Executive Summaries Aug 9, 2023

Biometrics in the Workplace: Considerations and Challenges for Your Company

In recent years, a growing number of companies have been looking into biometrics to optimize the management of their human resources. But at a time when data protection and privacy issues are of topical interest, what obligations apply to companies—and more specifically to employers—in this regard?

Facts About Biometrics

Biometrics is generally defined as the set of techniques that allows for the identification or authentication of an individual through their unique characteristics (physical, behavioural, or biological). These include:

  • fingerprint recognition;
  • iris recognition;
  • voice recognition; and
  • facial recognition (commonly known as “Face ID,” which your employees may already be using on their work-issued smartphones).

One undeniable benefit inherent to biometrics is that it allows for an almost irrefutable identification or authentication of employees, as their biometric characteristics are unique to them. This is a compelling argument for securing access to physical or technological infrastructure or for improving the monitoring and management of employees’ working hours.

Privacy Issues

While biometrics is a good idea in theory, caution should be exercised—especially when it comes to the management of human resources. Not only are biometric characteristics considered personal information protected by applicable privacy laws, they are also sensitive personal information, particularly due to the significant expectation of privacy they generate. For instance, should biometric characteristics be compromised or used for malicious purposes, this could cause great prejudice to the individuals they belong to.

It should also be noted that personal information must be collected only if necessary. However, the more sensitive the personal information is, the greater the expectation of privacy; consequently, this makes it all that much harder to justify the necessity of collecting such data. Therefore, collecting your employees’ biometrics simply because it’s useful, convenient or effective is not enough. On the contrary, the necessity of obtaining this data can only be determined after careful analysis on your part.

Considering the growing popularity of biometrics, especially in the workplace, the Commission d’accès à l’information du Québec (CAI) recently issued its findings regarding the use of biometric time clocks (PDF in French only), in which it reiterates the requirements for biometrics collection:

  • The intended purpose of the collection must be important, legitimate and real, and tied to an existing problem within your company—and not just an anticipated one, such as possible theft of time or merchandise.
  • The data collected must be proportional to the intended purpose. That means there should be no less privacy-intrusive means of achieving your purpose; if there are, these should be prioritized. As such, the CAI asserts that a company’s desire to keep employees from losing or breaking their identification swipe cards does not justify the collection of such sensitive data. The same applies to companies wishing to use biometrics to improve internal productivity by automating their payroll or attendance systems or to reduce the risk of human error caused by manual data entry.
  • Employees must give their explicit, free, informed, and specific consent and be provided with a less intrusive alternative should they refuse to consent. In other words, you cannot require your employees to provide their biometric characteristics. It should also be noted that obtaining consent does not allow for the collection of biometrics if these are not necessary (these two conditions being cumulative).

Even if you consider that you have met these requirements, other security measures should also be implemented. For example, biometric prints should not be saved as cleartext and, ideally, data storage should be decentralized and located in Canada.

Therefore, you should tread carefully before deciding that the benefits related to using biometric time clocks or identifying your employees through facial recognition outweigh the risks of invading their privacy.

Reporting Biometrics Use to the CAI

In addition to complying with the requirements above, you must notify the CAI if you use biometrics for employee identification or authentication purposes. If you store biometric data, you must disclose this to the CAI no later than 60 days before your database is brought into service. The CAI may suspend or prohibit the bringing into service of such a database, or order its destruction.

Feel free to contact our Privacy and Data Protection and Labour and Employment Law teams, who will be happy to advise you and guide you through this matter.
