There are two components. One is a policy and management component. This would ensure that the purpose for which you're collecting the information, in this case biometrics, is limited and clearly stated. You must explain why you are collecting it and you must limit your use to the stated purpose, so that you don't start cross-matching against things you did not intend, without informing the person that you were collecting it. It's a policy and a procedural issue.
There are also some new technical advancements that can make it hard or impossible to do that cross-matching. That's a much longer answer.