Biometric AI in Refugee Registration: UNHCR BIMS, IrisGuard, and the Privacy Debate

Why biometrics ended up at the centre of refugee registration

Refugee registration has always faced the same hard problem: how to provide a durable, fraud-resistant identity to a population that often arrives without documents and whose social ties may not survive the displacement. The answer that the sector converged on in the 2010s was biometrics. UNHCR's Biometric Identity Management System (BIMS) has been the global standard since 2015. WFP's SCOPE platform integrates biometrics with food assistance. IrisGuard, used in the Zaatari and Azraq camps in Jordan for cash withdrawals at ATMs, made iris-based authentication a familiar daily experience for hundreds of thousands of refugees.

What the technology actually does

BIMS captures ten fingerprints, two iris images, and a facial photo per registered individual. Matching is one-to-many against the agency's own database and, in some country contexts, one-to-one against partner systems. The AI layer is straightforward by 2026 standards: well-understood matching algorithms operating on standardised templates, with measurable false-match and false-non-match rates. The harder work is operational — capture under field conditions, deduplication at scale, and integration with partner systems.

The benefits the published evidence supports

Three benefits recur in evaluations. Deduplication: biometric registration reduces double-registration in operations where it is a serious issue, freeing assistance for additional unique beneficiaries. Portability: a biometric identity travels with the refugee across border movements without depending on documents that may be lost or confiscated. Service access: cash withdrawal, food collection, and health-record retrieval can be authenticated without a physical card, which matters for populations whose belongings are repeatedly lost.

The harms and risks the literature documents

The harms cluster in three areas. Function creep: biometric databases collected for humanitarian registration have, in documented cases, been requested by host-state authorities and by countries of origin. The Human Rights Watch 2021 report on UNHCR data sharing with Bangladesh and Myanmar was the most consequential public case. Consent under duress: the practical meaning of 'informed consent' when registration is the gateway to food assistance is contested. Exclusion errors: matching failures (worn fingerprints, eye conditions, capture errors) can deny service if there is no manual fallback.

The governance frame in 2026

Three reference documents define current practice. The UNHCR Data Protection Policy (revised 2022). The ICRC Handbook on Data Protection in Humanitarian Action (third edition 2024). The IASC operational guidance on data responsibility. All three converge on: purpose limitation, data minimisation, refusal-without-penalty as the practical test of consent, and prohibition of transfer to third parties whose use is not compatible with the original protection purpose. Compliance is uneven.

What reporters and oversight bodies should ask

• What biometric data is collected and from whom?
• What is the legal basis and consent mechanism?
• Who can the data be shared with, under what conditions?
• What is the manual fallback when matching fails?
• How long is data retained, and how is deletion verified?
• Has the system been audited externally, and by whom?

Further reading and primary sources

• UNHCR registration and BIMS: https://www.unhcr.org/registration
• WFP SCOPE: https://www.wfp.org/scope
• UNHCR Data Protection Policy: https://www.unhcr.org/data-protection
• ICRC data protection handbook: https://www.icrc.org/en/data-protection-humanitarian-action-handbook
• HRW on Rohingya data: https://www.hrw.org/news/2021/06/15/un-shared-rohingya-data-without-informed-consent
• The Engine Room on biometrics: https://www.theengineroom.org/