Employers are beginning to realize the potential benefits of using biometric systems in the workplace, such as facial recognition and fingerprint access systems. These include increasing security (e.g. reducing access to restricted areas), ensuring efficiency (e.g. eliminating the need for passwords, keys and cards), and monitoring employee health and performance (e.g. activity, productivity, tracking stress levels, etc.).
However, given the nature of biometric data and the sensitivities surrounding its use, and importantly its potential misuse, there are significant challenges to overcome when using biometric systems in the workplace.
Here are five tips to help UK employers make better use of biometric data in the workplace.
1. Follow data protection requirements
When an employer uses biometric data for identification purposes, it becomes a special category of personal data. Therefore, not only must there be a legal basis for processing personal data, but consent is also required before biometric data is processed.
Putting aside the thorny question of whether employees can truly give informed consent, explicit consent is often the only legal basis for processing special categories of biometric data.
Alongside the need for consent is the need for transparency. It is important that employees understand why their personal data is being collected, the extent to which it is collected, and how it will be used.
Employers should ensure that they have a clear purpose for processing biometric data and consider whether the proposed approach is appropriate or whether a less intrusive approach can be adopted. Employers are encouraged to conduct a data protection impact assessment when considering whether the use of biometric data is appropriate.
In our experience, such systems can be used in the workplace if employees understand the risks, benefits, and implications of using them, and if an ongoing dialogue is maintained between employer and employee regarding their use. You can use biometric data to your advantage. Information Commissioner’s Office guidance states that employees who object to the use of biometric data should be provided with an alternative, and that workers must not be disadvantaged by this alternative. In fact, it will be difficult for employers to know how they can offer alternatives, especially if they are building an entire system around the use of biometric data.
Employers should also have a policy that clearly states how long biometric data will be retained and when it will be deleted. In line with the principles of data minimization, personal data should only be kept for as long as necessary and for the intended purpose, and secure processes should be in place to ensure data deletion.
2. Enabling employees to trust the use of biometric data
Once trust is broken between an employer and an employee, it is very difficult to restore it.
It is essential to be open and transparent about why, how, what, where, when and for what purposes employee biometric data is used. Some employers may choose to make clear how the data will not be used. This gives employees confidence that their employer is serious about protecting their data rights.
Consulting with works councils and trade unions about the scope, purpose, duration of use, collection and storage of biometric data can help build employee trust in their employer.
3. Ensure appropriate security controls are in place
Biometric data requires robust security to protect it from unauthorized access, modification, or deletion. There are many examples of biometric data being lost. For example, in 2017, a British construction company lost an unencrypted USB device containing biometric data, including fingerprints. Another example is the Biostar 2 platform breach, which resulted in fingerprints, facial recognition, and other personal information being found in publicly accessible databases.
The UK’s National Cyber Security Centre has published guidance for organizations on how to select, configure and use devices securely. This includes guidance on the use of biometrics. Secure storage, encryption, and access controls are critical components of protecting biometric information to minimize (and preferably prevent) unauthorized access and potential breaches.
4. Addressing inclusivity, accessibility, and bias related to the use of biometric data
Biometric systems should not be introduced without ensuring that they can be used inclusively and effectively by all employees, including people with disabilities. Therefore, in some circumstances, employers may be required to consult with employees about possible reasonable adjustments to the system. This may be necessary if your system requires biometric data that is difficult for some employees to provide.
It is also important to ask questions about the inherent biases in biometric systems and how to continually address this. If a system is biased, it can disproportionately affect certain groups. This is seen when facial recognition systems are unable to correctly identify people of one race with the same degree of accuracy as other races, resulting in cases of mistaken identity.
If third-party vendors are providing technology, accessibility, inclusivity, and bias should form part of the due diligence exercise during the procurement process. If the purchase moves forward, the vendor’s obligations and responsibilities should be included in the contract.
5. Stay up to date with developing guidance and legislation
Ethical, legal and privacy issues need to be carefully considered when implementing biometric systems in the workplace, although legislation and guidance on how best to do this is still being developed in many countries.
Some countries, including various states in the United States, have laws specific to biometrics, while others have privacy laws such as the UK General Data Protection Regulation and the EU General Data Protection Regulation (and related regulatory guidance).
Biometric data is defined in the UK General Data Protection Regulation as: “Personal data obtained from certain technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which enables or confirms the unique identification of a natural person, e.g. by facial images or dactyloscopic [fingerprint] data.”
The UK Information Commissioner’s Office believes that the test for whether personal data is biometric data consists of three elements:
(i) Does the personal data relate to someone’s appearance, behavior, or observable characteristics (such as their voice, face, fingerprints, or the way they type)?
(ii) Was personal data extracted or further analyzed using technology such as voice analysis software?
(iii) Can the personal data uniquely identify the person to whom it relates?
Given the growing interest in the introduction of biometric systems, many are expecting the ICO to act, with the ICO announcing in August 2023 that it will produce guidance on biometric data and biometric technology. The ICO will consult on its draft biometric data guidance throughout the autumn of 2023, and will require submissions of evidence on biometric data classification and data protection in early 2024. The draft guidance, like the ICO, is practical in nature: it does not prohibit the use of biometric data, but sets out the data protection requirements that must be adhered to. Although it is not in its final form, it is a useful tool for employers to consult for further information, and it provides an indication of the ICO’s thinking in this area.
The ICO’s revised ‘Workplace Surveillance’ guidance, published on 3 October 2023, is also useful and relevant for employers who use biometric data to monitor their workers, such as fingerprints for access control and time/attendance management, facial recognition for signing on to devices, and webcam footage if used for identity verification purposes (for more information, see our article on new guidance on employee surveillance).
The guidance states that employers must:
- Clarify the purpose of monitoring.
- Choose the least intrusive means to achieve your goals; and
- Document your reasons for monitoring employees and what you intend to do with the information you collect.
We also recommend that employers carry out data protection impact assessments, whether or not they are legally required to do so.
In 2022, the ICO warned against the use of emerging biometric technologies. While no fines have yet been handed down for breaches in the UK, other data protection authorities in Europe have handed down fines for failing to properly handle biometric data. One example is the €700,000 fine for Budapest Bank for incorrectly performing sentiment AI analysis.
With UK data reform on the horizon in the form of the Data Protection and Digital Information Bill, employers should keep an eye on the proposed changes this bill could bring to biometric data projects.
Conclusion
While the idea of using employee biometrics in the workplace to improve security and efficiency is gaining momentum, the ICO makes clear that an employer’s business interests must never take precedence over worker privacy.
Employers considering the use of biometrics in the workplace should consider conducting a data protection impact assessment, engaging with employees, and considering issues of accessibility, inclusivity and bias. It’s important to be open and transparent about the purposes for which biometric data is being collected, how it is used, and how it is stored and subsequently deleted.
As new technologies and use cases emerge, it is important to stay up to date with new legislation and guidance, especially given the regulatory focus in this area and the new Data Protection and Digital Information Bill that is about to come into force. It is also important that employers continue to review their employment policies and practices to ensure compliance with evolving laws and guidance.
If you have any questions about the use of biometrics in the workplace, or would like to keep up with the latest developments in this area, please contact your usual Lewis Silkin contact.