As a result of recent security breaches, large scale hacking and other cyber security threats in the workplace, there is increasing pressure on businesses to implement more secure systems which can help prevent these types of threats. In addition to increased surveillance and other security technology, there has also been an uptake in the number of businesses which are introducing biometric authentication methods and facial recognition technologies into the workplace to increase their security, ease of access and precise data collection.
In particular, many businesses are looking to biometric technology to improve their sign on systems and to add additional security measures to ensure the businesses’ confidential data and business intelligence is kept secure. However, because the collection of biometric data is an extremely sensitive topic, employers must follow the correct processes and ensure they are compliant with relevant legislation, before they implement biometric technology systems into the workplace.
This article will focus on biometrics in the workplace and will provide employers with an overview of the risks and rewards of implementing biometric technology into the workplace.
What Is Biometric Technology and How Is It Used in the Workplace?
To bring it back to basics, biometric technology is the collection and use of biological measurements, or physical characteristics, to identify individuals and verify their identity. Biometric technology includes the collection of biometric data including, but not limited to, facial recognition, iris scanning, hand scanning and fingerprint scanning.
Since biometric technology uses biological measurements and physical characteristics to identify individuals, the use of biometric technology is one of the most accurate and reliable forms of identification, which has made it very attractive to employers. The need for accurate forms of identification has become extremely relevant and necessary because of changes in the modern workplace, including, but not limited to:
- the increase in the use of multiple company devices, such as mobile phones, tablets and laptops;
- the move to cloud-based storage; and
- the shift to working from home and remote working models.
As a result of these changes, employees are often working in different locations, on multiple devices, and using different WIFI networks which inevitably increases the possibility of data breaches, leaks or hacks occurring.
In addition, the use of biometric data to record time and attendance provides employers with a far more accurate and instant method of ensuring that attendance records are correct. This is a significant benefit in helping businesses ensure they are compliant with the fairly onerous record keeping requirements in the Fair Work Act 2009 (Cth). It also significantly simplifies the ability of employers to ensure employees are being paid the correct wages, as there is far less room for confusion and debate as to when the employee worked.
However, the use of biometric data for the purposes of time and attendance and security does have an Orwellian feel and many employees feel as if they are just a cog in a machine.
Risks and Rewards of Using Biometric Technology
As a result, biometric technology introduces a solution to the risks of data breaches and leaks and has created more barriers to prevent hackers, or other non-authorised individuals, from accessing confidential information. Further, the use of biometric technology is also used to protect breaches which occur as a result of user error. As a result of businesses tightening their security, many organisations have required their employees to change their passwords on a regular basis and create long, and complex passwords which are hard to remember. However, this has resulted in individuals either repeating their passwords or use similar passwords for different organisations, which increases the risk of hacks and leaks occurring. As such, biometric technology presents a very secure and easy way for employees to log into company systems.
However, much like other forms of security and surveillance used in the workplace, the collection and use of biometric data raises important and relevant issues in relation to employees’ right to privacy in the workplace. The collection of biometric data by employers also raises concerns about how employees’ biometric data will be stored and whether it will be kept safely. As such, many employees are understandably concerned about the safekeeping of any of their biometric data which is collected by the business, because unlike passwords and a person’s contact information, biometrics are permanent and cannot be changed which makes the consequences of leaked or stolen biometric data much higher and longer lasting.
Legal Considerations
Since the collection and use of biometric data is an extremely sensitive topic, Australia’s legal system has put measures in place to address these concerns. Australia’s federal privacy legislation, the Privacy Act 1988 (Cth) (“Privacy Act”), protects the privacy of individuals and regulates how government agencies and large organisation handle personal information and sensitive information, which includes biometric data.
In particular, the Privacy Act sets out the Australian Privacy Principles (“APP”) which are legally binding principles which govern the use of personal information. The APP apply to personal information held by Australian government agencies and most Australian companies. The APP govern standards, rights, and obligations in relation to:
- the collection, use and disclosure of personal information;
- an organisation or agency’s governance and accountability;
- integrity and correction of personal information; and
- the rights of individuals to access their personal information.
As such, the APP requires businesses to follow certain protocols and to put measures in place which regulate how most employers collect, use and disclose employees’ personal information. In particular, the APP requires employers to notify the employees of the collection of their personal information. If biometric data is collected, under the APP employers also have a requirement to manage personal information in an open and transparent way and requires businesses to implement a clear and up to date privacy policy. Further, the APP requires businesses to take reasonable steps to protect personal information it holds from misuse, interference, loss, unauthorised access, or disclosure. These are only a few examples. For more information about the APP, please visit the Office of the Australian Information Commissioner’s website ‘Australian Privacy Principles | OAIC’.
If employers are thinking about using biometric data in the workplace, we encourage businesses to seek professional legal advice to ensure that they are compliant with all relevant legislation and that they have taken the correct steps, including implementing the correct processes and policies, prior to implementing biometric technology in the workplace.
Finally, we note that the change in culture that increased surveillance and the use of biometric data may engender should be carefully considered. We recommend that if employers wish to introduce the use of biometric data they do so in concert with a very clear and considered communication program.
For more information about the Privacy Act and the APP, please refer to our article titled ‘Biometric Data and Privacy in the Workplace’.
Key Takeaways
As such, employers should ensure that they are taking the correct steps before collecting, storing and using their employees’ biometric data. In particular, we suggest that employers take the following steps:
- Consult with employees;
- Create a properly considered communication strategy;
- Review applicable legislation;
- Understand the risks;
- Put measures in place to collect and safely store the biometric data including, but not limited to:
- implementing the correct measures;
- making sure systems are secure; and
- ensuring staff responsible for the biometric data is properly trained.
- Update company policies to reflect the data that is being collected and how it is being collected; and
- Seek professional legal advice.
If you require any assistance or information in relation to this alert, please do not hesitate to contact us.
This alert is not intended to constitute, and should not be treated as, legal advice.