Is fingerprint technology against GDPR?

Napthens - July 5th 2019

Using biometric personal data in the workplace

Clients often want advice on how to navigate GDPR. One question that comes up is the use of fingerprint recognition technology in door entry systems - does GDPR permit this and does it impose any requirements on businesses?

The short answer to this question is that GDPR does not stop you implementing such systems. However, you do need to consider and document some important issues first to ensure the processing of personal data is lawful.

What is biometric data and when can it be used?

The definition of biometric data in GDPR includes “dactyloscopic data” (fingerprint data). When biometric data is used to identify an individual, it attracts special protection because it falls into a “special category” of personal data. Some commentators argue that an algorithm which allows software to “recognise” a fingerprint by the use of a number of reference points is not personal data at all. This is something you could consider with the technology provider when conducting a data protection impact assessment – see below.

You can only process “special category” personal data if you meet one of the conditions set out in Article 9 of the GDPR (you still have to satisfy one of the more familiar conditions set out in Article 6 GDPR, such as consent, necessity to perform a contract or legitimate interests). There are 10 conditions in Article 9 which legitimise the processing of “special category” personal data. The most relevant here is “explicit consent”. This means that it is unlikely you can implement a fingerprint recognition system without seeking the consent of the employees whose fingerprints you will be capturing.

What is explicit consent?

Explicit consent is not defined in GDPR. However, “consent” must be:

  • “Freely given, specific and informed”
  • “by a clear affirmative action”
  • able to be demonstrated by the data controller
  • clearly distinguishable from other matters, in an intelligible and easily accessible form using clear and plain language

It is important to note that consent can be withdrawn at any time.

Recent High Profile Example

Last month the ICO issued an enforcement notice against HMRC following its implementation of a voice recognition system. The notice orders HMRC to delete all biometric data held by it and its suppliers or face a potential fine of the higher of 20 million euros or 4% of worldwide turnover.

When the ICO looked at how HMRC had implemented the technology, it found that whilst HMRC did provide some transparency information and ask callers to confirm that they would use their voice as their password, it did not explain to customers how they could decline to participate in the Voice ID system. There was also a significant imbalance of power between the parties (HMRC on the one hand and taxpayers/recipients of benefits on the other), which made it harder to obtain consent. The ICO found that consent had not been obtained and HMRC had no lawful basis for the processing of this personal data. The ICO identified having an appropriate lawful basis as an issue of “central importance” to data protection law, the lack of which warranted enforcement from the ICO even if there was little or no damage done to the data subject.

This issue affected 7 million HMRC users, the scale of which is unlikely to be replicated in the employment context. Nevertheless, the case provides useful guidance for the approach the ICO may take in relation to the processing of personal data, particularly where there is an imbalance in the power of the parties (as there is in the employer/employee relationship).

The ICO issued an enforcement notice to HMRC rather than a fine. However, the practicalities of putting things right after a system has been implemented mean that complying with an enforcement notice is not always straightforward.

Obtaining consent in the employment relationship

In order to implement a fingerprint recognition system lawfully, it seems employees have to be given a real choice – whether to participate in the system or not – without being subjected to any detriment if they decline. For that choice to be informed, communication and transparency about the processing is required. Whilst a system might be “sold” to employees and their consent obtained because it is more convenient or enhances security, it cannot be imposed wholesale, and withdrawals of consent would have to be honoured.

Practically, simply changing the system and then asking employees to sign to say they consent to the use of fingerprint recognition technology to obtain access to buildings or restricted areas is unlikely to cut it.

Data Protection Impact Assessment (DPIA)

If you are thinking of implementing fingerprint recognition technology in the workplace you should consider carrying out a DPIA.

A DPIA is a way of documenting your approach to data protection in relation to new technologies or processing to make sure you have identified and addressed risks to “the rights and freedoms of individuals”. In a DPIA you set out the details of the processing, its lawful basis, the details of any relevant consent process, how you will honour data subject rights, the role of third parties and the details of any consultation with employees.

With this information you will be well placed to make an informed decision about whether to implement such a system. Practically, if you have consulted with employees, taken note of and acted upon their concerns you are less likely to be faced with any complaint.
