How can organizations processing biometric data for workplace security or fraud prevention ensure that they comply with the General Data Protection Regulation (GDPR)? This article explores consent and legitimate interest as lawful bases for workplace processing of biometric data and presents some considerations for ensuring privacy by design.

One of the most common corporate use cases of biometric technology is access control, whether for physical security or for securing access to IT infrastructure. Some argue that, from a privacy perspective, the use of biometrics in the workplace is excessive. However, with identity and access management (IAM) spending increasing and biometrics forming a significant part of it, we will likely see more of these technologies deployed as countermeasures wherever risk calls for stronger access controls.

I recently came across a scenario that raised privacy questions about the use of biometrics in an employment context. The organization employs biometric access controls as part of an integrated physical security system. In addition to restricting unauthorized entry to its facilities, the system provides a time-keeping function which, when integrated with labor management systems, supplies data for monthly payroll calculations. (Because the same enrolment serves two purposes, access control and payroll, each purpose needs to be identified and justified on its own.) The main concern was which lawful basis under the GDPR the organization could rely on for processing employee biometric data. Was employee consent an option, or was there a case for processing as necessary for the purposes of a legitimate interest?

What does the GDPR say about biometric data processing?

Biometric data is one of the "special categories of personal data" under the GDPR. Article 4(14) defines it as personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that person, such as facial images or dactyloscopic (fingerprint) data.
Article 9(1) goes further: "processing of ... biometric data for the purpose of uniquely identifying a natural person ... shall be prohibited." For the purpose of this discussion, two of the Article 9(2) exceptions are relevant. Processing is permitted:

- with the explicit consent of the data subject (Article 9(2)(a)); and
- where it is necessary for carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards (Article 9(2)(b)).

The problem with consent in an employer/employee context

Consent as a lawful basis for employer processing of biometric data is a contentious issue. Whether captured actively (for example, where the data subject is instructed to present a physical attribute) or passively (for example, behavioral characteristics captured in the normal course of the data subject's activity), if the data can be used to uniquely identify a natural person, the GDPR restrictions on processing biometric data apply.

The main contention is whether, in an employment context, an employee can freely exercise their "fundamental rights and freedoms", for example their right to object to the processing of their biometric data.

In the scenario described earlier, there is a tenuous argument that employees gave "consent" when they signed agreements requiring them to abide by company policies, including observing security policies and recording their work hours. Stretching that argument to its limits, one could also posit that by actively providing a thumbprint or a retina scan, the employee affirms consent to the processing of their data.

However, given the imbalance of power in an employer/employee relationship (Recital 43 states that consent should not provide a valid legal ground where there is a clear imbalance between the data subject and the controller), consent is not considered a reliable lawful basis for this processing, and those arguments do not stand up to scrutiny. For consent to serve as the Article 9(2)(a) condition, it would have to be explicitly obtained.
The data controller would also need to let data subjects exercise their rights, including the right to withdraw consent at any time without detriment (Article 7(3)). To guarantee those rights in practice, the organization would have to provide employees who object to biometric processing with an alternative system that is just as convenient as the original and whose use carries no penalty. For most organizations this is a prohibitive option.

What about the rights of the data controller?

Consent is not the only lawful basis for processing personal data. According to the UK Information Commissioner's Office: "In order to lawfully process special category data, [the data controller] must identify both a lawful basis under [GDPR] Article 6 and a separate condition for processing special category data under Article 9."

The organization in the scenario has chosen to rely on legitimate interest (protection of property and fraud prevention) as its lawful basis for processing biometric data. It argues that this position is supported by Recital 52, which states that "Derogating from the prohibition on processing special categories of personal data should also be allowed ... where it is in the public interest to do so, in particular processing personal data in the field of employment law ...". Article 88, which lets Member States lay down more specific rules for processing employees' personal data in the employment context, appears to further buttress this position.

Legitimate interest on its own, however, only satisfies Article 6(1)(f). A separate Article 9(2) condition is still required, and the relevant one here, Article 9(2)(b), applies only "in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards". Member State laws (in the case of the UK, the Data Protection Bill) may eventually clarify which obligations and rights are authorised with regard to biometric data processing in the workplace.
Until then, in order to arrive at an informed position on the use of legitimate interest in this situation, it is imperative to consider employment law as well as data protection law. In future, Member State laws may also introduce specific processing requirements that allow data controllers to adapt the rules of the GDPR to particular situations.

Organizations relying on legitimate interest for processing biometric data may also want to engage works councils (or their equivalent) to clarify the processing activity, seek the views of the data subjects and obtain a collective agreement to proceed.

Ensuring privacy by design in workplace biometric systems

Organizations planning to deploy biometrics in the workplace for any use case should always seek to protect employees' fundamental right to privacy. During systems planning and design, the case for using biometric data for access control should be weighed against the risk, and against other options that could achieve similar business objectives.

Other useful considerations for ensuring privacy by design include:

- Conducting a data protection impact assessment to identify the risks arising from the nature, scope, context and purposes of the processing (see Recital 90; Article 35 makes one mandatory where special category data is processed on a large scale).
- Conducting a legitimate interest assessment.
- Developing privacy statements which clearly describe the nature and purpose of processing, collection, ongoing use, retention, security, transfer and disposal of biometric data.
- Applying privacy-by-design and privacy-by-default principles, including keeping biometric data on employee-owned devices or on-premise infrastructure, or storing only protected templates rather than raw samples. A plain cryptographic hash of a raw sample is not usable for matching: two captures of the same finger or face are never bit-identical, so their hashes never agree. "Storing only hashes" in practice means a template-protection scheme (for example a fuzzy extractor or cancelable template) built to tolerate that variation.
- Assessing the risk of using biometric identity as a service (BIDaaS) providers.
- Applying privacy-enhancing techniques including pseudonymisation and encryption, and keeping the identity directory separate from the template store so that a compromised template store does not by itself reveal whose templates it holds. Data that still uniquely identifies a person is pseudonymised at best, not anonymised.
- Defining retention policies which clearly state how long data will be stored, and deleting templates when an employee leaves or the retention period expires.
- Implementing appropriate safeguards to ensure the confidentiality, integrity and availability of biometric data and systems.

Summary

Further clarification regarding the processing of biometric data by employers is expected from EU regulators. For example, the UK Data Protection Bill suggests that additional conditions and safeguards for the processing of special categories of data may be introduced.

For additional guidance, see also:

- Article 29 Working Party Opinion 2/2017 on data processing at work, in relation to the GDPR.
- Biometrics in the workplace, by the Irish Data Protection Commissioner.
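To make the pseudonymisation, store-separation and retention points in the privacy-by-design list concrete, here is an added Python example. It is not code from the original article or from any biometric vendor. It assumes a hypothetical 32-byte feature vector standing in for a vendor template, an HMAC key (`hr_key`) that HR keeps apart from the template store, a retention period expressed in days, and epoch seconds for timestamps; the sample template and the "second capture" are constructed inline. It also shows, deliberately, why hashing a raw sample breaks the moment a re-capture differs by a single bit.

```python
import hashlib
import hmac
import time

# Assumption: a biometric "template" is a 32-byte feature vector produced by a vendor
# SDK. Real templates are larger and vendor-specific; the length does not matter here.
TEMPLATE_LEN = 32


def pseudonymise(employee_id: str, hr_key: bytes) -> str:
    """Derive a stable pseudonym for an employee with a keyed hash.

    The key stays with HR (the identity directory); the template store only ever sees
    the pseudonym, so a dump of that store cannot be linked to names without the key.
    A keyed HMAC, rather than a bare SHA-256, prevents reversing the pseudonym by
    hashing the small, guessable space of employee IDs.
    """
    return hmac.new(hr_key, employee_id.encode("utf-8"), hashlib.sha256).hexdigest()


def template_digest(sample: bytes) -> str:
    """Naive 'store only hashes': SHA-256 over the raw sample bytes."""
    if len(sample) != TEMPLATE_LEN:
        raise ValueError("unexpected template length")
    return hashlib.sha256(sample).hexdigest()


def enrol(store: dict, employee_id: str, sample: bytes, hr_key: bytes, now: float) -> str:
    """Record an employee's template digest under their pseudonym; returns the pseudonym."""
    pseudonym = pseudonymise(employee_id, hr_key)
    store[pseudonym] = {"digest": template_digest(sample), "enrolled_at": now}
    return pseudonym


def verify(store: dict, employee_id: str, sample: bytes, hr_key: bytes) -> bool:
    """Exact-match verification: True only if the digest of this capture equals the stored one."""
    record = store.get(pseudonymise(employee_id, hr_key))
    if record is None:
        return False
    return hmac.compare_digest(record["digest"], template_digest(sample))


def purge_expired(store: dict, now: float, retention_days: int) -> int:
    """Delete records enrolled before the retention cutoff; returns how many were removed."""
    cutoff = now - retention_days * 86400
    expired = [p for p, rec in store.items() if rec["enrolled_at"] < cutoff]
    for p in expired:
        del store[p]
    return len(expired)


def flip_bit(sample: bytes, bit_index: int) -> bytes:
    """Constructed 'second capture': the same sample with one bit changed."""
    out = bytearray(sample)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


if __name__ == "__main__":
    # Constructed key; in practice generate it with secrets.token_bytes(32) and keep it with HR.
    hr_key = b"\x01" * 32
    store = {}
    sample = bytes(range(TEMPLATE_LEN))  # constructed template
    now = time.time()

    enrol(store, "E-1042", sample, hr_key, now)
    print("same capture matches:", verify(store, "E-1042", sample, hr_key))
    print("1-bit different capture matches:", verify(store, "E-1042", flip_bit(sample, 5), hr_key))
    print("removed after retention:", purge_expired(store, now + 366 * 86400, 365))
```

The `verify` failure on a one-bit change is the caveat from the list in code: an exact hash is fine for a PIN but useless for a fingerprint or face, whose captures are never bit-identical, which is why production systems match against an encrypted template (ideally on the device) or use a template-protection scheme instead. Keeping `hr_key` away from the template store is what makes the pseudonym a real pseudonymisation in the Article 4(5) sense: the additional information needed to re-identify is held separately.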