Legal ease: The risks of using biometric technology in the workplace

Employers could face legal claims if biometric data is leaked; these could be high-value claims

Allowing employees access to buildings and data by scanning their hand, face or eyes can be seamless and secure. But HR must be aware of the legal and regulatory risks.

When Amazon launched its palm-scanning technology service, Amazon One Enterprise, in November, it was described as a fast, convenient and contactless experience for employees to access physical locations and digital assets.

These benefits have led leaders of more and more workplaces to consider using biometric technology in their offices and cloud systems to enhance security and improve efficiency.


Fingerprint, palm, face or eye scans can help simplify and guard access to physical workplaces, online company networks and sensitive data. For example, employers can do away with employees having to create or remember passwords; guessable passwords put the company’s online systems at risk.

However, HR departments must be alive to the legal risks of using biometric technology. There must be justifiable grounds for use of biometric data in the workplace.

Under the Data Protection Act 2018, biometric data is defined as special category data, meaning there is a higher level of protection required than for, say, photos and email addresses, which are classed as personal data. Businesses could face a fine of up to 4% of global annual turnover or £18 million, whichever is greater, from the UK Information Commissioner’s Office (ICO) if they fall foul of the rules, plus potentially significant damage to their reputations.

The impact of processing, and the security involved in holding this special category data, must be fully explored to ensure you are using it lawfully. Without explicit consent, special category data (which includes biometric data) is considerably harder to justify processing, compared to standard personal data.

A detailed, properly documented data protection impact assessment will very likely be needed before your business brings biometric data into use. You will also need to add to your privacy notice – which should be available to read at all times by an employee – and explain why you need employees’ biometric data, how you will process it, how you’re adhering to the law and who employees should go to with any queries or concerns.

Further, implement enhanced cyber security measures such as encryption to minimise the risk of sensitive personal data being hacked. Employers could face legal claims from employees if biometric data is leaked, and these could be high-value claims, especially if workplace biometric data has been used to hack a personal bank account.

Recent cases across the EU have highlighted the importance of assessing whether using biometric technology at work is proportionate. Using biometric data is invasive, and it must be explored whether the same level of security could be achieved by other means.

For example, a Dutch court ruled in 2019 that it was disproportionate for an employee to need their fingerprint to use a cash register. The Manfield shoe company did not look into other forms of security which would have helped protect cash registers, such as access passes, codes, CCTV and safety deposit boxes.

Biometric technology opens up a world of possibilities for employers, by potentially driving greater value and efficiency in their operations. However, without tight controls, and adherence to data protection laws, businesses could face legal repercussions.

It is worth HR departments consulting the ICO website to ensure they are following regulations, and their solicitors to ensure that they are operating within the law.

Chris Cook is partner and head of employment and data protection at SA Law


This article was published in the March/April 2024 edition of HR magazine.
