Biometrics in the workplace
The use of technology that collects biometric data in the workplace is becoming increasingly common. Biometric data are personal data resulting from the technical processing of physical, physiological or behavioural human characteristics, which allow the identification of a living individual. Examples include facial and fingerprint recognition technology used for security purposes or to record time and attendance, or more recently, temperature screenings for COVID precautions. However, the introduction of the UK General Data Protection Regulation (“UK GDPR”) has brought with it an increased awareness of the rights of individuals to their personal data, and as a consequence the use of such technologies in the workplace has come under increased scrutiny.
One of the reasons for this increased scrutiny is that biometric data fall into the higher-risk category of personal data, i.e. a special category of data use of which is susceptible to being viewed as intrusive unless there are clear legitimate grounds for use. Employers are urged to tread carefully prior to processing biometric data, to minimise the risk of falling prey to the UK Information Commissioner's Office enforcement powers which include the ability to issue penalties of up to the greater of 4% of turnover or £18 million. This article will set out some key considerations for employers when using (or contemplating using) biometric technologies in the workplace.
Purpose and proportionality of processing
There should be a clear purpose for processing this type of personal data. Given it is considered generally quite an intrusive means of processing, employers should consider whether its processing is proportionate or whether its purpose can be achieved via less intrusive means. Undertaking a full data protection impact assessment (“DPIA”) before processing biometric data is highly recommended, and required under the UK GDPR.
It has become clear through case law and guidance that the processing of biometric data in the workplace needs to meet a high threshold before it is deemed acceptable, as demonstrated in the Amsterdam case of Mansfield Shoe Company, which, while not binding on UK courts, is likely to be considered persuasive. In this judgment, the court considered the company's use of biometric data for employee cash access, clocking-in and clocking-out, and ruled it unlawful on the basis that it did not meet the requirements of Dutch data protection laws; but, more generally, that the processing was not proportionate. While there was a clear purpose, the employer had failed to demonstrate why other less privacy intrusive systems had not been considered and as such failed to identify whether the processing was proportionate.
While the judgment highlighted that the use of biometrics in the workplace is not forbidden in all cases, it clearly stated that any use would need to meet a high threshold in terms of purpose and proportionality. Any DPIA carried out should clearly consider not just what the employer is trying to achieve but whether the processing is proportionate, i.e. can the same purpose by achieved by less intrusive means?
Lawfulness, fairness and transparency of processing
The UK GDPR requires organisations who wish to process personal data to have a lawful basis (article 6) and valid exception (article 9) to process biometric data. The question of lawfulness can be tricky; consent is unlikely to be an option given the imbalance of power between the employer and employee, and thus any reliance on consent may be deemed invalid.
In fact, the most obvious solution to the matter is often to rely on legitimate interest under article 6, and in terms of article 9, the valid exception of “processing is necessary for the purposes… in employment law”. However, in the case mentioned above, it became clear that the threshold requirements are high, and simply looking at this option as a catch-all solution to the use of biometric data to solve possible problems such as work-related fraud or time and attendance may not be sufficient.
In the UK, employers would also need to consider the requirements of the Data Protection Act 2018. Schedule 1, Part 1, para 1(1) does provide for processing if necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the employer, but to rely on this the employer would need to clearly identify what obligation or right it was exercising, and particular care ought to be given to the necessity of the processing to perform this obligation/right. It is unlikely to be deemed lawful if it can be achieved by other means.
As such, careful attention needs to be taken when looking at the lawful conditions for processing biometric data. It is prudent to examine the lawful conditions available and determine their suitability for processing.
Regardless of what personal data your organisation processes, you should ensure you have a fair and transparent notice to provide to those individuals that it affects – often called a privacy notice. If processing biometric data in the workplace, it is a legal requirement to ensure you notify your employees through the privacy notice of this processing activity. You will need to include information regarding the purpose of processing, the lawful conditions for processing, and details of how the individual can exercise their rights or raise concerns about the processing activity. You must ensure this information is easily available and communicated to all individuals it affects.
Security risk
The loss of personal data can be devastating for both the organisation processing the personal data and the individual it affects. Given the unique attributes of biometric data, such data loss can have serious consequences for all parties involved. The example of BioStar 2, a Suprema-based security platform, saw over 1 million biometric fingerprints and facial recognition data compromised. The system used by banks and the police highlighted the need for organisations to ensure robust security measures in place, including but not limited to access control procedures and encryption. Organisations should also carry out regular penetration testing to ensure their security controls over the biometric data are up to date and robust.
What should you need to do?
Organisations looking at biometric processing as an option need to consider the following points:
- Consult your DPO or person responsible for data protection compliance early on so they can support the organisation with the project and ensure it complies with data protection
- Also, consider, can you achieve the same result through a less intrusive form of processing? Is the processing disproportionate to the purpose? If the answer to either of these questions is yes, it becomes challenging to justify using biometric technology. An example may be the use of biometrics for clocking-in and clocking-out. This can be achieved by using the clock-in/out cards, so the use of biometrics data becomes difficult to
- If the organisation still considers biometrics a viable option, it is essential to have the correct lawful conditions for processing. This will require an assessment of article 6 and article 9 of the UK GDPR and determining the correct lawful conditions for the processing
- Given the intrusiveness of processing biometric data, the organisation must conduct a DPIA. This should identify any risk and remedial action to mitigate those risks. This should also consider issues surrounding data minimisation, retention and data security. This would involve undertaking necessary due diligence and risk assessments on suppliers to ensure appropriate technical, contractual, and organisational measures to protect the data. DPIAs and the use of the biometric system generally ought to be revisited
- Be transparent with your staff by ensuring the staff privacy notice covers this type of processing activity and has been communicated
- Add the processing to your record of processing
- Have a plan in place if the data is hacked or suffers a different type of personal data breach. This is unique personal data, and a personal data breach may cause a high risk to individuals; therefore, any personal data breach may well lead to an event that needs to be reported to the ICO and the data subjects. It could cause harm to your staff leading to a breakdown of the employer/employee relationship, and could cause reputational damage. Having a plan in place for the worst-case scenario will help the organisation respond quickly and appropriately should such an event occur.