Key Points:

  • When fingerprint data is collected merely for attendance recording purposes, the privacy risk will likely exceed the benefits
  • Before installing biometric devices, employers must assess whether they are able to comply with data protection principles

Many companies have adopted advanced technologies in the workplace that have brought remarkable changes to practices and routines, but these changes also bring new concerns and potential legal problems.

For example, there is a growing trend of replacing the traditional time clock and basic electronic access cards with security systems that collect and store personal biometric data. These include fingerprint scanners, facial recognition systems and devices capable of identifying an individual’s voice or iris. When collecting this kind of data, companies must be careful to comply with China’s Personal Data (Privacy) Ordinance (PDPO).

A recent investigative report published by the Privacy Commissioner for Personal Data (the Commissioner) found that collecting an employee’s fingerprint to record attendance at work breached the PDPO. The complaint was brought by an employee of a furniture installation company. On the first day he reported for duty the company collected and recorded his fingerprint. The complaint alleged that the company had not informed him that it would collect his fingerprint when he accepted the employment offer.

The company had adopted a fingerprint recognition system (the System) to record staff attendance. The company’s explanation was that the use of the time clock could not prevent staff from punching time cards for one another, so it decided to use the System.

The company had collected the fingerprints of approximately 400 employees, and none had refused to cooperate. Apart from the System, no alternative for recording attendance was provided to the employees. The System only recorded the minimum data necessary to identify the staff member and record the time. After it was recorded, the fingerprint was converted into numerical codes that were then encrypted and recorded. Only the time records could be downloaded when the System was connected to the server. There was no output port, and the Company could not directly access or transfer fingerprint records from the System.

Although the company said that all staff had given their consent and provided fingerprints willingly, the Commissioner disagreed. The reasons were that, first, there was a disparity in bargaining power between the company and its employees, raising a presumption of undue influence. Second, the staff had not been given a choice about providing fingerprint data or offered an alternative. And third, the company had not presented a clear, balanced explanation enabling employees to make an informed decision.

The Commissioner also found that the System could ascertain the identity of staff from the fingerprint. Therefore, the fingerprint data collected satisfied the definition of personal data under the PDPO. The Commissioner commented that given its uniqueness and unchangeable nature, fingerprint data is sensitive personal data requiring extra care.

Data Protection Principle (DPP) 1 provides that personal data shall not be collected unless the data is collected for a lawful purpose directly related to a function or activity of the data user and the collection is necessary for or directly related to that purpose. DPP 2 provides that personal data shall be collected by means that are lawful and fair in the circumstances of the case.

These principles were tested, and the Commissioner found the steps taken were unnecessary and excessive. Consequently, a warning letter was issued, and the Commissioner ordered the company to stop collecting staffers’ fingerprints and destroy all existing fingerprint data immediately. As remedial action, the company has stopped collecting fingerprints, deleted existing data, installed a less intrusive password-based system and voluntarily destroyed all fingerprint data.

There may be cases in which similar systems or devices are appropriate – for instance, in jewelry shops that need to restrict access to certain areas for security reasons. Even so, the employer should explain the reasons for collecting this data and the issues relating to personal data privacy. Staff would still have to give genuine, informed and unambiguous consent before providing their fingerprints and should do so in line with a clear procedure. In all cases, the employee’s decision should be respected.

However, given that fingerprints and other biometric data are unique, there may be additional concerns, such as the risk of identity theft. Before deciding to install these devices, employers should carefully assess whether they are able to comply with data protection principles. In particular, they should note the limitation principle set out in the PDPO, which states that personal data must be collected for a lawful purpose directly related to a function or activity of the data user. Any data requested should be necessary but not excessive.

Employers should carefully assess whether the advantages of collecting fingerprint data exceed the disadvantages. The following, though not an exhaustive list, are some relevant factors for consideration:

  1. The number of employees affected;
  2. The period of retention of staff fingerprint data;
  3. The scope and extensiveness of the collection of fingerprint data (e.g., whether only applicable to high-security areas);
  4. The intended use of the data collected;
  5. The impact of the collection of fingerprint data on the employer-employee relationship;
  6. Whether current security measures are adequate to protect staff’s fingerprint data from loss or theft; and
  7. The extent of harm caused to staff in the event of data loss or improper handling.

Even if the collection can be legitimately justified, employers should implement sufficient privacy protective measures against potential loss of or unauthorized access to fingerprint data. When fingerprint data is collected merely for attendance recording purposes, the privacy risk will likely exceed the benefits. To act prudently, employers should consider less intrusive options.

According to the Privacy Commissioner, systems that do not collect personal data such as fingerprints are not within the jurisdiction of the PDPO or the Commissioner. One example is a fingerprint recognition system that converts certain features of the fingerprint into a unique value and stores it in a smart card held by the employee. For verification, the employee puts his finger and the smart card on the recognition system. In this way, the employer has not collected employees’ fingerprint data or the value, and therefore has not collected any personal data as defined in the PDPO.