Under the GDPR, biometric data such as fingerprints falls within the new category of ‘special category data’, which is what we used to call ‘sensitive personal data’ in old money.

If you use a system to record that data, for example when employees clock in and out, to ensure they do not clock in or out on behalf of other people, you’re going to be subject to the more stringent requirements that apply to processing such special category data. Typically, explicit consent is the mechanism that we’ve historically used to create the right pathway through the legislation and enable us to use sensitive personal data, but the Information Commissioner’s Code of Practice on consent suggests that consent is now not viewed as genuine in the employee/employer relationship. This leaves the employer having to find an alternative route through. This could be that the processing is necessary for the purposes of carrying out legal obligations, such as compliance with the Working Time Regulations 1998.

However, it is not as straightforward as simply saying ‘that’s our pathway through’. You need to establish what your basis is for processing the biometric data, then you have to ask yourself whether the processing is necessary for the purposes of monitoring compliance with the Working Time Regulations. To put it another way, could compliance with the Working Time Regulations take place effectively in an alternative way, such as the use of fobs or microchipped ID cards? Clearly the answer to that will be yes.

You might argue that fingerprint scanning is the only way to ensure that a particular individual is clocking in as themselves rather than somebody else doing it, which was always the problem with more old-fashioned systems. Using a fingerprint is intrusive, or potentially intrusive, so you’re going to be required to carry out a data impact assessment, which the ICO has just published more information on. Effectively, you have to ask whether the benefits justify the adverse impact that the monitoring will have. For example, if you had evidence that a previous system had been abused, that would obviously be useful evidence in your favour. You would need to show that you had weighed the risks to the employees against the clear business benefits of doing the fingerprint testing.

If you’re going to rely on this pathway through, you’re going to need to keep a processing record setting out which condition you are relying on and how you have safeguarded the data, including an appropriate policy document that you have issued to staff explaining this to them, as part of the general requirements to be transparent and accountable.

