The collection of staff fingerprints as part of human resources management processes should be exercised with caution to comply with the Personal Data (Privacy) Ordinance (PDPO). A recent investigation report published by the Privacy Commissioner for Personal Data found that collecting such biometric data to record employees' work attendance breaches the PDPO.
In the case at hand, the complainant accepted employment with a company as a furniture installer. On his first day of duty, the company sought to collect and record his fingerprints. The complainant alleged that the company had not informed him of this when he accepted the job.
The company had adopted a fingerprint recognition system in 2005, with no alternative, for the purpose of recording staff attendance. It stated that the use of a time clock could not eliminate the practice of staff punching time cards for each other.
None of the company's 400 staff had refused to provide the data. The company said that the system was not used for security purposes and that it only recorded the minimum data necessary to identify the staff and record the time. Once recorded, the fingerprints were converted into numerical codes, which were then encrypted and recorded. Only the recorded times could be downloaded and the company could not directly access or transfer the fingerprint records from the system.
The Commissioner found that the system could ascertain the identity of staff from their fingerprints and that the data therefore fell under the definition of "personal data" under the PDPO. He commented that, given the uniqueness and unchangeable nature of fingerprints, they amounted to sensitive personal data, requiring extra care.
Data Protection Principle 1(1) under the PDPO prohibits personal data from being collected, unless it is for a lawful purpose directly related to a function or activity or the data user and the collection of the data is necessary for, or directly related to, that purpose. Data Protection Principle 1(2) requires that personal data be collected by lawful and fair means under the circumstances.
The Commissioner also found that collection of the complainant's fingerprints to record attendance was excessive and contravened DPP1(1). He added that the system intruded on staff's privacy and made the following findings:
Regarding DPP1(2), the Commissioner said the collection of an employee's fingerprint data was lawful, but he questioned whether it was fair. He considered collection to be unfair if a data subject is obliged to consent under undue pressure, influence or threat. He said he needed to consider if the company had provided any information to allow employees to clearly understand the possible impact of the fingerprint collection (including any adverse impact) and whether they were offered other less privacy intrusive options in order to make an informed decision.
- The company's premises were not high-security or sensitive areas requiring a fingerprint-recognition system to identify visitors
- The number of people from whom data had been collected was considerable and would accumulate over time
- As the company could not confirm that it had taken appropriate security measures, there was a likelihood of accidental access to, and abuse of, staff data
- The company did not inform staff of whether whole or partial images of the fingerprints were collected and did not tell them who might gain access to the data
- A statement that "all fingerprint records will be handled according to the Privacy Ordinance and will not be leaked" in the employees' code of practice was insufficient. The company should also have informed staff of measures taken to safeguard data against abuse or improper handling
The Commissioner noted the disparity in bargaining power between the employer and the employees, and noted that it was obvious that if staff did not cooperate in using the system, they might be summarily dismissed. The staff were therefore under undue pressure.
He issued an enforcement notice on the company, directing it to cease collecting its staff's fingerprint data (unless express prior consent was given voluntarily) and to immediately destroy all collected data.
In response, the company confirmed that it had stopped collecting employees' fingerprints and had substituted passwords for fingerprints to record attendance. It also destroyed all existing fingerprint data.
In conclusion, the collection of fingerprint data merely for attendance recording purposes may not be legal under the PDPO. Even if the collection can be legitimately justified, employers should implement sufficient privacy protective measures against any potential leakage of, or unauthorised access to the data.
|Q & A on the legality of collecting fingerprint data|
|Q1 ||What information should data users provide to data subjects before collecting their fingerprints?|
|A1 ||Data subjects should be informed explicitly of all the uses of the data collected and all the parties to whom the data may be transferred. |
|Q2 ||Is it fair to collect an employee's fingerprint data?|
|A2 ||This depends on whether the employee freely and voluntarily, without undue pressure or influence, gives consent for the collection. If an employee gave consent fearing that adverse action might be taken against him/her, the consent would not be considered to have been given freely and voluntarily. An employee should also be given the right to opt for a less privacy intrusive alternative. |