GDPR and the ethics of biometric attendance data

How can biometric authentication be used under the General Data Protection Regulation? Clare Murray, Zeinab Harb and Jennifer Ross report

Biometric authentication – any solution that can be used to identify a person by their unique physical or behavioural characteristics – can seem like a ‘silver bullet’ for employers hoping to improve security and strengthen their attendance monitoring. 

Passwords reportedly account for 81 per cent of hacker-related data breaches, and swipe cards can easily be misplaced, but biometric solutions such as fingerprint or face recognition are not so easily ‘spoofed’ or hacked. Biometric systems can also be effective in combating employee fraud and misconduct. 

Despite these benefits, however, the House of Commons’ science and technology committee, in its report on the uses of biometric technology, stated that it had been told “repeatedly” that public attitudes towards biometric systems were “largely negative”. 

Employees are no exception, and being asked to provide fingerprint or facial data by an employer feels more intrusive than giving the same data to a bank, or even to Apple or Google. Yet employees may worry that they will be left with little choice in the matter if they want to keep their jobs. These fears are rooted in privacy concerns, as well as in ‘function creep’ – data recorded for one purpose in the workplace being used for another, such as law enforcement or targeted advertising. 

In addition to facing possible resistance from employees, an employer seeking to implement a biometric authentication system must also grapple with complex data protection legislation. The processing of employee personal data in the UK is currently regulated by the Data Protection Act 1998, but this is set to change on 25 May 2018 when the EU’s General Data Protection Regulation (GDPR) comes into force, despite the UK’s decision to leave the EU. 

The GDPR will increase the demands on employers, as well as significantly increase penalties for non-compliance, meaning that employers will need to pay closer attention to data protection in the workplace going forward. 

Under the GDPR, employee data must be processed in accordance with specific data protection principles, most of which are similar to those under the Data Protection Act. These include lawfulness and fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation and accountability. Employers must also satisfy at least one condition that justifies the processing. 

Importantly, under the GDPR, biometric data is classified for the first time as a ‘special category’ of personal data, meaning that it cannot be processed by employers unless it satisfies one of the additional conditions that permit the processing of special category personal data in specific and limited circumstances. These are: obtaining ‘explicit consent’ (although obtaining valid consent in an employment context will be much more difficult under the GDPR and requires further consideration), or where it is necessary for the purpose of carrying out obligations or exercising specific rights under employment and social security law or under a collective agreement. 

The GDPR also introduces a requirement to perform a privacy impact assessment in relation to processing that is likely to be high risk to the rights of the individual, and specifically makes privacy impact assessments mandatory in relation to large-scale processing of special category personal data. In certain circumstances it may also be necessary to consult the Information Commissioner’s Office (the UK data protection regulator) before starting any high-risk processing. 

Compliance with the GDPR should be borne in mind at all stages of implementing a biometric system and the employer should seek specialist legal advice early on. 

It remains to be seen how the GDPR will affect employer attitudes and practices in relation to employee data in general and biometric data in particular. However, in the US, where biometric systems are more widely used in the workplace, their implementation by various high-profile employers is already being challenged in the courts. 

For example, employee plaintiffs in Illinois have filed a class action lawsuit against hotel groups, grocers and care homes, alleging that their fingerprints and other biometric data were collected and used in violation of the state’s Biometric Information Privacy Act. The employees claim that their employer implemented a new system that logged attendance via fingerprint scanning without properly obtaining their consent or providing information as to how this data would be stored or used, whether it would be shared with third parties, and how or when it would be permanently deleted, all of which is required under that Illinois state law. 

This highlights that the undoubted benefit to be derived from such technologies is accompanied in each case by an inevitable loss of privacy for employees. As the boundaries between work and private life become increasingly blurred, it will only become more difficult to strike a balance between these competing interests. This is a challenge that will continue to face employers in the years to come.

Clare Murray is managing partner, and Zeinab Harb a trainee solicitor, at CM Murray. Jennifer Ross is a trainee solicitor at Peters & Peters