Legal & Compliance

ICAO 9303 vs. ISO/IEC 19794-5: What Swiss HR and Compliance Teams Really Need When It Comes to Employee Photos

ICAO 9303 and ISO/IEC 19794-5 are often confused. What Swiss HR and compliance teams really need when it comes to employee photos—with a comparison chart.

First things first: ICAO 9303 is the standard for machine-readable travel documents. ISO/IEC 19794-5 is the standard for biometric image quality, upon which ICAO 9303 is based. For Swiss companies that capture employee or ID photos on a large scale, both are relevant—but for different reasons. Those who don’t understand the difference will either invest in too much standardization or too little security.

Why this comparison is important at all

In requests for proposals for HR platforms, access control systems, or government ID cards, these two terms often appear in the same sentence—and are almost always used interchangeably. This is factually incorrect and leads to two common problems in practice:

First, photo collections are created that are labeled as “ICAO-compliant” but do not consistently meet biometric quality criteria. Second, solutions are purchased that are designed for maximum travel document compliance, even though a much more pragmatic ISO framework would suffice for the actual use case—such as a standardized employee photo on the intranet.

Both come at a cost. In the first case, through re-uploads, complaints, and manual rework. In the second case, through an overly complex process that discourages employees and stifles adoption.

ICAO 9303 in a sentence

ICAO 9303 is the International Civil Aviation Organization’s specification for machine-readable travel documents—namely, passports, ID-1 format identity cards, and visas. It defines not only the photo but the entire structure of the document: data fields, security features, chip structure, and the machine-readable zone. The photo is one element of this.

With regard to the photo, ICAO 9303 largely refers to ISO/IEC 19794-5. So when people say "ICAO-compliant photo," in practice they usually mean a photo that meets the biometric requirements of ISO 19794-5, within the legal framework of ICAO 9303.

ISO/IEC 19794-5 in a nutshell

ISO/IEC 19794-5 is the international standard for facial image data in biometric systems. It provides detailed specifications on how a biometric portrait must be captured in order to be processed by a machine, including resolution, lighting conditions, head position, eye position, background, neutral facial expression, reflections from eyeglasses, shadows, and saturation.

It is the true technical benchmark—and the aspect that companies can actually assess in practice because it is measurable.

| Aspect | ICAO 9303 | ISO/IEC 19794-5 |
| --- | --- | --- |
| Scope | Travel documents (passports, ID cards, visas) | Biometric facial image data in general |
| Primary recipient | Countries, government agencies, border controls | Manufacturers of biometric systems, integrators |
| What is covered | Document layout, including photo, chip, and MRZ | Image quality and file format of the facial image |
| Photo requirements | Refers to ISO 19794-5 | Defines them technically |
| Relevance for HR use cases | Indirect (compliance framing) | Direct (technical verifiability) |
| Relevance for government agencies | Direct and binding | Direct, as a technical foundation |

What this means for practice in Switzerland

In Switzerland, these standards are relevant to three types of customers, and all three have different needs.

Government agencies and regulated industries (vehicle registration offices, consulates, federal agencies, banks in the context of KYC) require ICAO 9303 as a mandatory framework. In this context, the standard is non-negotiable because the documents must be internationally recognized. A vehicle registration office that captures driver’s license photos cannot deviate from the ICAO requirements.

HR and internal communications teams in large corporations usually don’t need the full ICAO framework. What they really need is the ISO 19794-5 standard: consistent image quality across thousands of employees, so that intranet profiles, Active Directory entries, Outlook contacts, and Teams avatars don’t look like a random collection of WhatsApp photos. A strict ISO setup is sufficient—without the certification overhead of ICAO.

Compliance and IT security managers have a third perspective: they want to know whether the platform demonstrably meets the standard and whether the data never leaves the correct jurisdiction. Here, technical compliance becomes a data protection issue—and thus a question of the hosting location.

The typical mistake made in requests for proposals

Many specifications simply require "ICAO-compliant photo capture"—even when the only requirement is internal employee portraits. This may sound professional, but it unnecessarily complicates the process. The two most common consequences are:

Employees are faced with the same requirements that apply to passport applications—a neutral background with a specific level of brightness, no glasses that cause glare, and a precise head position. The re-upload rate skyrockets, adoption rates drop, and HR has to compensate manually.

Or, conversely: It is labeled "ICAO," but technically only a cursory ISO check is performed. The result is a photo pool that is neither internationally recognized nor internally consistent—and that will require extensive post-processing later on if used in a genuine ICAO application.

The right approach: Before issuing the request for proposals, determine whether the use case truly requires ICAO 9303 as a framework—or whether ISO/IEC 19794-5 is the more appropriate technical standard.

When data protection comes into play

As soon as facial images are involved, they constitute biometric data under the revised Swiss Data Protection Act (revDPA) and the GDPR. This has two practical consequences:

First, data processing must be documented, limited to a specific purpose, and, in the case of systematic capture, supported by a data protection impact assessment process. Second, the location where data is processed and stored is a key consideration. A platform hosted in the U.S. is subject to the U.S. CLOUD Act, which rightly raises concerns regarding biometric employee data in regulated industries. By the way, at PhotoCollect, 100% of all photos are processed in Switzerland.

For compliance officers, this means that the image standard (ICAO/ISO) and the platform’s data residency are two separate criteria that must both be met.

What to Look for When Choosing a Platform

Whether the focus is on ICAO or ISO requirements, the platform must clearly address four key areas:

  1. Automated validation against the relevant standard, not just a visual inspection. Sharpness, lighting, head position, background, and reflections from eyeglasses should be checked algorithmically before the photo reaches quality control.
  2. A low barrier to entry for employees. A personalized link sent to an employee’s own smartphone (BYOD) that doesn’t require installing an app is now the standard against which everything else must be measured. Anything else hinders adoption.
  3. A clear data residency policy. Where is data processed, where is it stored, and who has access to it—including the legal jurisdictions of cloud providers. For Swiss compliance use cases, hosting in Switzerland at an ISO 27001-certified data center is the minimum requirement.
  4. Seamless export to target systems: card printers, access control software, HR platforms, Active Directory. If you end up having to export data manually, all the efficiency gains are lost.

Conclusion

PhotoCollect is the Swiss SaaS platform for the automated, ICAO- and ISO-compliant capture of ID photos, with Swiss hosting, dedicated instances per customer, and over four million photos processed. It is used by the BMW Group, Migros, the Bern Cantonal Road Traffic Office, and the University Hospital of Basel, among others. Try it for yourself now.
