Biometric Authentication at the Workplace: Risks and Legal Challenges

Last Updated: December 16, 2021

Biometric authentication is gaining popularity at the workplace, but it comes with data protection challenges. We explore the risks, the legal requirements, and the most important factors to consider before introducing biometric systems.

Biometric systems are increasingly used across the globe as more and more employers require biometric verification to unlock company devices or to allow access into restricted areas. By implementing a biometric system, security and fraud detection can be significantly improved in addition to cutting other security costs. However, it is important to be aware of the potential privacy impacts of such systems and to give due consideration to data protection requirements before their implementation.

1. What is biometric data?

Biometric data is derived from the physical or behavioral characteristics of an individual. Biometrics are treated as a “sensitive category of data” because they stem directly from the characteristics of a person and cannot be separated from them. The scope of biometric data is wide: a biometric identifier can be a fingerprint, a voiceprint, hand or ear geometry, or a retina or facial image.

2. What type of risks should employers consider before implementing biometric systems?

Unlike passwords, for example, it is impossible to change a biometric identifier, so its processing requires due diligence. Biometric data is considered to be one of the most authentic identifiers, therefore, unauthorized access to this data can open the door to serious misuse. Stolen biometric information can be used for identity theft, financial fraud or access to the employee’s private life, medical information, and so on. Accordingly, an employer must consider the methods of processing biometric data in order to ensure that such data is stored securely.

3. What are the rules under the EU’s General Data Protection Regulation (GDPR) for the processing of biometric data?

For the above reasons, the processing of biometric data can have a serious impact on data subjects’ private life. As a result, the GDPR introduced strict rules and conditions for its processing.

The GDPR gives biometric data a specific meaning. Its definition covers biometric data only when it is processed through specific technical means that allow the unique identification of an individual. Under the GDPR, if the processing is done by an identification system, i.e. a system used to identify the person who presents at the reader, it is considered processing of a “special category of personal data” and is subject to the restrictions of Article 9(1) GDPR.

On the other hand, verification systems only confirm whether the biometric data of the person who is present at the reader matches with the stored biometrics. The European Commission has recently confirmed that if the verification system does not serve to uniquely identify a natural person, it is not considered a special category of data processing under Article 9 GDPR but the general principles and rules of the GDPR still apply.

Whether biometric data is processed for identification or verification purposes, the GDPR requires, among other things, that the processing be lawful, fair and transparent, and limited to what is necessary in relation to the purposes for which the data is processed. We summarize below the most important requirements an employer should keep in mind when processing such data.

4. What to consider before applying a biometric system for verification purposes under the GDPR?

  1. Data minimization

Data minimization is a fundamental principle of data protection regulations. The biometric data used for verification purposes must be adequate, relevant and limited to what is necessary in the specific context. It should be analyzed case-by-case, taking into account the relevant factors, for example:

  • Whether the environment of the workplace requires high levels of security – are there areas that contain sensitive information or high-value goods?
  • Are there less intrusive ways to achieve the intended purpose?
  • Is this the most efficient system considering the administrative resources and costs involved?
  • Is it justified by a legitimate business interest? (e.g. prevention of buddy punching)

  2. Data Protection Impact Assessment

As outlined above, processing biometric data is likely to constitute high-risk processing; therefore, carrying out a data protection impact assessment (DPIA) under Article 35 of the GDPR will probably be required before implementing a biometric system. Most EU member states have even made it mandatory to carry out such an assessment prior to the processing of biometric data.

Within the framework of a DPIA, employers must identify the potential risks relating to the data processing. Depending on the risks identified, special technical and organizational safeguards may be required to minimize the risk of a data breach. These could include storing encrypted images, or only an encrypted partial representation (template) of the biometric, instead of recognizable raw images, or keeping the biometric data locally on a device held by the employee (such as their own magnetic card) instead of storing it in a central database.
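The two points above, the identification/verification distinction and the DPIA safeguard of storing only an encrypted template rather than a raw capture, are easier to see in code. The following is an added example written for this article; it is not code from the authors or from Tresorit. It assumes that feature extraction has already reduced each capture to a fixed-size bit template (a 256-bit string here), that matching is a Hamming-distance comparison with an assumed 20% threshold, and it uses HMAC-SHA256 in counter mode plus an HMAC tag as a standard-library stand-in for an AEAD cipher such as AES-GCM. All templates and user names are constructed sample values, not biometric data.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

TEMPLATE_BYTES = 32     # 256-bit template; size is an assumption for this example
MATCH_THRESHOLD = 0.20  # accept if at most 20% of bits differ; assumed tuning value


def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive a purpose-bound key from a master key (HMAC used as a simple KDF)."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for an AEAD cipher keystream."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_template(record_key: bytes, template: bytes) -> bytes:
    """Encrypt-then-MAC. The stored record is nonce || ciphertext || tag, never the template."""
    enc_key, mac_key = _subkey(record_key, b"enc"), _subkey(record_key, b"mac")
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(template, _keystream(enc_key, nonce, len(template))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_template(record_key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting: a tampered record is rejected, not matched."""
    enc_key, mac_key = _subkey(record_key, b"enc"), _subkey(record_key, b"mac")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("template record failed integrity check")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of differing bits between two equal-length templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a))


class TemplateStore:
    """Holds encrypted templates only; raw captures never reach the store."""

    def __init__(self, master_key: bytes) -> None:
        self._master = master_key
        self._records: Dict[str, bytes] = {}

    def _record_key(self, user_id: str) -> bytes:
        # One key per record, so a single leaked record key exposes one template only.
        return _subkey(self._master, b"record:" + user_id.encode())

    def enroll(self, user_id: str, template: bytes) -> None:
        if len(template) != TEMPLATE_BYTES:
            raise ValueError("template has unexpected size")
        self._records[user_id] = encrypt_template(self._record_key(user_id), template)

    def verify(self, user_id: str, probe: bytes) -> bool:
        """1:1 verification: decrypt only the claimed user's record and compare."""
        blob = self._records.get(user_id)
        if blob is None:
            return False
        return hamming_fraction(decrypt_template(self._record_key(user_id), blob), probe) <= MATCH_THRESHOLD

    def identify(self, probe: bytes) -> Optional[str]:
        """1:N identification: every stored record must be decrypted and compared."""
        best: Tuple[Optional[str], float] = (None, 1.0)
        for user_id, blob in self._records.items():
            distance = hamming_fraction(decrypt_template(self._record_key(user_id), blob), probe)
            if distance < best[1]:
                best = (user_id, distance)
        return best[0] if best[1] <= MATCH_THRESHOLD else None


def flip_bits(template: bytes, positions) -> bytes:
    """Constructed noise: flip the given bit positions to simulate a fresh capture."""
    data = bytearray(template)
    for pos in positions:
        data[pos // 8] ^= 1 << (pos % 8)
    return bytes(data)


# Constructed sample templates (not real biometric data); they differ in half their bits.
ALICE_TEMPLATE = bytes([0xA5]) * TEMPLATE_BYTES
BOB_TEMPLATE = bytes([0x3C]) * TEMPLATE_BYTES


def demo() -> dict:
    store = TemplateStore(master_key=os.urandom(32))
    store.enroll("alice", ALICE_TEMPLATE)
    store.enroll("bob", BOB_TEMPLATE)
    alice_probe = flip_bits(ALICE_TEMPLATE, range(0, 80, 8))  # 10 of 256 bits differ
    return {
        "verify_alice": store.verify("alice", alice_probe),       # True
        "verify_as_bob": store.verify("bob", alice_probe),        # False
        "identify": store.identify(alice_probe),                  # "alice"
        "identify_unknown": store.identify(bytes(TEMPLATE_BYTES)),  # None
    }


if __name__ == "__main__":
    print(demo())
```

The design difference the text describes is visible in `verify` versus `identify`: verification decrypts and compares a single record chosen by the claimed identity, while identification has to open every record in the store, which is why the latter is the case the GDPR treats as special-category processing. The store itself never holds a raw capture, only an integrity-protected ciphertext, which is the minimization safeguard a DPIA would document.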

  3. Sufficient legal basis

Processing personal data must rest on a legal basis. For biometric verification, two legal bases come into consideration: consent or legitimate interest.

While it is questionable whether an employer can rely on freely given consent in an employer-employee relationship or not, consent would probably be considered a valid legal basis where the employee will not be penalized for refusing to use a biometric system or for choosing another identification/authentication method. For example, if an employee wants to use fingerprint identification instead of passwords to access his computer, his data may be processed lawfully on the basis of his consent.

In other cases, the employer’s legitimate interest may serve as a valid legal basis, for example, for working time recording. In these cases, the employer must conduct a legitimate interest assessment, a balancing test that decides whether the interests of the data processor (i.e. the employer) outweigh the impact on the private life of the data subjects (i.e. the employees).

It is important to keep in mind that where processing is done by an identification system, a specific condition under Article 9 will also need to be satisfied.

  4. Transparency

Employers must ensure that they inform employees about their processing of employee data, including biometric data, in a clear and transparent manner. In the first decision under the GDPR regarding biometric data, the ICO, the data protection authority of the UK, clarified some criteria under the transparency principle. According to the ICO, data subjects must be informed and provided with sufficiently clear information about the use of biometric verification, including whether such processing is obligatory or not, as well as the data subjects’ right to withdraw their consent to such processing at any time without disadvantageous consequences.

Key learning: use biometrics but with caution

While it may seem to be obvious to use biometrics at the workplace for certain purposes, there are a number of factors which need to be taken into account from a privacy perspective. Employers must act with caution and consider the requirements of the GDPR in addition to evolving national data protection rules.

Co-author: Boglárka Fekecs

Boglárka Fekecs is a recently graduated junior lawyer who has joined Tresorit to assist with data privacy issues. She wrote her dissertation on profiling under the GDPR and has a strong interest in data protection and privacy law. She supports the Tresorit team by conducting research on guidelines issued by EU bodies and national data protection authorities from different countries and by keeping an eye on the latest news and regulations.

Petra Kovacsics

Legal Counsel, Tresorit

Petra Kovacsics is a legal counsel specialized in data and technology law, including data protection, cloud computing and IP protection. She helps Tresorit, a Swiss company providing an end-to-end encrypted file sync and sharing solution, to ensure the GDPR compliance of the company and its customers. Before joining Tresorit, Petra worked at a “Magic Circle” law firm for more than five years where she advised clients on data protection, employment and competition law matters. Petra holds an LLM degree in “International Business Law” from the Central European University.