Privacy Decisions: Biometric Data
What do nursing homes and nightclubs have in common? In these 2 decisions, they both collect biometric data on their employees.
Biometric data can be anything that records “measurable characteristics” of an individual – from thumbprints to voice-prints to DNA. Organizations will collect and use this data with greater frequency as tracking technology becomes less costly and more reliable. So what do privacy laws say about this kind of information?
Two recent decisions from the Information & Privacy Commissioner of Alberta tackle biometric data collection issues head-on.
In Report of an investigation on the use of a hand recognition system, (August 7, 2008) the Commissioner investigated a nursing home in Calgary. The nursing home phased out employee swipe-cards, and introduced a hand-scanner as a way of tracking employee arrival and departure. The Commissioner decided that hand-scan data (measurements of a person’s hand to generate a unique identifier) does qualify as “personal information” under the Freedom of Information and Protection of Privacy Act (FOIPPA), and that the employer’s collection practices did not meet the requirements of that Act.
In Report of an Investigation into the Collection and Use of Personal Information, (August 27, 2008) the Commissioner looked into a complaint by an employee of an Edmonton nightclub, who was obliged to use a thumbprint sign-in system at the beginning of every shift. This time, the Commissioner made its analysis under the Personal Information Protection Act (PIPA) since the employer was a private sector organization. The employer did not collect thumb-prints but rather “unique numeric identifiers which represent distinct attributes of thumbprints” – a difference that should have been made clear to employees. This data qualified as “personal information” within the meaning of that Act, and in this case, by failing to explain its privacy policy, and thereby failing to obtain informed consent, the employer did not meet the requirements of PIPA.
The lessons for business? In both cases, the employers stumbled, but not on the type of data collected – the Commissioner accepted the employers’ argument that biometric data collection was reasonable and justified – but rather the employers both failed to adequately explain the collection process, answer questions and alleviate employee concerns. As the Commissioner stated: “Employers …have a heightened responsibility to be open and transparent about their practices as they relate to employees…”
Calgary – 10:00 MST
No comments