Companies that deploy security systems which require employee biometric data, such as fingerprints, to validate and record access to restricted areas must consider how they will process this data in order to be compliant with the GDPR when it comes into force in May 2018.
In order to be legally compliant with data protection law, an employer must have a “lawful basis” or justifiable reason to process an employee’s personal data. As required under the current data protection regime, and in the GDPR, these reasons could include:
- employee consent
- where the processing is necessary for the performance of a contract to which the data subject has agreed
- for compliance with an employer's legal obligation
- where the processing is necessary for the purposes of legitimate interests pursued by the employer
- in the public interest
Even under current data protection law, consent has not been a reliable basis on which to legally legitimise data processing in the context of employment. According to recent guidance from the Article 29 Working Party, employees are rarely in a position to freely give, refuse or revoke consent. This is because of the imbalance of power between employee and employer. Employees can only give ‘free’ consent in rare circumstances, those being when no consequences at all are connected to an acceptance or rejection of an offer.
For this reason, an employer may be on unstable legal ground if relying on general employee consent. It may be difficult to show that their employee was able to freely consent to the use and processing of their data.
If an employer were to offer a biometric system as an option for access rather than requiring the employee to use it, consent might be considered as being freely given. However, allowing employees to ‘opt out’ of the use of the biometric system goes against the practical reasons for secure access in the first place.
Under the current data protection regime, an employer’s legitimate interests can be cited as a legal ground to process an employee’s biometric data, for example where the processing is strictly necessary for a legitimate purpose and complies with the principles of proportionality and subsidiarity. In this situation, an employer must conduct a proportionality test prior to deploying any monitoring tool. As part of the test, the employer should consider:
- if all data are necessary
- whether this processing outweighs the general privacy rights that employees also have in the workplace
- what measures must be taken to ensure that infringements on the right to private life and the right to secrecy of communications are limited to the minimum necessary
What is acceptable in one case may not be in another and an employer seeking to rely upon this ground must always take into account the potential effect on employee privacy rights.
Limited scope under GDPR
Unlike under the current data protection regime, biometric data is considered to be a special category of personal data under the GDPR. Processing of special categories of personal data is prohibited unless an ‘exception’ applies. Explicit consent given by the data subject to process their biometric data is one of these ‘exceptions’. Legitimate interests are not available as an exception to this prohibition.
However, in light of the stricter consent obligations under the GDPR and recent Article 29 Working Party guidance discussed above, an employer should seek alternative bases to explicit consent to process its employees’ biometric data. Once the GDPR is implemented, employers will be unable to rely upon legitimate interests to process biometric data of employees.
Accordingly, employers must rely upon another legal basis in order to use biometric data for secure access to their place of employment.
Unless an employer can make a legitimate argument that it is processing biometric data for the vital interests of its employee, or is doing so in the public interest, no other alternative basis is currently available.
Article 9.4 of the GDPR does permit Member States to maintain or introduce further conditions, including limitations to the processing of biometric data. The Irish legislation, as currently drafted, allows for the processing of biometric data for identification and security purposes, subject to appropriate safeguards. Article 88 of the GDPR also provides scope for Ireland to introduce more specific rules regarding the processing of personal data in the employment context.
Legislators will continue to flesh these sections out and issue further interpretative guidance in 2018. For now, employers should exercise caution when deploying these systems. They will need to consider other, less invasive methods of ensuring secure employee access to their place of employment come 25 May 2018.