As we become more accustomed to using our faces or fingerprints to unlock devices in our everyday life, it’s not surprising that employers in Hong Kong are considering using biometric systems in the workplace. However, employers need to address the significant challenges involved with using biometric data.

Employers are beginning to see the potential benefits of using biometric systems, such as facial recognition and fingerprint access systems, in the workplace. These include enhancing security (such as reducing access to a restricted area), ensuring efficiency (such as eliminating the need for passwords, keys, cards) and monitoring employee wellbeing and performance (such as tracking activity, productivity or stress levels).

However, given the nature of biometric data and the sensitivities around its use and, importantly, its potential misuse, there are significant challenges to overcome when using biometric systems in the workplace.

Here are five top tips to help Hong Kong employers navigate this complex landscape:

  1. Comply with the data protection requirements 

The use and collection of biometric data is regulated by the Personal Data (Privacy) Ordinance if such data directly or indirectly relates to a living individual from which it is practicable for the identity of the individual to be directly or indirectly ascertained. Employers should familiarise themselves and comply with the Ordinance and the guidance notes issued by the Privacy Commissioner from time to time. 

The Ordinance is principle-based. According to data protection principle (1), the collection of biometric data must be for a lawful purpose related directly to its function and activity. The collection of biometric data must not be excessive for achieving such purpose. Data protection principle (3) prevents employers from using biometric data for a new purpose without the express and voluntary consent of the employee. For instance, DNA samples taken for an annual health check-up as part of an employer’s medical benefits should not then be used to assess employees’ long-term employability without their consent. 

A Hong Kong school hit the headlines a few years ago when it installed a facial recognition camera at the school entrance for recording staff attendance and for security purposes. The biometric data was collected without the staff’s knowledge. The Privacy Commissioner found the collection of biometric data to be excessive for the intended purposes. The school already had a CCTV system and a security guard at the entrance of the school for security purposes. Teachers were already using access cards to record their attendance. If the school wanted to enhance security and monitor attendance, it should have considered less intrusive alternatives to biometric data collection. This case highlights the importance of exploring less privacy-intrusive alternatives before resorting to collecting and using biometric data.

  2. Conduct a Privacy Impact Assessment (PIA)

Employers are recommended to conduct a thorough Privacy Impact Assessment before collecting and using biometric data. A PIA is a systematic process that evaluates a proposal in terms of its impact on personal data privacy.

A PIA should:

  1. Evaluate the necessity and proportionality of using biometric data; 
  2. Consider less privacy-intrusive alternatives; and
  3. Consider whose biometric data should and could be collected.  

Regular reviews of the PIA can help ensure ongoing compliance and address any emerging issues.

  3. Manage biometric data

The precision and accuracy of biometric technologies vary greatly, and they may not always be reliable. For example, some are probabilistic and only able to identify a “likely” match in the database. Data inaccuracies may lead to serious consequences. For example, if biometric data is collected for the purposes of recording attendance, any data inaccuracies might cause the employer to mistakenly believe that an employee was absent from work, potentially leading to disciplinary action or even the termination of the employee’s employment.

Employers should therefore take all reasonable steps to ensure that the biometric data held by them is accurate and allow human intervention in the automatic decision-making processes. Employers should also regularly review the data held by them and delete any data that is no longer needed. Retaining data that is no longer required increases security risks and is in contravention of data protection principle (2), which requires data users to take all practicable steps to ensure that personal data is accurate and is not kept longer than is necessary for the fulfilment of the purpose for which the data is used.

  4. Build trust and be transparent

The special relationship between employers and employees, marked by a clear imbalance of bargaining power, gives rise to a rebuttable suggestion that undue influence might be exerted upon employees when an employer uses their biometric data. Employers are encouraged to devise clear privacy policies and procedures, explaining why, how, what, where and when the company uses biometric data. The privacy policies and procedures should be communicated and made easily accessible to all employees. 

Providing detailed information about biometric data usage empowers employees to make informed decisions. Employees can understand the benefits and potential risks, which helps them feel more in control of their personal information. When employees know that their data is being handled responsibly and securely, it helps address the concerns and fears they might have.

A company in Hong Kong used a fingerprint reader system to collect fingerprint data of employees for the purposes of monitoring their time-and-attendance and ensuring office security. The company however failed to provide the employees with the option of choosing whether they wanted to give their fingerprint data or not. The employer did not explain to the employees the purposes of collection and the availability of alternatives such as access cards. This prevented employees from making an informed decision on whether they should supply their biometric data to the company and had an adverse impact on their data privacy. 

  5. Implement strong security measures

Unlike passwords or PINs, which can be changed or replaced, biometric data, once compromised, remains compromised. Employers should take all reasonably practicable steps to ensure that the biometric data is protected against unauthorised or accidental access, processing, erasure, loss or use. This may include encryption, access controls, and regular security audits. Access to biometric data should be on a need-to-know basis only. Authorised personnel should receive training on the use and collection of biometric data. With a notable increase in cyberattacks, employers should also regularly review and update their security measures to address new technological threats.

By following these tips, employers in Hong Kong can effectively use biometric data while respecting employee privacy and complying with the Ordinance. This approach not only enhances workplace security and efficiency but also builds trust and transparency with employees.

Should you have any questions about using biometrics in the workplace or would like to keep up-to-date with developments in this area, please get in touch with our team.
