A recent investigation report published by the Privacy Commissioner for Personal Data (the "Commissioner") found that collecting an employee's fingerprint to record the employee's attendance at work breached the Personal Data (Privacy) Ordinance ("PDPO").
There has been an increasing trend of employers using technology to collect biometric data of employees in order to achieve efficient and effective human resources management. Caution should be taken when collecting this kind of data, to comply with the PDPO.
The Complainant was employed by the Company as a furniture installer. On the first day he reported for duty the Company collected and recorded his fingerprint. The Complainant alleged that the Company had not informed him that they would need to collect his fingerprint when he accepted the employment offer.
The Company had adopted a fingerprint recognition system (the "System") in 2005 for the purpose of recording staff attendance. The Company explained that, as the use of a time clock could not eliminate the practice of staff punching time cards for one another, it decided, after balancing different factors, to use the System.
The Company had collected fingerprints of about 400 of its staff, and no staff member had ever refused to provide their fingerprint. Apart from the System, no alternative for recording attendance was provided to the Company's staff. The Company confirmed that the System was not used for security purposes. The System only recorded the minimum necessary to identify the staff member and record the time. Once recorded, the fingerprint was converted into numerical codes, which were then encrypted and stored. Only the time records could be downloaded when the System was connected to the server. There was no output port, and the Company could not directly access or transfer the fingerprint records from the System. The Privacy Commissioner for Personal Data investigated the complaint.
The Commissioner found that the System could ascertain the identity of staff from the fingerprint. Therefore, the fingerprint data collected satisfied the definition of personal data under the PDPO. The Commissioner commented that given its uniqueness and unchangeable nature, fingerprint data are sensitive personal data and extra care is needed when handling fingerprint data.
Data Protection Principle 1 ("DPP1") provides, among other things, that personal data shall not be collected unless the data is collected for a lawful purpose directly related to a function or activity of the data user and the collection of the data is necessary for or directly related to that purpose (DPP1(1)). DPP1(2) provides that personal data shall be collected by means which are lawful and fair in the circumstances of the case.
The Commissioner found that collection of the Complainant's fingerprint for attendance recording purposes was excessive and contravened DPP1(1). The Commissioner found that the System was privacy intrusive and had an adverse impact on personal data privacy. The Commissioner made the following findings:
- the Company's offices/shops were not high-security or sensitive places requiring a fingerprint recognition system to identify visitors (indeed, the Company acknowledged that the System was not used for security purposes);
- the number of data subjects involved in this case was considerable and would accumulate over time;
- as the Company could not confirm that it had taken appropriate security measures, there was a likelihood of accidental access to and abuse of staff data;
- the Company did not tell its staff whether whole or partial images of the fingerprints were collected by the System and did not inform them of the classes of persons to whom the data may be transferred;
- a statement in the Company's employees' code of practice that "all fingerprint records will be handled according to the Privacy Ordinance and will not be leaked" was not enough; the Company should also have informed its staff of the measures taken to safeguard fingerprint data against abuse or improper handling.
The Commissioner found that the System offered the option of using a password for identification. The Commissioner found that for the purpose of recording attendance, the collection of an employee's fingerprint data by the Company was unnecessary and excessive, and the Company contravened DPP1(1).
In relation to DPP1(2), the Commissioner said it is obvious that collection of an employee's fingerprint data is a lawful act, but questioned whether it is fair. The Commissioner considered collection to be unfair if a data subject is obliged to consent under undue pressure, undue influence or threat. The Commissioner considered that he needed to examine whether the data user had provided any information to let the data subjects clearly understand the possible impact of collection of their fingerprint data (including any adverse impact), and whether the data subjects were offered other, less privacy intrusive options so that they could make an informed decision.
The Commissioner noted the disparity in bargaining power between the employer and the employees. He considered it obvious that if staff did not cooperate in using the System for recording their attendance, they might be dismissed immediately. The Commissioner found that staff members were under undue pressure and threat if they objected to using the System.
The Commissioner issued an enforcement notice on the Company directing it to cease collecting staff fingerprint data (unless prior express consent was given voluntarily by the staff member) and immediately destroy all fingerprint data collected.
Upon receipt of the enforcement notice, the Company confirmed to the Commissioner that it had stopped collecting its staff's fingerprint data and substituted passwords for fingerprints for reporting attendance. The Company also confirmed that the fingerprint data in the System had been destroyed.
Employers are advised to carry out an assessment to determine whether the collection of sensitive personal data such as fingerprints complies with the requirements of the PDPO. Even if the collection can be legitimately justified, employers should implement sufficient privacy-protective measures against any potential leakage of, or unauthorized access to, the fingerprint data.
The Government has published a "Consultation Document on Review of the Personal Data (Privacy) Ordinance" to invite public views on proposals to amend the PDPO. One of the major proposals relates to sensitive personal data, namely, should the Government subject sensitive personal data, such as fingerprints, to more stringent regulation?
Publications of the Commissioner are available at http://www.pcpd.org.hk/.
For inquiries related to this Client Alert, please contact:
Duncan Abate
Hong Tran