combination thereof, or some other device capable of receiving biometric data from the user. The biometric data is then associated with a user profile on a data store. As part of the interaction, the user can then specify the period of time in which their biometric data is held, after which the data is to be deleted. In some embodiments, the user may receive subsequent notifications confirming whether or not to allow their biometric data to be deleted, or whether it should be retained.

[0036] Figure 1 is a block diagram view of a check-in network 100 according to some embodiments. The network 100 comprises a client device 140 in communication with a server system 120 via a network 113. The server system 120 is in communication with a data store 125. The network 100 further comprises a check-in device 110. The check-in device 110 may be in communication with an automated barrier system 118. The automated barrier system 118 may operate a gate 119 or other barrier accessible to a user 102 to permit access or passage to a place or destination.

[0037] The client device 140 may further comprise a browser application 144, user interface 146, and camera 147. In some embodiments, the client device 140 may comprise a smartphone or tablet device, configured to be accessible to a user 102 by the user interface 146. The user interface 146 may comprise a touchscreen, and/or a keyboard device. The camera 147 may be a RGB digital video camera.

[0038] The network 113 may comprise at least a portion of one or more networks having one or more nodes that transmit, receive, forward, generate, buffer, store, route, switch, process, or a combination thereof, etc. one or more messages, packets, signals, some combination thereof, or so forth. The network 140 may include, for example, one or more of: a wireless network, a wired network, an internet, an intranet, a public network, a packet-switched network, a circuit-switched network, an ad hoc network, an infrastructure network, a public-switched telephone network (PSTN), a cable network, a cellular network, a satellite network, a fiber optic network, some combination thereof, or so forth. Client device 140, server system 120, and check-in device 110 may all be connected to communicate with each other via network 113.

[0039] Server 120 may comprise one or more computing devices configured to share data or resources among multiple network devices. Server 120 may comprise a physical server, virtual server, or one or more physical or virtual servers in combination.

[0040] Data store 125 may comprise a data store configured to store data from network devices such as client device 140 and/or check-in device 110. Data store 125 may comprise a virtual data store in a memory of a computing device, connected to network 140 by server 150.

[0041] Check-in device 110 may comprise a tablet device, smartphone device, or other computing device configured to capture biometric data of a user 102 using biometric data capturing device 115, when the user 102 is proximate to the check-in device 110. The check-in device 110 may be fixed in place at a site proximate to the automated barrier system, to allow a user 102 to interact with the device 110 to gain entry by the actuation of the gate 119.

[0042] Figure 2 is a block diagram view of a check-in system 110 according to some embodiments, comprising a check-in device 110 in communication with a server system 120, the server system 120 in communication with a data store 125.

[0043] In the embodiment illustrated in Figure 2, the check-in system 110 comprises a controller 212, wireless communication device 230, user interface 225, and biometric data capturing device 115.

[0044] Wireless communication device 230 may comprise a wireless Ethernet interface, SIM card module, Bluetooth connection, or other appropriate wireless adapter allowing wireless communication over a network. Wireless communication device 230 may be configured to facilitate communication with external devices such as client device 140 and server 150. In some embodiments, a wired communication means is used.

[0045] User interface 225 is configured to allow a user to initiate and interact with a check-in process. User interface 225 may comprise a display screen 235. Display screen 235 may be a touch screen display.

[0046] Biometric capturing device 115 may comprise a camera 240, handprint sensor 245, thermal imaging device 250, any combination thereof, or other device capable of receiving biometric data from a user 102.

[0047] Camera 240 may comprise a digital video camera (DVC), arranged to capture images of an area from which the check-in device 110 is accessible. In other words, the camera 240 captures images from a facing direction that is the same direction that the display screen 235 faces. The camera 125 may have an image resolution of about 1280x720 pixels (known as 720p) or greater, for example. The display resolution of the display screen 235 may be less than the image resolution of the camera 240. However, various suitable levels of resolution can be used for display screen 235.

[0048] Thermal imaging device 250 may be a low resolution thermal camera, configured to determine whether a person is in view of the check-in device. This may allow for improved operability, particularly in environments with many people in the surrounding area. Furthermore, the detection of a thermal presence in an image can be used as the basis for a determination that a user 102 is using the check-in device 110, and that an image of a person is not being held up to the check-in device.

[0049] Handprint sensor 245 may be a device capable of reading fingerprints and/or handprints of user 102.

[0050] The controller 212 comprises a processor 205 in communication with a memory 210 and arranged to retrieve data from the memory 210 and execute program code stored within the memory 210.

[0051] Processor 205 may include more than one electronic processing device and additional processing circuitry. For example, processor 205 may include multiple processing chips, a digital signal processor (DSP), analog-to-digital or digital-to-analog conversion circuitry, or other circuitry or processing chips that have processing capability to perform the functions described herein. Processor 205 may execute all processing functions described herein locally on the device 110 or may execute some processing functions locally and outsource other processing functions to another processing system, such as server system 120.

[0052] Memory 210 may include random access memory (RAM). This RAM may be volatile memory, where appropriate. Where appropriate, this RAM may be dynamic RAM (DRAM) or static RAM (SRAM). Moreover, where appropriate, this RAM may be single-ported or multi-ported RAM. This disclosure contemplates any suitable RAM. Memory 210 may include one or more memories 210, where appropriate. Although this disclosure describes and illustrates particular memory, this disclosure contemplates any suitable memory.

[0053] The memory 210 may further comprise executable program code that defines a communication module 213, user interface (UI) module 214, and biometric data processing module 215.

[0054] Communication module 213 may comprise program code, which when executed by the processor 205, implements instructions related to initiating and operating the wireless communication device 230. When initiated by the communication module 213, the wireless communication device 230 may send or receive data to or from server system 120. Communication module 213 may be configured to package and transmit data generated by the UI module 214 and/or retrieved from the memory 210 to a client device 145, and/or to server system 120.

[0055] Biometric data processing module 215 may comprise video face identification module 216, handprint identification module 218, and thermal image processing module 220.

[0056] Video face identification module 216 may comprise a code module, which, when executed by the processor 205, identifies and extracts biometric data from the face 105 of a user 102 in a digital image captured by camera 240. This data may include the arrangement and/or size of facial features, used to identify a person with a high degree of confidence.

[0057] Handprint identification module 218 may comprise a code module, which, when executed by the processor 205, identifies and extracts biometric data from the hand of a user when placed upon handprint sensor 245. This data may include the size/shape of a user’s 102 handprint, and/or the key features of their fingerprints or handprints.

[0058] Thermal image processing module 220 may comprise a code module, which, when executed by the processor 205, identifies and extracts biometric data from thermal images captured by thermal imaging device 250. This data may comprise temperature data indicative of a person being proximate to the check-in device 110.

[0059] Figure 3 is a flow chart of a check-in process according to some embodiments. In this embodiment, the check-in device 110 detects whether a user 102 is in view of the check-in device at step 305. At step 310, if the person is positioned to provide biometric data by the biometric data capturing device 115, the device 115 then captures the user’s 102 data. If the user 102 is not positioned correctly, the display screen 235 may direct the user 102 to reposition.

[0060] At step 302, a user’s 102 biometric data is captured by the biometric data capturing device 115, and then processed by the relevant modules within the biometric data processing module 215. This processed biometric data is then sent to server system 120 at step 325, by the processor 205 sending instructions to wireless communication device 230.

[0061] At step 330, the server system 120 then checks data store 125 and returns a comparison result at step 330 to the server system 120. At step 335, the server system 120 then determines whether the received data matches with data stored within the data store 125. If the data is determined to match, within a degree of accuracy, a user is then considered authorised. The server system 120 may then send an authorisation message to the check-in device 110 to indicate that the person is authorised to pass the barrier or gate 119. The check-in device 110 may then automatically send a control signal to the automated barrier system 118 to open the barrier or gate 119 to allow access to user 102 at optional step 345.

[0062] If the biometric data is not determined to match, at step 335, then a user’s 102 name and phone number are requested by the check-in device 110, at display screen 235, at step 350. These details are subject to a validity check by check-in device 110 at step 355, which, if failed, cause the check-in device 110 to deny check-in or deny entry to the user at step 360.

[0063] If the user’s name and phone number are determined to be valid at step 355, then their further input is requested at step 365, in order to provide an expiry period or an expiry time of the biometric data. The expiry time may be calculated by adding the expiry period to the current time. This expiry period may comprise 2 hours, 6 hours, 8 hours, 12 hours, 24 hours, multiple days, 6 months, 12 months, for example, or other time periods. At step 370, this user-specified expiry time is recorded and sent to server system 120. The expiry time may then be timestamped and associated with the biometric data and personal data, and sent to server system 120 to be stored on data store 125.

[0064] Figure 4 is a flow chart of a biometric data matching process according to some embodiments. At step 405, the server system 120 receives from the check-in device 110 a location of the check-in device 110 and captured biometric data. At step 410, the server system 120 queries data store 125 to determine if the received biometric data matches existing records.

[0065] If the biometric data matches existing records, at step 430 the check-in device 110 is notified of a match by the server system 120. At step 435, the server system 120 then generates and transmits check-in data, excluding the biometric data and the expiry time, to a check-in data repository in data store 125.

[0066] If, at step 410, the biometric data does not match an existing record, then the server system 120 notifies the check-in device 110 at step 415. At step 420, the check-in device 110 then requests from the user (person 102) personal identifying information and a user-specified expiry time for the biometric data. Once the check-in device 110 receives the personal identifying information and the user-specified expiry time from the person 102, that information and expiry time is then transmitted to server system 120 by check-in device 110.

[0067] At step 425, the server system 120 then stores personal identification data, biometric data, and expiry time in a record in the data store 125 associated with the person’s name and user-specified contact endpoint (usually a mobile phone number).

[0068] Figure 5 is a flow chart of a biometric data deletion process according to some embodiments. At step 505, the server system 120 may query the data store 125 to check the expiry time of stored biometric data. At step 510, if the expiry time of a user’s 102 data is less than a reminder period away from the current time, a reminder flag may be set at optional step 520. At step 525, the server system 120 sends a reminder to a client device 140 or personal computing device with a link to update the expiry time. At step 530, the linked content is served to browser application 144 on the client device 140, to allow an update of the expiry time. At step 535, a new expiry time is recorded and updated on the data store 125 by server system 120, and the process moves to step 515 to determine whether the expiry time has passed.

[0069] If, at step 510, the expiry time is greater than a reminder period away from the current time, then the server system 120 queries data store 125 to determine if the expiry period has passed at step 515. If the expiry time has passed, a deletion flag may be set at optional step 545. At step 550, a process to delete the biometric data is initiated by server system 120, and the server system 120 sends a notification to a client device 140 at step 555 prompting a user to confirm the deletion of their biometric data.

[0070] Figure 6 is a flow chart of a biometric data interaction process according to some embodiments. At step 605, a user 102 accesses a personal data update URL on client device 140. At step 610, the client device 140 is served code to receive personal identification information, and to trigger biometric data capture by a component of client device 145. This component may be a fingerprint sensor, front-facing camera, or other component.

[0071] At 615, personal identification information and captured biometric data is received by server system 120, sent by client device 140. At step 620, the server system 120 determines whether this data matches existing records in data store 125. If the data matches, code is served to client device 140 to display the expiry time of the data, and allow the user 102 to update the expiry time if desired. If the data does not match existing records, the user 102 is notified of this on client device 140 at step 622.

[0072] At step 630, the server system 120 determines whether a user has issued a deletion request regarding their biometric data. If so, then the biometric data within data store 125 is deleted by server system 120, and the server system 120 sends confirmation of deletion to the client device 140. Otherwise, at step 635, if no deletion request is received, an updated expiry time is sent from client device 140 and stored in data store 125.

[0073] The term ‘biometric data’, as used in the context of the specification, may refer to any data which is collected about or from a person that can be used to uniquely identify them by their biological traits. This can include, but is not limited to, biometric data including facial, iris, fingerprint, palm print, walking gait, and other types of biometric traits.

[0074] The term ‘retention period’ or ‘expiry period’, as used in the context of the specification, may refer to the amount of time specified by a person from when the biometric data is collected and stored, to when the data is requested by the person to be deleted from the system. This may be referred to by a particular date and time for when the data should be deleted. In this example, the biometric data may be collected on 1st January 2021 and the user may specify that the biometric data should be deleted on 1st June 2021. The retention period may be defined by a difference between a time stamp at which the biometric data was first captured and a user-specified expiry time. It may alternately be referred to by a number of units of time like number of years, months, days, hours, minutes. In this example the biometric data may be collected on 1st January 2021 and the user may specify it can be held for 30 days, resulting in the data being deleted once 30 days from 1st January 2021 has elapsed.

[0075] The term ‘retention period expiry’ or ‘expiry time’, in the context of the specification, may refer to the moment in time where a person-specified retention period has elapsed beyond the nominated date or period of time. Any biometric data held beyond the retention period expiry will be automatically deleted by the system.

[0076] The term ‘enrolment’ or ‘user enrolment’ used in the context of the specification may refer to the process of converting the captured biometric data to a format which can be stored and reused for various purposes at a later date. For example, when describing facial biometric data, the enrolment stage may involve transformation or tokenisation by the check-in device 110 (or optionally server system 120) of one or more photos of a person into a set of descriptive values. The set of descriptive values may include, but is not limited to, coordinates or measurements of the size and distance between facial features and landmarks, which can result in a ‘token’ or ‘tokenised data’ that is the descriptive dataset of the person’s face rather than the raw image of a face. The token or tokenised data is then used in subsequent uses, for example for comparison purposes. The raw image of the face may be optionally stored but may no longer be required by the system.

[0077] Figure 7 depicts the process undertaken by a user using the system 100, according to some embodiments, showing the steps from the capture and storage of biometric data and retention period through to the automated deletion of the data once the retention period has elapsed. The biometric data is first collected or captured from the user (1) in addition to the data retention period as specified by the user (2). The data retention period is stored with the biometric data and the two pieces of data shall always be linked. The storage of this data into the user biometric database (4) is described as the enrolment stage (3). A continuous separate process is running periodically and, when initiated, begins by querying the user biometric database for any records with a retention period that has elapsed beyond the current time (5). Any records that have not reached retention period expiry are ignored by the process as no action is needed (6b). Any records that have reached the retention period expiry are then deleted by the process (6a) from the user biometric database.
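The recurring check of Figures 5 and 7 can be illustrated with the following added example, which is not code from the specification. The SQLite schema, the function names and the sample records are assumptions made for illustration; expiry times are stored as absolute UTC timestamps so that the sweep compares like with like.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

def open_store():
    """In-memory stand-in for data store 125; this schema is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE biometric_records (
        person_id   TEXT PRIMARY KEY,
        token       BLOB NOT NULL,      -- tokenised biometric data
        captured_at INTEGER NOT NULL,   -- UTC epoch seconds
        expires_at  INTEGER NOT NULL    -- UTC epoch seconds, never NULL
    )""")
    return conn

def enrol(conn, person_id, token, captured_at, expiry_period):
    """Store the token linked to its expiry time (capture time + expiry period)."""
    if expiry_period <= timedelta(0):
        raise ValueError("expiry period must be positive")
    expires_at = captured_at + expiry_period
    with conn:
        conn.execute("INSERT INTO biometric_records VALUES (?, ?, ?, ?)",
                     (person_id, token, int(captured_at.timestamp()),
                      int(expires_at.timestamp())))
    return expires_at

def sweep(conn, now, reminder_period):
    """One pass of the recurring check: purge expired rows, list rows due a reminder."""
    now_s = int(now.timestamp())
    horizon = now_s + int(reminder_period.total_seconds())
    expired = [r[0] for r in conn.execute(
        "SELECT person_id FROM biometric_records "
        "WHERE expires_at <= ? ORDER BY person_id", (now_s,))]
    with conn:  # commits the purge, or rolls it back on error
        conn.execute("DELETE FROM biometric_records WHERE expires_at <= ?", (now_s,))
    # Rows left are unexpired; those less than a reminder period away get a reminder.
    remind = [r[0] for r in conn.execute(
        "SELECT person_id FROM biometric_records "
        "WHERE expires_at < ? ORDER BY person_id", (horizon,))]
    return expired, remind   # identifiers only, suitable for an audit log

def demo():
    conn = open_store()
    t0 = datetime(2021, 1, 1, tzinfo=timezone.utc)       # constructed sample data
    enrol(conn, "p-2h", b"\x01", t0, timedelta(hours=2))
    enrol(conn, "p-30d", b"\x02", t0, timedelta(days=30))
    enrol(conn, "p-182d", b"\x03", t0, timedelta(days=182))
    return sweep(conn, t0 + timedelta(days=29), timedelta(days=2)), conn
```

Declaring `expires_at` as `NOT NULL` means no record can be enrolled without an expiry time, which keeps the two pieces of data linked as paragraph [0077] requires.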

[0078] Figure 8 is a schematic illustration to depict some example embodiments of client devices, accessible to a user 102, allowing the user to update biometric data expiry times on data store 125.

[0079] Various embodiments relate to system and methods for the capture and storage of a person’s biometric data, for example as part of a check-in process. The check-in process may be for gaining access or passage to or through a location. For example, the location may include an entertainment location, a transport location, a health care location, a conferencing location or an education location, for example.

[0080] Some embodiments relate to a method for allowing a person to specify the period of time that their personal biometric data should be stored by the check-in system at the time that the biometric data is first captured and stored by enrolment into the system.

[0081] Some embodiments relate to a method to allow a person to view the retention (expiry) period that they had previously selected during enrolment.

[0082] Some embodiments relate to a method to allow a person to modify the desired retention (expiry) period of the biometric data after initial enrolment.

[0083] Some embodiments relate to a method to allow a person to view the currently specified retention (expiry) period if they have modified the retention period after initial enrolment.

[0084] Some embodiments relate to a method to allow a person to request immediate deletion of all biometric data that has been stored for that person for check-in purposes.

[0085] Some embodiments relate to a system and methods including, but not limited to, executable program code that, when executed by a computer processor, causes the processor to:

[0086] Provide a digital user interface for the person to specify, view and modify the currently selected retention period for their biometric data;

[0087] Update the currently stored retention period to a new value if the person changes their desired retention period;

[0088] Delete automatically any stored biometric data where the retention period selected by the person has elapsed beyond the current date or time;

[0089] Retain automatically any stored biometric data where the retention period selected by the person is later than the current date or time; and/or

[0090] Perform automatically the check to validate and compare the selected retention period against the current date or time in a configurable recurring time period that may be hourly, daily, or other regular time periods.

[0091] It will be appreciated by persons skilled in the art that numerous variations and/or modifications may be made to the above-described embodiments, without departing from the broad general scope of the present disclosure. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive.