It’s therefore unsurprising that employers are increasingly turning to biometric authentication, or the use of an employee’s physical characteristics to help identify people in the workplace.
Biometric data offers unique and attractive characteristics for employers as it is difficult and expensive to hack. So for those seeking to improve security and strengthen their attendance monitoring, technologies such as fingerprint and facial recognition are seen as something of a silver bullet.
But the use of biometrics in the workplace raises a number of thorny issues for both employers and workers alike.
Currently, workplace surveillance and privacy are governed by a patchwork of laws with some gaping holes. Protections and rights vary from state to state with overarching federal privacy principles that can be vague when it comes to employment.
In a recent case before the Fair Work Commission, the right of an employee to refuse to provide his biometric data through the scanning of fingerprints was tested.
In its initial decision, the commission found in favour of the employer, upholding the employee’s dismissal for refusing to provide their biometric data to be used in company-wide safety and security upgrades. Surprisingly, at first instance, this action was not found to be harsh, unjust or unreasonable and was therefore lawful under the act.
A right to appeal was upheld in the matter, and as we saw in the commission, these technologies raise a number of legal issues around violation of privacy and concerns about information security. These fears are rooted in privacy concerns as well as justifiable concerns around ‘function creep’ – or data recorded for one purpose in the workplace being used for another, such as law enforcement or targeted advertising.
A recent report into the use of biometric technology conducted by the UK House of Commons found that for employees, being asked to provide fingerprint or facial data by an employer feels more intrusive than giving the same information to a bank or multinational company like Apple. I suspect that this boils down to the fact that employees feel they are left with little choice in the matter if they wish to keep their jobs.
Biometrics, which has its origins in the theory of fingerprinting that emerged in the late 1880s, has only been adopted in the workplace in the past couple of decades due to significant advances in computer technology. The US was an early adopter of the technology and has had a number of high-profile cases, primarily in relation to the failure to obtain employee consent or provide information on how the data collected would be stored or used.
My Health Record highlighted a number of the public concerns about privacy and data security in Australia. It seems we don’t even trust our own government to keep this information secure. Even when there was an obvious benefit to participation, many members of the public have chosen not to provide their private information.
Clearly when dealing with an employer-employee relationship, the situation is highly problematic because of the power imbalance that exists. Free consent is only given where there are no consequences that flow from acceptance or rejection of an offer.
So what’s the solution?
There is currently no legal framework to deal with this issue that addresses the need for privacy and the rights of employees.
One solution may be to follow the European model, or what’s happening in the US.
Under EU law, the General Data Protection Regulation, or GDPR, provides that if an employer collects your fingerprint, they are legally obligated to secure the data and destroy it upon request when it is no longer required. This law went into effect in May 2018, and violations can result in huge fines to the violating company or organisation, up to the greater of 20 million euro or 4 per cent of their annual global operating revenue.
Section 1051 of the California Labour Code prohibits Californian employers from obtaining fingerprints or photographs of employees and sharing this information with a third party. This means that vendors providing fingerprint scanners or other technology must be prevented from accessing the biometric information. It’s worth noting that in the Superior Woods matter the biometric data was stored on servers located off-site in space leased by a third party.
In a law passed in Illinois in 2008, there is a requirement that anyone collecting biometric information must comply with strict notification and consent requirements, including written permission. There is also the requirement that biometric data is destroyed when the purpose of collection ends and the data is securely stored.
Clearly there needs to be better consistency in Australia on collection of data and workplace surveillance. But in gaining that consistency, the human rights of employees to privacy shouldn’t be obliterated by going for the lowest common denominator of privacy protection. Whether that will happen remains to be seen.
Giri Sivaraman is a principal at Maurice Blackburn Lawyers.