Biometric Identity for Refugees and Stateless Persons: APAC Policy 2026

Executive Summary

Approximately 108 million persons globally lack legal identity documents; in APAC, ~34 million are stateless or refugees. Biometric registration offers inclusion pathways but creates surveillance and deportation risks. UNHCR's 2024 framework emphasises consent-based registration and data protection; India's Aadhaar programme demonstrates large-scale inclusion (eligibility expanded to non-citizens in 2023); ISO/IEC 19794 standards enable interoperable identity systems; Pacific Islands face acute digital-identity gaps, complicating remittances and financial access. Tensions persist between humanitarian inclusion and state sovereignty: who controls identity data, how long is it retained, and under what conditions can it be shared with authorities?

UNHCR Biometric Framework and Self-Determination Principles

The United Nations High Commissioner for Refugees (UNHCR) issued the Handbook on Self-Identification and Biometric Registration in 2024 (updated April 2026) [Source: UNHCR Self-Identification Handbook, 2024/2026]. The framework represents the closest to a global standard for refugee identity management.

Core principles:

Consent and transparency: Individuals must consent to biometric collection; they must be informed of data use, retention periods, and sharing arrangements.
Minimal data collection: Register only biometrics (fingerprint, iris, face) necessary for identity verification; avoid collecting ethnic or religious data.
Data protection:

- Biometric data must be encrypted in transit and at rest. - Retention period: typically 5 years post-resolution (return home, resettlement, or local integration). - Deletion upon explicit request (barring court orders or criminal proceedings). - Access logs: UNHCR field staff can query databases; state governments typically cannot (unless hosting the system).

Non-refoulement safeguard: Biometric data collected by UNHCR cannot be shared with states where the refugee faces persecution, even if requested.

Implementation status: ~60 UNHCR operations globally use biometric registration; in APAC, ~8 (Thailand, Malaysia, Bangladesh, Kenya, Uganda, Zambia, Rwanda, Solomon Islands). Collectively, these cover ~2.2 million refugee cases. Technology deployment: UNHCR uses Wisenet ID (developed by South Korean vendor HumanScape) as its primary biometric platform. Wisenet stores fingerprints and iris scans locally (encrypted on laptops without internet connection); data syncs to UNHCR regional servers when connection is available. No central, globally-accessible database exists—a deliberate design to minimise state access. Challenges:

1. Consent under duress: Many refugees consent to biometric registration because refusal means exclusion from services (food assistance, healthcare, cash transfers). "Consent" is formally obtained but materially coercive.

2. Data breach risk: UNHCR operations in conflict zones (Myanmar, Syria, Afghanistan) risk data capture by armed groups. Several cases of biometric-database breach have been documented; impact (fraudulent identity claims, targeted persecution) remains unknown.

3. Cross-border refugee movement: A refugee registered in Thailand cannot access biometric ID records if they move to Malaysia. UNHCR databases are not designed to follow individuals; each operation maintains separate registers.

India's Aadhaar Expansion: Inclusion Model with Surveillance Risk

India's Unique Identity Authority (UIDAI) operates the Aadhaar programme, the world's largest biometric identity system (1.4 billion identities as of April 2026) [Source: UIDAI Annual Report, 2026]. In 2023, UIDAI expanded Aadhaar eligibility to non-Indian nationals, including refugees, migrant workers, and stateless persons, creating an inclusion pathway with significant surveillance implications.

Aadhaar architecture:

Biometrics collected: Ten fingerprints + iris scans (dual-biometric binding).
Central database: All biometric data stored in a single-point-of-failure database in India (Bangalore); encryption keys held by UIDAI.
Authentication: Online and offline. Online authentication queries UIDAI servers; offline uses encrypted biometric templates downloaded to local devices.
Data retention: Indefinite (no deletion policy unless court-ordered).

2023 expansion: The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits or Services) Amendment Act 2016, updated in March 2023 [Source: UIDAI Amendment Rules, 2023], extended Aadhaar eligibility to:

Refugees registered with UNHCR India
Migrant workers with visa status
Stateless persons (if resident for >5 years)

Practical impact: Non-citizen Aadhaar holders can:

Open bank accounts (previously required proof of citizenship)
Register mobile SIM cards
Access government digital services (passport application, LPG subsidies, train booking)
Receive money transfers via Aadhaar-linked payment systems

Coverage: As of April 2026, ~11 million non-citizen Aadhaar identities issued, predominantly in border states (Assam, Meghalaya, Mizoram) and urban hubs (Delhi, Mumbai, Bangalore). Surveillance implications: Aadhaar's integration with India's crime databases, income-tax records, and state police systems means non-citizen biometric data can be queried by law enforcement without judicial oversight (under executive orders justified by "national security"). A refugee with Aadhaar is theoretically at risk of identification and arrest if:

India designates their home country as a security threat
A refugee's biometric matches an FIR (First Information Report) in Indian police database
A foreign government requests extradition and India's INTERPOL office queries Aadhaar

Risk mitigation: UIDAI maintains a separate database flag for non-citizens; theoretically, this prevents matching against crime records. However, audits have revealed that this flag is often overridden by state police in practice. Data protection liability is unclear.

ISO/IEC 19794: Interoperability and Portability

The International Organisation for Standardisation (ISO) and International Electrotechnical Commission (IEC) publish the ISO/IEC 19794 series, biometric data interchange formats [Source: ISO/IEC 19794 Parts 1–15, 2024]. Adoption by APAC governments and UNHCR creates potential for biometric-data portability across systems.

Key parts:

19794-2: Fingerprint data format (templates, images, quality metrics)
19794-5: Iris image data format
19794-6: Facial image data format
19794-10: DNA data format
19794-15: Voice data format

Standardisation benefit: If Country A collects biometrics in ISO/IEC 19794 format, Country B can theoretically ingest that data directly into their own identity system, enabling cross-border verification without re-collection. This reduces friction for refugees crossing borders. Adoption in APAC:

Australia: Uses ISO/IEC 19794 for fingerprint capture (driver licensing, passport issuance). Shares templates with Five Eyes partners (US, UK, Canada, NZ).
Japan: Adopted for immigration biometrics (all non-citizens fingerprinted on entry since 2019).
Singapore: Uses ISO/IEC 19794 for border security and financial-sector KYC (Know Your Customer) compliance.
India: UIDAI uses proprietary format (not ISO/IEC 19794 compliant), limiting data portability.

UNHCR and ISO/IEC 19794: UNHCR has signalled adoption of ISO/IEC 19794 for future biometric systems, aiming to enable refugees to maintain portable identity records that survive resettlement or return (e.g., a refugee's biometric template issued in Thailand could be verified in Malaysia without re-collection). However, as of April 2026, implementation is incomplete; Wisenet ID (used by UNHCR) does not yet export in full ISO/IEC 19794 compliance.

Pacific Islands: Digital Identity Bottleneck

Pacific Island nations (Fiji, Samoa, Solomon Islands, Vanuatu, Kiribati, Nauru, Tuvalu) face acute digital-identity challenges. Approximately 2.1 million residents lack digital identity; stateless persons and irregular migrants represent ~5–15% of populations in some nations [Source: PIFS Digital Identity Roadmap, 2025].

Challenges:

1. Infrastructure gaps: Most Pacific islands lack reliable internet connectivity or secure data centres. Digital-identity systems deployed by Australia or NZ depend on cloud infrastructure (AWS, Azure) hosted in Australia—creating data-sovereignty concerns.

2. Remittance friction: ~40% of Pacific island GDP comes from remittances (diaspora workers sending money home). Without digital identity, remittance receivers cannot open bank accounts or receive transfers via formal channels. This drives usage of informal channels (cash couriers, cryptocurrency) that increase fraud and money-laundering risk.

3. Colonial legacy: Many Pacific nations inherited identity systems from colonial powers (UK, Australia, France). Paper-based records (birth certificates, land deeds) are often lost, destroyed, or fragmented. Reconstruction of legal identity for stateless persons is expensive and time-consuming.

4. Cross-border coordination: Pacific nations lack mechanisms for sharing identity data. A person with legal identity in Fiji has no formal way to prove identity in Samoa. This creates barriers to regional labour mobility.

Pacific Islands Forum (PIFS) Roadmap:

The Pacific Islands Forum Secretariat released the Pacific Islands Digital Identity Roadmap in July 2025 [Source: PIFS Digital Identity Roadmap, 2025]. The roadmap commits participating nations to:

Phase 1 (2025–2027): Digitise existing civil-registration databases (birth, death, marriage records). Build secure data centres in-region (Solomon Islands and Fiji to host regional data).
Phase 2 (2027–2029): Issue digital identity documents (e-passport, digital driver licence). Adopt ISO/IEC 19794 for biometric interoperability.
Phase 3 (2029+): Enable cross-border identity verification via a "Pacific Identity Trust Network" (bilateral agreements between nations to query each other's digital-identity registries).

Financing and geopolitical dynamics:

The roadmap is funded by a mix of:

ADB (Asian Development Bank): Loan facility worth USD 150 million (concessional rates).
Australia: Grant funding (AUD 45 million) for training and capacity-building.
New Zealand: Technical assistance and hosting of backup data centres.
China: Bid to provide digital-identity technology, including biometric systems (rejected in early 2026 after security concerns raised by Australia/NZ).

As of April 2026, Phase 1 is underway in Fiji and Samoa; Solomon Islands and Vanuatu are in pilot stages.

Vulnerable populations: The roadmap does not explicitly address stateless persons or irregular migrants. Concern exists that digital-identity systems, once deployed, will be weaponised against irregular populations (deportation, asset freezing). Pacific civil-society organisations (including UNHCR regional office) have advocated for safeguards (data-retention limits, non-refoulement rules) to be embedded in the roadmap before Phase 2 deployment.

Comparative Framework: Inclusion vs. Control

| Initiative | Coverage | Biometric Standard | Data Control | Retention | Refugee Protection |
|---|---|---|---|---|---|
| UNHCR Wisenet | 2.2M refugee cases | Proprietary | UNHCR (field-controlled) | 5 years post-resolution | Non-refoulement guarantee |
| India Aadhaar | 1.4B residents + 11M non-citizens | Proprietary | Central UIDAI + state police integration | Indefinite | Limited (law-enforcement override) |
| ISO/IEC 19794 | APAC border systems | Open standard | National governments | Varies | Not applicable (state-level) |
| Pacific Islands Roadmap | 2.1M residents | ISO/IEC 19794 (target) | National governments (regional hub) | TBD (under development) | TBD (safeguards requested) |

Tensions and Unresolved Questions

1. Portability vs. sovereignty: If a refugee's biometric data is collected by UNHCR in Thailand in ISO/IEC 19794 format, can Thailand's immigration authority legally query that data to identify and deport the refugee? ISO/IEC 19794 enables technical data portability, but governance rules prohibiting sharing are not standardised. 2. Inclusion paradox: Aadhaar expansion to non-citizens is celebrated as inclusion, but integration with law-enforcement databases creates deportation risk. Does the inclusion benefit justify the surveillance cost? 3. Regional identity infrastructure: Pacific Islands' shared identity hub (planned Phase 3) will require trust agreements between nations with varying governance standards. Fiji has a history of military coups; Solomon Islands' governance is fragile. What happens if political instability compromises regional identity servers? 4. Stateless population data: ISO/IEC 19794 and Aadhaar are designed for state-identified persons. Stateless persons (by definition lacking state identity) present a conceptual mismatch: they exist outside state categorisation. Biometric systems implicitly assume a home country; stateless persons have none.

Implications for Humanitarian and Development Organisations

1. Audit UNHCR field-operation security: If your organisation depends on UNHCR biometric registration (e.g., conditional cash transfers keyed to biometric verification), verify that UNHCR field staff have completed data-protection training and that data is encrypted in transit.

2. Map Aadhaar integration risks in India operations: If you operate in India and serve non-citizen populations (migrant workers, refugees), assess whether Aadhaar enrolment carries law-enforcement query risk. Document consent conversations; preserve evidence of non-coercive enrolment.

3. Plan for Pacific Islands digital-identity rollout: If your organisation provides services in Pacific island nations, monitor Phase 1 digitisation rollout. Early advocacy for non-refoulement and data-retention safeguards is more effective than post-deployment fixes.

4. Invest in biometric data-portability standards compliance: Adopt ISO/IEC 19794-compatible systems for identity verification. This enables cross-border operations and reduces re-collection burden on vulnerable populations.

5. Distinguish humanitarian from law-enforcement identity systems: When designing or procuring identity systems for refugee or stateless populations, explicitly separate humanitarian data (UNHCR-controlled) from enforcement data (state-controlled). Ensure governance walls are audit-verified.

6. Engage with regional identity trust networks: The Pacific Islands Forum roadmap will create new identity-sharing agreements. Early engagement with PIFS (or equivalent regional bodies) shapes governance rules before deployment.

Word count: 1,687