Are fingerprint and face-scanning time clocks legal?
Authored by Mar 19, 2019-
See also Privacy.org.nz: Can we use fingerprint scanning of employees?
In the 1960's, the FBI introduced the first automated biometric devices, designed to check fingerprints to maintain criminal records.
It should come as no surprise that since first introduced, the use of biometric devices has reached into many aspects of society. In 2020, over 1 Billion¹ ² mobile phone devices shipped around the world with fingerprint sensors. Of the roughly 30%¹ that didn't include a fingerprint sensor, 100% included facial recognition potential.
Should we be surprised then that even today, many employees are wary of 'big brother', sometimes their bosses, other times non-associated organisations, requiring the daily submission of fingerprints or other biometric data through increasingly cheap appliances?
Let me ask you this: When was the last time you requested your employees to enter their credit card number, to clock into work? Do you think they'd be comfortable with that?
Any such personal information supplied by an employee would naturally begin a thought-process of questions, such as:
- Why does my employer want such details?
- What will my employer do with this information?
- Can I trust the security in place to protect my data against hackers, other employees within the organisation, or the supplier of the system themselves?
- Would using some other identification factor hinder my ability to clock in to work, as an honest employee?
- Is my integrity being questioned, or monitored, by my employer?
And we haven't even begun to scratch the surface. Many businesses, particularly smaller organisations, are unaware that there are significant compliance requirements associated with implementing biometric time and attendance systems
But, are biometric time clocks illegal?
The short answer is: seek clarity from your lawyer and local payroll legislator, as well as local employment authority.
In some places, in part or in full, biometric technology has been made illegal. For example, San Francisco city has banned the use of facial recognition technology within their public service organisations. In Illinois, October 2003, the Biometric Information Privacy Act (BIPA) was passed, guarding against the unlawful collection and storing of biometric information. Since then a wave of lawsuits have ensued, and Washington and Texas have since passed similar laws³.
Elsewhere, in New Zealand, the Privacy Commissioner states that:
"If you want to collect any kind of biometric information (for instance, fingerprints or facial scans), you need to make sure that you have a lawful purpose for collecting this information and that the collection is necessary for that purpose."⁴
The New Zealand Privacy Commissioner also says:
"You should also keep in mind that, once you collect biometric information, a range of other obligations under the Privacy Act will apply (including obligations about security, accuracy, retention, use and disclosure, and in terms of providing individuals with their rights to access and request correction of the information)."
"Security of biometric information is particularly important, given that, if there is some kind of data breach and the information is lost or stolen, there is very little the individual can do to change things (unlike, say, where someone’s credit card information is hacked and they can just change accounts). For a real life example of this problem, check out our blog on the 2015 OPM data breach
In summary, the best thing you can do before implementing a biometric time clock system would ask yourself the question: "does our company need this to function, at an adequate level". If the answer is yes for example if buddy-punching is known to be rife within your industry, then we recommend consulting with a legal entity proficient in Human Resources, and also engaging with an I.T. security company to test and approve the systems you intend to purchase.
Whilst we have considered the option in the past to develop a biometric option, we have thus far decided that A) Fingerprint readers and facial recognition is often unreliable, B) the simplicity of a swipe-card system means we can keep compliance costs low [for the customer] and systems interchangeable i.e. employees can scan cards with mobile phones and mounted units, regardless of which model of phone they have or the environmental conditions they're working in.
Contact us if you'd like to find out more about our time clock system for online timesheets and job hours, with both mobile and mounted options interchangeable.
Statista - Penetration of smartphones with fingerprint sensors worldwide from 2014 to 2018
Statista - Number of smartphones sold to end users worldwide from 2007 to 2020
Wikipedia - Biometric Information Privacy Act
Privacy Commissioner, New Zealand - Can we collect biometric information?