- What is biometric data?
- When might we use biometric data for time and attendance control and monitoring?
- What are access controls?
- How do we determine if using biometric data for access control is necessary and proportionate?
- What lawful basis and condition for processing can we rely on when using biometric data?
- Do we need to carry out a data protection impact assessment (DPIA)?
- What about accuracy, fairness and rights relating to automated decision-making?
- What do we need to tell workers about biometric data and access controls?
- Can workers object to the use of biometric data for access control?
- What about the security of biometric data?
The UK GDPR defines biometric data as:
“Biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person such as facial images or dactyloscopic [fingerprint] data.”
Biometric data is personal information that’s unique to someone. It relates to their behaviour or biology, and is obtained using technology.
Biometric data includes:
- iris scanning;
- retinal analysis;
- facial recognition templates; and
- voice recognition templates.
Biometric data is unique in data protection law as its status can change depending on the purpose you use it for. When your purpose is unique identification (eg access control or timekeeping) further safeguards are required. If you use biometric data to identify a specific person then it becomes special category data.
Controlling and monitoring access for security or time recording is nothing new. Using swipe cards, PIN codes and passwords to control workers’ access to buildings and IT systems is common.
However, the technologies and systems that are used to identify workers and enable access have developed, with biometric data increasingly part of the picture. Processing biometric data (eg using a worker’s fingerprint) can be a convenient way to give workers access to their workplace. However, it does pose a risk to workers’ data protection rights and freedoms. It can also undermine trust between workers and employers. Therefore you should consider whether there are any alternatives to using biometric data, in order to achieve your desired objectives.
The nature of biometric data means that it is more closely identified with a specific person. As such, the risks of harm in the event of inaccuracies or a security breach are much greater - as it is more difficult to rectify if inaccurate, and you cannot replace it in the event of a breach (unlike, for example, being able to reset a password). Therefore, you must consider whether you need extra security measures when collecting, using and storing biometric data.
Access controls are for unique identification, where you process the information to identify specific people and then grant them access to specific resources during work time. This applies to both physical resources (eg access to a specific work area) and electronic resources (eg access to a specific piece of software).
You may also use information from access controls to record working hours.
- For further information see our guidance on biometric data.
Start by following the steps you would take when you are deciding whether to introduce any other new monitoring technology, as set out above.
You should document your reasons for choosing to rely on biometric data, including any consideration of other less intrusive means and why you think they are inadequate. Remember, biometric methods of identification contain much larger amounts of sensitive information than methods such as swipe cards. You should be clear about your purpose and why using biometric data is necessary. If a reasonable alternative option to using biometric data is possible, you should be able to justify why you don’t use this method. You must document all of this in your DPIA.
Your lawful basis depends on your purpose for using biometric data to identify workers and the reason for your access control measures. (See the section on lawful bases.)
If you use biometric data to uniquely identify someone, it is classed as special category data. So, if you are using biometric data for access control to identify workers, you must also identify a condition for processing. (See the section What if our monitoring involves special category data?)
If you are relying on biometric data for workspace access, you should provide an alternative for those who do not want to use biometric access controls, such as swipe cards or pin numbers. You should not disadvantage workers who choose to use an alternative method. It is likely to be very hard to justify using biometric data for access control without providing an alternative for those who wish to opt out.
If you provide an alternative method for those who wish to opt out of the use of biometric data, and your workers are not disadvantaged for opting out, consent is the most likely lawful basis to apply to the use of biometric data for access control.
However, if there is no non-biometric alternative, then the consent basis will not be appropriate.
Remember that there are other lawful bases that you may be able to rely upon, if you can justify their use. Whichever basis and condition for processing you decide to use, you must document your reasons carefully in your DPIA.
An employer introduces an electronic fingerprint scanning system for time and access control. Workers scan their fingerprint in order to access their workplace. The employer also uses the personal information for payroll purposes. Having carefully considered the available options during the DPIA process, the employer decides consent is the most appropriate lawful basis for their processing. This system uses biometric data to identify individual workers so the employer needs a valid condition for processing special category data in addition to a lawful basis.
The employer offers a swipe card option with no detriment to workers who do not wish to have their fingerprints scanned. This means the employer can consider relying on the explicit consent condition for processing the special category biometric data. This is because workers can give their consent freely and have the option to use a swipe card if they change their mind.
An employer rolls out new laptops to all workers. The devices have the option of facial recognition sign in. Staff who have tested the system find the facial recognition feature very useful. The employer decides to use consent as their lawful basis.
Workers who agree to using facial recognition provide explicit consent on the understanding that the image created is only held on the device provided to them and is not stored elsewhere or used for any other purpose than device access. Workers who do not wish to use facial recognition to log on may use a password or a PIN instead. The facial recognition process does not initiate on the laptops of workers who have not given consent.
Yes, you must carry out a DPIA whenever you intend to process biometric data to uniquely identify a worker. This is because processing biometric data is considered high risk. You must complete your DPIA before starting the processing. This will assist you in assessing and documenting risk and putting measures in place to reduce any identified risks. The DPIA process also allows you to discuss the proposed use of biometrics with workers and their representatives before you introduce it.
Any inaccuracies in biometric data that allow workers to access work or to pay them correctly are likely to have a detrimental impact on workers. When deciding whether to implement a new system, you should think carefully about the accuracy of the system and its ability to correctly identify people. As a data controller, it is your responsibility to ensure personal information stored on your system is accurate regardless of whether you have engaged another organisation to provide the system. You should make sure systems are in place to quickly correct any inaccurate information so it does not negatively impact workers.
There is a risk that facial recognition works with less precision for some demographic groups. To comply with the fairness principle, you must assess and mitigate the bias in your system. If you have engaged another organisation to provide the system, you should check it is suitable for the groups and people whose information it will capture. If the system you use results in processing which causes bias or discrimination, you are likely to breach the fairness principle.
Accuracy is linked to workers’ rights about automated decision-making and profiling. If monitoring workers relies on authentication by solely automated decision-making, there is a risk that workers are incorrectly identified or not identified at all. You must ensure that manual reviews are therefore available if an automatic process has resulted in a possible access denial. You must give workers the option to ask for a review if they are unhappy with a decision made by solely automated processing. You should quickly identify issues with workers accessing systems or buildings and give back access to workers as soon as possible. You should not disadvantage workers who request manual reviews.
Access to a building is controlled by facial recognition. A worker with full access permissions stands in front of the camera but the door fails to open as the system has not recognised them. This means the worker cannot start work.
To mitigate this risk, the employer has also installed an intercom so the worker can quickly call a supervisor who can grant them entry and manually enter the time they arrived into the system.
If an alternative had not been in place, the worker could potentially have suffered negative consequences, such as loss of pay or disciplinary action. The intervention by the supervisor means that the worker experiences a minor inconvenience rather than a significant detriment as a result of the facial recognition access control system.
You must tell workers:
- how the system works;
- what personal information you are collecting;
- how you will use their information; and
- the nature and purposes of the monitoring.
You must inform your workers through your privacy information. You could also provide information on posters or during staff meetings. (See the section What must we tell our workers about our monitoring?)
A worker can object to the use of biometric data for time and attendance related purposes, if the lawful basis you are relying on is:
- public task (for the performance of a task carried out in the public interest);
- public task (for the exercise of official authority vested in you); or
- legitimate interests.
If you have used consent as your lawful basis, workers can withdraw their consent. If they do this, you should provide them with an alternative method of access, and make sure that this doesn’t cause them detriment.
You must have security measures in place which are appropriate to the risks of unauthorised access or disclosure of your workers’ biometric data. Unlike a password or a phone number, biometric data is more permanent and can’t be changed, in most cases. This makes the consequence of a breach more serious. You should consider whether you need to store a copy of the underlying image or whether it is sufficient to store the biometric template. In either case, you should consider security measures (eg encryption) and organisational measures (eg access restrictions).
If you are storing biometric templates, you must ensure that:
- you don’t hold them for longer than is necessary;
- they remain accurate and you refresh them as often as considered necessary;
- you store them in a way which does not allow for reverse engineering into the original image or identity (ie the biometric templates are encrypted); and
- you don’t store the biometric templates alongside other associated images or lists.
□ We have documented our evidence base for relying on biometric data, including our consideration of why we are not using less intrusive means.
□ We have identified a lawful basis and a special category condition where necessary.
□ We have carried out a DPIA.
□ We have discussed the proposed monitoring with workers during our DPIA.
□ Where consent is relied on, we have put in place alternative methods for authentication or identification for workers who have not given their consent to the processing of their personal information.
□ We have made manual reviews available for any workers having issues with access denial due to automatic errors.
□ We have considered whether further security measures are required when processing biometric data.
□ We have considered accuracy and fairness. We have mitigated any identified risks.
□ We have considered the rights of individuals relating to automated decision-making.
□ We have informed workers about the use of their biometric data for access control.
□ We have considered workers’ rights to object to the use of biometric data for access control.
□ We have ensured there are appropriate organisational and technological measures to protect the security of any biometric data we process.
You can also view and print off this checklist and all the checklists of this guidance on our checklists page.