Date icon04 January 2021

Facial Recognition Employee Consent

Our physical attributes are the most impervious form of identity verification there is. Virtually impossible to replicate and completely unique, physical features such as eyes, faces and fingerprints make ideal ID credentials.

Biometric time and attendance and/or access control readers are built around this exact principle. These readers scan and read an eye, a face or a fingerprint in seconds, to record attendance or admit access for those registered in the solution’s database.

Biometric readers are therefore well-suited to personnel management within many businesses and organisations, in regard to both time and attendance tracking and premises security. Data gathered by biometric readers can be used to create operational efficiencies across several departments, including HR and payroll.

Yet, any organisation making use of biometric readers must ensure they are doing so in line with current data privacy laws, which involves gaining employee consent and ensuring there is a solid basis for introducing the system, before it’s implemented. Here’s what you need to know.

How biometric identity technology works

Unlike an ID card, password or PIN code, biometric data cannot be lost, stolen, forgotten or shared with others without authorisation. A biometric reader takes a scan of a physical characteristic – a fingerprint, for example – which is then processed to identify the unique data points within it, the positions of specific ridge points within the print that make every fingerprint one-of-a-kind. This is known as the biometric template.

It’s this template that the system will then look for in its database, in order to determine whether or not the fingerprint being scanned belongs to a recognised and approved individual. It’s worth noting that a biometric system only stores these biometric templates, not full images of fingerprints, and it’s impossible to duplicate a print based on a template alone.

How biometric data is classified under GDPR   

Biometric data is of course, personal to an individual, which means it is subject to the General Data Protection Regulation (GDPR) and its governance of the processing of personal information.

Under GDPR, biometric data is known as ‘special category data’ whenever it is processed to identify an individual. As the Information Commissioner’s Office (ICO) states, “if you use biometrics to learn something about an individual, authenticate their identity, control their access, make a decision about them, or treat them differently in any way, you need to comply with Article 9”.

Article 9 includes the specific conditions for processing special category data; any organisation looking to implement biometric time and attendance and/or access control must meet at least one of these. You can read the full list here, but we’ve also summarised some of the most relevant conditions below:

  • Biometric processing is essential for reasons of public interest
  • Biometric processing is critical in protecting the vital interests of the data subjects (employees)
  • Biometric processing is necessary as part of the provision of health or social care (with a basis in law)
  • Biometric processing is necessary for the purposes of carrying out obligations and exercising the specific rights of the data controller (employer), or of the data subjects, in the fields of employment, social security and social protection law
  • The data subjects have given explicit consent to biometric processing

As this list shows, many of the conditions for processing biometric data relate to the type of work an organisation carries out and whether this provides a justification for processing. Conversely, gaining employee consent negates the need for an organisation to fit certain parameters, making it perhaps the most straightforward way to implement GDPR-compliant biometric technology.

Do I need employee consent to implement biometric time and attendance?

The short answer is perhaps – it depends on whether there is another condition that your organisation meets under GDPR Article 9 on the processing of special category data. That said, we would strongly recommend gaining the consent of your employees before implementing biometric time and attendance regardless; not only will it ensure your organisation is GDPR-compliant, it will also help them understand why you are implementing the technology and what exactly is involved. Transparency is key and will enable your team to voice any concerns they have so that you can address them.

To be fully compliant, employee consent must be explicitly given from each individual; you cannot simply opt everyone in. At the same time, you must also offer your employees the option to withdraw their consent at any point. This is where a pre-implementation employee consultation period on biometric data is so valuable – you can explain your reasons for considering the technology, outline how it works and answer any questions before seeking consent from your team members. For example, knowing that a time and attendance and/or access control solution does not store actual fingerprints may go a long way to alleviating any personal data concerns amongst your workforce.

What’s more, if any concerns persist, there are alternative solutions you can consider instead. We provide biometric readers that also come with a built-in ID card reader, which gives team members a way to use the system without submitting biometric data.

Let us help you implement GDPR-compliant biometric technology

Adding biometric time and attendance and/or access control to an operation requires a good deal of forethought, but the benefits are more than worth it for the right organisation. With decades of experience and expertise in the industry, Touchstar can guide you through the design and installation of your system from start to finish, ensuring your solution is effective, scalable and fully compliant. Get in touch with us today to find out more.      



Facial Recognition Blog Author Lynden Jones

Lynden joined Touchstar ATC (formally Feedback Data) in a sales role for Access Control in 2010.  Prior to joining the company, Lynden held both Production and Account Manager roles, gaining wide technical and commercial experience within the electronics market.  In 2013 Lynden was promoted to Sales Director and in 2017 he took overall responsibility of the business as Managing Director.

As well as running Touchstar ATC, Lynden still remains extremely active in the sales and key account management aspects of the business. When not involved in the business, Lynden is a keen performance car enthusiast.