Biometrics in the workplace – practical, legal and ethical considerations.

By Peter Wilkins.

The term biometrics generally relates to the application of measurable physical characteristics of the human body. Originally, biometric scanners were confined to the realm of science fiction and spy stories. Today, this technology is commonplace in security devices, as well as in common consumer devices and even children’s toys.

The Development Of Biometrics In The Workplace

Biometric techniques have long been used for security purposes. After all, such methods include matching a person to their photograph or relying on passport descriptions, such as: height; weight; colour of skin, hair and eyes; visible physical markings; and so on. However, as technology has developed, numerous electronic scanning devices have been implemented for security applications. These include:

  • Fingerprint, thumbprint and handprint scanners
  • Voice recognition recorders
  • Software that recognises keyboard keystroke dynamics, particularly in entering login details and passwords
  • Retinal scanners
  • Facial recognition systems.

More conventional forms of identification have often been subject to fraud and manipulation. For example, various card systems have proven to be extremely vulnerable, with forgeries of even the highest-integrity cards being available within a short period of the introduction of this technology. The use of biometric scanning systems has thus far proven to be one of the most effective and efficient forms of identification.

With the increase in availability of such equipment, more employers are utilising these devices within their access control systems. The implementation of biometric security equipment within the workplace, however, raises both legal and ethical concerns. For example, the use of fingerprints for identification has often been connected with the investigation of criminals by various law enforcement agencies. This use of biometric technology has therefore raised apprehension about a loss of dignity.

Questions arise as to the ability of an employer to compel staff to provide appropriate ‘samples’ to allow biometric systems to operate, and particular issues arise in relation to privacy and the security of this information.

Can An Employer Compel Staff To Provide Biometric Samples And Utilise Biometric Security Systems?

In much the same way as an employer can establish procedures in relation to staff being searched when departing from a workplace, protocols can be imposed upon staff to provide biometric samples and utilise the biometric security systems. These procedures are incorporated as conditions of employment and form part of the contractual arrangement between employer and employee. The failure of a staff member to comply with these directives could lead to disciplinary action and even dismissal.

In relation to other visitors to a workplace, the requirement to submit the personal information to allow the biometric measuring devices to operate becomes a condition of entry. Just as a crowd controller could refuse entry to an inappropriately dressed patron for failing to meet the dress-code requirements of a late-night venue, where a condition of entry requires biometric information to be supplied, security staff could similarly refuse entry to those who do not comply.

How Safe Is The Personal Biometric Information Recorded By An Employer?

Recent developments in privacy regulation afford individuals some degree of protection from abuse of personal information supplied for a particular purpose, but there are considerable gaps in this shield. Privacy legislation at Federal and State or Territory level does not comprehensively cover employers’ conduct in relation to employees’ records. Much of the legislative framework within this area focuses primarily upon the public sector. While workplace relations laws in some jurisdictions aid in resolving this fundamental flaw, the obligations of employers are not clear by any means.

The law of negligence affords employees further protection in relation to their personal information. Employers owe their employees and others a duty of care to take reasonable measures to avoid any foreseeable harm that could be caused by the employers’ acts or omissions. Therefore, if the intentional or reckless release of personal information were to cause a person harm, that individual would likely have a strong basis for civil action against the employer. In the interests of reducing liability, employers should take appropriate steps to ensure such data is stored safely and securely.

How Can An Employer Use Biometric Information?

Whether a visitor or employee, if personal information is provided to management for the purpose of meeting security requirements, it should be used for that purpose only. There is arguably a contractual agreement (which may even be detailed in writing within a contract of employment), between the person supplying the personal biometric information and the employer, that such information be used for this purpose only.

Nevertheless, in the past, numerous employers introduced surveillance cameras into the workplace with the stated intention of protecting both an employer’s physical property and staff themselves. Once an incident was captured by camera, that footage could be used as the basis for disciplinary or even criminal action against staff members who were engaged in misconduct. Where an employer is in lawful possession of biometric information that could assist a police inquiry, the police would usually be entitled to use that information to pursue their investigation.

In an attempt to establish guidelines and standards in relation to the protection and use of personal information, several industry codes have been developed. While some such codes are industry specific, the Biometric Industry Privacy Code addresses some of the key issues arising in this relatively recent area. This code was approved by the Australian Privacy Commissioner, Karen Curtis, on 19th July 2006 and came into operation on 1st September 2006.

At present, however, this code is only binding on organisations that voluntarily agree to subscribe to it. A privacy complaint made against an organisation that volunteers to be bound by the code would be investigated by the Office of the Privacy Commissioner. It is worth noting that the privacy standards within this code exceed those set by the National Privacy Principles within the Privacy Act, particularly in relation to employee records, protection of biometric information and the right to request the removal of biometric information from a system. Further requirements under this code include compulsory audits of biometric systems and an obligation to assess privacy impact. Although this code has been registered on the Federal Register of Legislative Instruments and entered into the Privacy Commissioner’s register of approved privacy codes, its effect is still greatly limited with respect to organisations in the private sector.

Conclusion

It appears that technology in the field of biometric security and identification systems has developed at a more rapid pace than the laws that protect the persons potentially affected by this growing trend. The convenience and security that this form of technology affords employers will only see far greater implementation of such systems within both the private and public sectors.

The existing legislative and common-law framework provides some degree of defence from abuse and leakage of information provided, yet there are glaring gaps in the legal obligations of employers. This topic is nonetheless an important one for the Privacy Commissioner and various local and international privacy organisations, all of whom are actively pursuing stricter governmental control of this expanding area. There is no doubt that the foreseeable future will see significant developments in the regulatory regime regarding biometric security within the workplace.

Mr. Peter Wilkins is the Principal of Wilkins Lawyers, which specialises in security and firearms licensing issues as well as general criminal matters within Victoria. As a security trainer and consultant, he also provides expert evidence in relation to security issues.

Mr. Wilkins can be contacted at peterw@wilkinslawyers.com or on 03 9602 2662.

 
