
Privacy Issues for Employers Using Biometrics in the Workplace

Biometrics technologies have been developed to help employers accurately track employee attendance and hours, track and promote productivity, and even monitor employee stress. However, as is so often the case, the trade-off for these benefits is increased biometric data flow – which means that biometrics in the workplace come with significant risk to both the employee and employer.  

What are Biometrics?  

Biometrics refers to technologies that recognise individuals based on certain physical or behavioural characteristics. The characteristics most commonly associated with biometrics technologies include faces, fingerprints, irises, palm prints, signatures, gait, and voice.

Biometrics are used for authentication and identification. In the workplace, they are also often used to monitor employees.  

For more information, we discussed biometrics in these earlier resources:  

Common Biometrics Technologies Used in the Workplace 

CCTV surveillance with facial recognition technologies and fingerprint scanning are two of the most common biometrics technologies we see used in the workplace in Australia.  

Anecdotally, we’ve also heard about increased use of productivity technologies that rely on biometrics throughout the pandemic – such as video sensors.  

Privacy Issues with Biometrics Used in the Workplace 

The significant risk that comes with the use of biometrics has led to European privacy authorities taking steps to curtail their use. An Italian health authority, for instance, was fined 30,000 Euros for its unlawful employee fingerprinting system. The privacy authority noted that it would be difficult, if not impossible, to obtain consent to collect biometrics in the employee-employer relationship given the power differential.  

When it comes to CCTV and facial recognition, the European Union is seriously considering an outright ban. You can read the European Parliament report on Regulating facial recognition in the EU for more detail.

Evidently, the collection and storing of biometrics comes with significant risks. Two of the greatest risks (in order of significance) are:  

Employee Risk: Biometric Data Can’t Be Changed or Cancelled 

Data breaches that result in biometric data being stolen represent a significant risk to the individuals who have provided their biometric data. Unlike driver’s licence and passport identifiers, telephone numbers, or email addresses, biometric data cannot (easily) be changed.

This means that individuals whose biometric data is stolen may face issues for the rest of their lives with securely using their biometrics for identification or authentication purposes.  

Employer Risk: Biometrics Complicate Workplace Compliance 

Biometrics are considered sensitive information under Australia’s federal Privacy Act. Employers who are covered by this legislation must consider the law before implementing any biometrics technologies.  

Where the biometrics are used for surveillance, there are state laws that apply. You can read our overview of CCTV surveillance privacy issues for more information.  

Given the legal risks, we urge employers to take the following steps before implementing any workplace technologies that collect, store, and use biometric data:  

  1. Consider whether there are less privacy-invasive solutions to whatever problem is being ‘solved’. If so, adopt those in preference to technologies that rely on biometric data.
  2. Ensure the appropriate departments and leaders know and understand the privacy implications of implementing the biometrics technology. Decision makers should be fully aware of the risk when compared to the rewards and should address (and minimise) the risk using appropriate measures, including increased security and training of all employees.  
  3. Ensure employee-facing documents are easy to understand and clearly outline the rationale behind the introduction of the biometrics technologies, as well as the risks. Employees should be informed of the risk as well as their options, if there are alternatives.  
  4. Get consent before gathering biometric information from any of your employees.  
  5. Take steps to reduce the risk of ‘function creep’. Function creep (in the context of privacy) occurs where data which is collected for one purpose is used for another.  

If your organisation needs help navigating the legal or practical aspects of biometrics in the workplace, reach out. Our privacy team would love to help.  

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.