More and more employers are making use of electronic systems for, amongst other things, security, tracking, time recording (timesheets, payroll etc) and access control. This involves employees registering their personal biometric information, such as fingerprints, palm prints or even a face scan with their employer to be able to be paid, or to access the workplace. A single fingerprint pressed on a scanner will record identity, time, date, and location, and integrate that information instantly into a time management system that controls security, and payroll record keeping, for example.
Biometrics can include:
- Fingerprints;
- Palm prints;
- Facial recognition; and
- Voiceprints.
There is no doubt that increasingly technological solutions to workplace issues such as access, will use more streamlined and innovative solutions, and that the prevalence of these systems will increase. Biometrics are linked to huge improvements in efficiency because systems can process fingerprints and facial recognition far faster than paper-based or even pin-code systems. Paper-based systems also come with an administrative load, converting those records into payroll or other digital records for use. Behind all of this, biometrics prevent time fraud through “buddy-clocking” or having to assume worked hours through missed log-ins or log-outs.
The use of fingerprint recognition systems in NZ has been settled as valid, since 2003. (Case Note 33623) [2003] NZPrivCmr 5 (1 February 2003).
Changes such as this to the traditional way of doing things can be confusing or even uncomfortable for employees. While many employees may not think twice about this, many others guard their privacy online and are struggling to reconcile giving away their personal or private information to anyone, including the idea of giving biometric information to their employers. There have been some questions raised as to the legitimacy of this, and the extent to which it can be required.
The main concerns for employees are, of course, identity theft and recognition errors. While most people trust the accuracy of fingerprints, significantly fewer trust facial recognition or voice recognition. As it becomes mainstream (e.g., eGate passport controls at airports, voice-activated telephone banking), this may change, but the transition will not be immediate, and the transition phase may present challenges for employers who are early adopters.
Firstly, the Privacy Commissioner has discussed these matters and has determined that:
- Biometrics CAN be used in the workplace;
- Biometric data can be collected for lawful and necessary purposes; and
- Employers must communicate properly.
The overriding concerns are compliance with the principles of privacy law, so it is very important to the fairness and legitimacy of the use of biometrics, that these are complied with. In general, biometric information must be used only for lawful and necessary purposes; the user must be notified; it must not be unnecessarily intrusive; it must be securely stored; people have a right to access their information and correct it if there are errors; it must be kept up to date; it must be kept for no longer than necessary; and there must be sound reasons for any disclosure of the information.
Significant factors in the lawfulness of the introduction and use of the technology are very important, and privacy and employment law overlap in the need for proactive and good faith communication with employees.
The decision of Fenson v KME Services NZ Pty Ltd (December 2019) in the Employment Relations Authority discusses some aspects of this issue. Fenson, the employee, refused to permit face scanning. He logged in by paper instead; and went about his job. As a result, his employer warned him and then dismissed him. The system had been newly implemented, and the rationale was administrative efficiency and employee tracking. Fenson himself indicated in discussions with his employer that he agreed with the need, but felt there were “less invasive” options, such as swipe cards, and that the introduction of the new system had not had sufficient consultation. He was warned that failure to follow the new processes would lead to warnings, and then termination.
The case did not address the validity of biometrics recognition itself (a fait accompli), but it addressed the flaws in the company process during implementation, and this is key. Biometrics CAN be used but a dispute against it will likely be upheld if the employer shortcuts proper processes around its implementation.
As a guideline, the minimum requirements are:
- Consultation and information sharing begin at the proposal stage, not at the implementation phase.
- Information shared must adequately and honestly address all privacy principles.
- Employee queries should be answered honestly especially where a system weakness is identified or queried. They cannot be glossed over, or superficially replied to. The answers also cannot be misleading either in what information they include or exclude.
- The reason must not be inconsistent (KME, for example, was using the system partly to monitor employees’ whereabouts in case of evacuations or emergencies but did not care if employees did not log in or out for short breaks during the day…).
- Privacy principles must be addressed and shown to be complied with.
If this article has raised any questions or concerns or you’d like to learn more about how we can help your business, please reach out to our workplace relations experts via our 24/7 HR Advice Line.