Is collection of employee biometric data in the workplace legal in Hong Kong? The government is cracking down, say Hong Kong lawyers
The use of biometric data — such as DNA samples, fingerprints, palm veins, hand geometry, iris, retina and facial images — has become a feature of the contemporary workplace in a relatively short space of time, and there are concerns that the law has failed to keep up with technology and protect employees.
But, after a recent investigation of an employer’s use of fingerprint recognition technology, the Office of the Privacy Commissioner for Personal Data (PCPD) has criticised that practice, in part because it observed that the data collection cannot be fair if employers fail to get staff consent. The PCPD has released a guidance note to those collecting biometric data to comply with the Personal data (Privacy) Ordinance (PDPO).
The PCPD investigated a high-end fashion trading company that had installed fingerprint recognition devices in the workplace for security purposes and to record staff attendance.
The PCPD concluded that the use of these devices breached data privacy principles of the PDPO.
Under the ordinance, personal data cannot be collected unless the data is related to a necessary function or activity of the data user.
In this case, the fingerprint collection was neither a necessary nor effective means of securing the premises, as CCTV cameras, digital locks and other measures had already been implemented to prevent unauthorised entry and detect theft. Similarly, less intrusive options were available for recording staff attendance,
The PDPO also states that personal data must be collected by means that are lawful and fair in the circumstances.
The PCPD concluded that the fingerprint data in this case was not collected in a fair way, largely because of the absence of free and informed consent.
Interestingly, with limited exceptions, the PDPO does not expressly require employee consent for the collection of personal data — it only requires notification of prescribed information before data is collected or used.
In this case, however, due to the nature of the data and the potential consequences of data loss or mishandling, the PCPD suggested that collection could only be considered fair if employees gave free and informed consent. Consent could only be given if employees were adequately informed of the form in which data would be collected, how the technology works, the privacy risks associated with its use and other relevant information on how the data would be handled. Employees should also be given other alternatives
Why is biometric data different?
Fingerprint data is a form of biometric data that has traditionally been used as an identification tool for controlling access to highly sensitive areas, for example during criminal investigations and for immigration control.
The PCPD warns that, as fingerprint and other biometric technologies become readily available and more commonly used, data protection and privacy must not be compromised. If not handled properly, the collection of biometric data can pose serious risks to personal privacy and contribute to identity theft, security breaches or even discrimination arising from assumptions based on gender, ethnicity or medical conditions that data may reveal.
In light of these risks, the PCPD appears to be interpreting the requirements of the PDPO more strictly when considering the use of biometric data.
Before collecting biometric or other highly sensitive data, employers should conduct a privacy impact assessment to determine whether the collection of that data is necessary, and review the availability of less intrusive options.
Where an employer is satisfied that the collection of biometric data (or similarly sensitive data) is justified, they should ensure that appropriate procedural and technological safeguards are used to prevent unauthorised access to, and use of, the data.
They should also ensure that employees are informed fully of the reasons for collection and the way in which the data will be handled. Employees should also be given alternatives, so that they can give genuine and informed consent.
This article appeared in the Classified Post print edition as Is collection of biometric data legal?