The growth and progress in new forms of technology introduce even more challenges for both employers and employees. The Internet has globalised the business world. Companies engage in numerous transactions and communications through technology every second of the day. It is well recognised that information technology does not adhere to the geographical boundaries that are normally associated with physical location, and by its very nature there are particular risks associated with collection, storage and deletion of such data.
The collection of employee biometric data (scan of fingerprint to clock in and out, to confirm identity, and used as a security measure) is becoming increasingly commonplace. The collection of biometric data includes not only fingerprint, but voiceprint, or the scan of a person’s retina, iris, face or hand. It is easy to see how some employers could view the introduction of electronic scanning as helpful to eliminate common forms of timekeeping fraud and to produce a more streamlined operation.
The main problem with the collection of biometric data is the invariable nature of biometric identifiers. Personal identifiable information such as driver’s licences and passport numbers can be changed, whereas biometrics (fingerprints, DNA, eye scans) are ‘biologically unique’ and unchangeable. There are also concerns that the collection of such biometric information is more intrusive on an employee’s privacy. This raises the important issue of employers needing to have robust data protection policies in place around the collection, retention and deletion of biometric data if they wish to introduce such practices.
As part of this, employers will need to consult with employees and obtain their consent before introducing the collection of biometric data. The Employment Court considered this issue in OCS Limited v Service and Food Workers Union Nga RingaTota Inc & Anor WN WC 15/06 31 August 2006. The Court provided some helpful guidance on the legality of employers using biometric technology and found:
- the technology needs to be compatible with the contractual obligations of the parties;
- there needs to be a balance between the need for the technology and the level of personal intrusiveness involved for the individual concerned;
- employers have the right to introduce different systems of timekeeping technology subject to reasonable consideration of valid concerns raised by the union and/or employees; and
- the employer must take reasonable steps to inform employees of the new measures and to obtain their consent.
So what does this mean for employers?
If you are considering using a practice that involves the use of biometrics, or any other potentially sensitive information, you will need to consider privacy principles and the helpful guidance provided by the Employment Court. If you have already adopted such a practice, then check to ensure that you are compliant with the Privacy Act’s principles on collection, storage and deletion, and review your current level of transparency with your employees.