As physical offices reopen, providing secure access to workplaces will now be back on the agenda for many organisations. Some may feel swipe cards and lanyards are a little old school. Maybe they’re thinking about upgrading to biometric technology like fingerprint scanners as a way to improve security and convenience. But managers and business owners might not realise that biometrics bring data protection concerns.
This blog post looks at the issues relating to employee data. At the end, we also suggest actions to take if you plan to process employee data this way.
What the GDPR says about biometrics
Firstly, what does the General Data Protection Regulation (GDPR) say about biometric data? The regulation imposes specific safeguards on the processing of what is known as special category personal data. As Article 9 makes clear, this category includes biometric data such as fingerprints. Under Article 9, employers wanting to process their employees’ fingerprints or other biometric data need one of the following legal bases:
- The data subject has given explicit consent
- Processing is necessary for carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
- It is in the data subject’s vital interest
- It’s necessary for legal claims or defence
- Processing is carried out in the course of the organisation’s legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it
- Reasons of public interest
- The data subject is already making the personal data public
- Processing is necessary for archiving purposes
- It’s needed for medical assessment.
For the processing of such data to fall within an Article 9 exemption, an employer must be able to make a legitimate and reasonable argument that the biometric data is processed in the vital interests of its employees or for reasons of public interest. No other alternative basis is currently available. The onus to prove this legitimacy lies with the employer.
Safeguarding data subjects’ rights
Looking at Ireland specifically, section 46 of the Data Protection Act 2018 (DPA) covers the processing of sensitive personal data in relation to employment and social welfare law. Section 45 of the DPA states that organisations must take suitable and specific measures to safeguard data subjects’ fundamental rights and freedoms.
Processing special categories of personal data is lawful where the processing is necessary for exercising or performing any right or obligation which is conferred or imposed by law on the controller or the data subject in connection with employment or social welfare law.
The EU perspective
In 2020, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) issued a €725,000 fine against a company for unlawfully processing its employees’ fingerprints for attendance and time registration. In this case, the organisation tried to rely on employees freely giving consent. However, the Dutch DPA stressed that employee consent is in principle not valid because employees depend on their employer and will often not be in a position to refuse.
One way out of this dilemma is to ensure that options are available which allow employees to consent freely. This view of employer-employee consent is important to note in an Irish context. Giving employees a choice is one of our recommendations (see below). This helps to eliminate the power dynamic that may be present in some employment relationships and avoids such issues.
There is currently no concrete guidance from the Data Protection Commission (DPC) on fingerprints, but indications from past cases also suggest that processing biometric data by scanning employees’ fingerprints or thumbprints does not meet the current provisions set out in the GDPR.
Fit to print? Next steps on workplace biometrics
So, where does this leave organisations that might want to process employee biometrics? We recommend considering the following points first.
- Carry out a data protection impact assessment (DPIA) on the chosen security system (e.g. fingerprint scanner)
- Have a specific privacy notice on the use of fingerprints available on all platforms
- Make the data processing agreement (DPA) available to data subjects on request
- Update the record of processing activities (ROPA) once the purpose and legal basis have been agreed
- To establish a legal basis, obtain consent from the employee for the processing of their personal data under Article 6 of the GDPR
- For the processing of biometric special category data, organisations should obtain explicit consent from the employee, subject to Article 9 of the GDPR
- Give employees the option of using a swipe card or key fob, or entering a PIN, as an alternative to fingerprint scanning. Offering a choice will help eliminate the issue of unfair dealings and power imbalances between employer and employee. Alternative choices ensure consent is freely and accurately given
- Comply with complainants’ rights under Articles 1-21 of the GDPR, paying special attention to Article 18 on the right to restriction of processing.