[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback]
	Irish Data Protection Commission Case Studies
You are here: BAILII >> Databases >> Irish Data Protection Commission Case Studies >> Biometrics in the workplace - need for staff consent [2007] IEDPC 12 URL: http://www.bailii.org/ie/cases/IEDPC/2007/12.html Cite as: [2007] IEDPC 12

[New search] [Contents list] [Printable RTF version] [Help]

Biometrics in the workplace - need for staff consent [2007] IEDPC 12 (31 December 2007)


I received a number of complaints from staff employed at a logistics company in relation to the proposed introduction of a biometric system at that company for the purpose of time and attendance. These staff considered that their data protection rights would be infringed by being required to provide their employer with a fingerprint. The use of a biometric system impacts on several data protection principles including proportionality, fair obtaining, accuracy and security of personal data.

My Office commenced its investigation by contacting the company and referring it to the extensive guidelines on our website in relation to biometrics in the workplace. During our investigation, a meeting was held with a representative of the company to discuss the matter. In a privacy impact assessment, the company outlined its reasons for the introduction of the biometric system as health and safety, security, administration and cost effectiveness. It also provided details of the type of biometric system it intended to use - a touch verification system. The system requires a fingertip to be inserted into a reader which converts the fingertip into an encrypted algorithm and then the employee enters their unique pin number onto a pad. The system then stores a numeric sequence on a central database. It was claimed that the numeric sequence cannot be reversed or used for any other purpose except for verification and it is also encrypted.

The company also stated that it had looked into other forms of recording time and attendance and found that the biometric system would be the most efficient and cost effective. It also said that other systems could possibly be open to abuse. It stated that it had, in the past, experienced problems regarding abuse in relation to recording attendance. It also assured my Office that all employees, except for the staff who complained to my Office, had consented to the use of the touch verification system. The company said that it had held information sessions in each of its company branches and that written documentation and training had been given to all employees. Any employees who had objections to the system or wanted more information were also invited to address these with management. It also confirmed that the staff who complained to my Office had not been required to start using the system.

The approach of my Office is to try to understand the circumstances that lead a particular data controller to introduce a biometric system using the personal data of its employees, bearing in mind that the scan of a fingerprint is personal data even if converted into an algorithm. My Office reviewed the privacy impact assessment submitted in this case and the company's responses to our queries. Taking into account the company's cooperation in the matter, it was agreed that the staff concerned should use a pin code system rather than the biometric system for recording time and attendance. This would not give rise to any issues under the Data Protection Acts. Furthermore, these staff would not be required to use the biometric system in the future, without the company first taking the matter up with my Office. On that basis, I was happy to conclude the matter given that the issues raised by the individuals who made the complaints to my Office had been addressed. I was satisfied that the company had not breached the data protection rights of those staff as it had not required them to use the biometric system against their wishes.