Biometric information is generally a series of numbers created by a software program based on sources from your body such as fingerprints, voiceprints, iris scans, hand geometry or DNA. Biometric data can also be created from personal habits such as keystroke tapping rhythms, mouse clicks and motor skills. Biometric information is used to identify people. It is considered a highly secure method of identifying people because the data is specific to one individual.

There are very few privacy law cases so far that involve biometric information in the workplace, so we do not have a lot of cases to give us a specific set of rules. But the following general requirements of privacy law for the collection, use and disclosure of personal information do give us the basic standards:

  1. For organizations in the private sector, the collection of employees’ biometric information must be “reasonable and appropriate in the circumstances”. For government bodies in BC the collection of such information must be expressly authorized under a BC law, collected for law enforcement purposes or must relate directly to and be necessary for an operating program or activity of the public body. For federal government institutions the collection must be directly related to an operating program or activity of the institution;
  2. Only the personal information necessary for the purpose should be collected, not more;
  3. Once collected, the employer is required to protect the personal information and keep it secure from access, use or disclosure that is unauthorized; and
  4. Individuals have a right to request access to their personal information and to request correction of their personal information.

In every case, the collection, use and disclosure of biometric information by a non-governmental employer must be reasonable and appropriate in the circumstances. In determining what is reasonable and appropriate in the circumstances, the following factors must be considered. (1)

  1. The degree of sensitivity of the biometric information;
  2. How well the employer will protect the information;
  3. Whether the business objectives of the employer are legitimate and bona fide, and whether the biometric information is effective in meeting those objectives;
  4. Whether there are alternative methods of achieving the same level of security at comparable cost and with comparable operational benefits; and
  5. The proportionality of the loss of privacy to the employees should be weighed against the employer’s costs and operational benefits, bearing in mind how well the employer protects the information.

Sometimes commissioners and arbitrators have considered how much sensitive information is revealed about the person through the biometric. For example, when an employer decided to use a voiceprint to authenticate employees logging on to a phone system as part of their work, the Privacy Commissioner of Canada said that the use of a voiceprint was legal because the voiceprint could not be used for any other purpose, could not be used to spy on employees and did not reveal much information about the employee. (2)

An arbitrator reached a similar conclusion in a case about fingerprint biometrics. The arbitrator found that the fingerprint scan was not privacy invasive because it took less than a minute and did not involve any part of the body that is considered private. It took only half a fingerprint and immediately converted it into a series of numbers which was virtually useless for other purposes, and it provided no personal information about the employee. (3)

It is early days for legal decisions about the use of biometrics in the workplace. We can expect the law to evolve in this area.

Does Your Employer Have to Get Your Consent?

Under PIPA and FOIPPA, and in a unionized context, your consent is probably unnecessary if:

  1. the biometric information is reasonably required by the employer for legitimate business purposes; and
  2. the employer is careful to ensure that the infringement on your privacy is minimal in relation to the employer’s legitimate business need.

Under PIPEDA, an employer may need to get your consent to collect your personal information for biometrics purposes. When asking for your consent the employer has a duty to tell you what the consequences would be of not consenting.

Does This Mean That the Employer Can Impose Discipline If You Refuse to Consent?

We don’t know for sure whether an employer is allowed to make progressive discipline a consequence of refusing to consent. It seems that the threat of discipline or of dismissal for refusing to consent might make the consent given by the employee invalid. But one of the general privacy rules is that employers are required to tell employees about the consequences of refusing or withdrawing consent to the collection of personal information. The difference between a threat of discipline or dismissal and informing the employee that a consequence might be discipline or dismissal has not yet been clearly defined by a court or a privacy commissioner. (4)

So, we can say that depending on the circumstances (including whether the employer is required by law or a contract to use surveillance or biometric data for security purposes) consent given to an employer may be valid and acceptable even if the consequences of refusal include dismissal.

Until the issue is determined in a court (or new legislation is enacted), keep in mind that so long as the employer’s use of biometric information is reasonable and appropriate in the circumstances, it might be allowed to impose progressive discipline up to and including dismissal if you refuse to consent.

What To Do If You Feel Forced to Consent

If you believe that you are being required to consent and you do not want to consent but feel you have no choice, you could take the following steps:

  1. First, look at your employer’s privacy policy and any policy that applies to the biometric information, if the employer has one;
  2. If you are comfortable doing so, you could ask the privacy officer about the collection, use and disclosure of biometric information;
  3. If you are unionized, seek assistance from your union representative and your union;
  4. You may also lodge a formal complaint with the relevant privacy commissioner.

You might also consult an employment lawyer for legal advice.

For detailed information about how biometric systems generally work, see the backgrounder published by the Canadian Internet Policy and Public Interest Clinic (CIPPIC).

(3) Re Agropur, Division Natrel and Teamsters Local Union No. 647 (Slotnick), 2008 CanLII 66624 (ON L.A.). For those readers interested, this arbitrator looked at a line of relevant biometrics cases decided under labour law, not privacy law.