Use of Fingerprints for Assiduity Control at the Workplace – Provision of July 21, 2005
doc. web n. 1166892
doc. web n. 1150679
THE GARANTE PER LA PROTEZIONE DEI DATI PERSONALI
Having convened today in the presence of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Mauro Paissan and Mr. Giuseppe Fortunato, Members, and Mr. Giovanni Buttarelli, Secretary General;
Having considered the request for prior checking submitted by Landini S.p.A. pursuant to Section 17 of the data protection Code (legislative decree no. 196/2003) concerning the processing of biometric personal data for the purpose of controlling employee assiduity at the workplace;
Having regard to the information gathered following the investigations started pursuant to Section 154(1), letter a), of the aforementioned Code;
Having regard to the considerations made by the Secretary General pursuant to Section 15 of the Garante's Regulations no. 1/2000;
Acting on the report submitted by Mr. Mauro Paissan;
1. Processing of Personal Biometric Data in the Employment Context to Control Assiduity
Landini S.p.A., a manufacturer of fibre-cement and metal coverings with about three hundred employees, lodged a request for prior checking with the Garante in pursuance of Section 17 of the Code; the request concerns the processing of biometric data related to the said employees with a view to controlling their assiduity at work and thereby allocating standard and overtime pay.
Operation of the above system would require the preliminary collection of biometric data (so-called enrolment phase), whereby the company would turn the image of part of the employee's fingerprint into a digital code using electronic devices equipped with both fingerprint readers and ad-hoc software; the said code would be assigned to each employee after being stored in the company's information system, without being encrypted or processed in any similar manner. The digital codes would be used as benchmarks for the digital codes obtained after reading (parts of) the employees' fingerprints whenever they leave and/or enter their workplace; such reading would be performed via readers located in several premises within the company, which would be connected with the company's information system.
The processing of biometric data was said to only be aimed at the purposes described above. Based on the allegations made by the company-data controller as well as by the system manufacturer, fingerprints would not be stored for longer than necessary to complete the enrolment phase. In the company's view, it would be impossible to trace the fingerprints back to the respective owners starting from the digital codes generated from them.
The processing of biometric data was said to be justified by the need to prevent certain types of (unlawful) conduct by some employees, mainly consisting in the exchange of their respective badges, as well as loss of the magnetic cards that are currently used. The processing of biometric data was alleged to allow overcoming these problems and ensure a high degree of certainty in employee identification.
Based on the statements made, measures would be adopted to allow employees that either are unable to take part in the enrolment phase because of their physical features or are unwilling to consent to the processing, to certify their presence at the workplace by signing in an assiduity register within the premises of the personnel department and being thereby subjected to "visual" recognition, or else by means of other "conventional mechanisms".
2. Processing of Biometric Data and Applicability of Personal Data Protection Legislation
The case submitted to the Garante's prior checking entails the processing of personal data.
The biometric data to be collected, i.e. part of the data subject's fingerprint, is information resulting from the physical features of individuals that are to be identified uniquely by means of a reference template. The latter consists in a set of digital values that are derived mathematically from the individual features referred to above and are intended to allow identification of an individual via the comparison between the numerical code derived at each access and the initial template.
Fingerprints (see the Garante's decision of November 19, 1999 as published in its Bulletin no. 10, p. 68) – regardless of the fact that only part of them are collected and this is only aimed to complete the enrolment phase – as well as the numerical codes subsequently used for comparison purposes are personal data insofar as they can be related to individual employees (see Section 4(1), letter b), of the data protection Code); hence, the provisions laid down in the Code apply both to the enrolment phase and to any comparison/matching carried out thereafter, including the creation of log files on employee assiduity.
3. Data Quality, Security Measures, and Information on the Processing of Biometric Data
As for data quality principles, the inquiries carried out have highlighted some questionable features in respect of the appropriate operation of the system to be deployed.
To date, there is no evidence that the requirements are met to ensure a high degree of reliability of the system in question; indeed, a testing phase has been scheduled to probe its reliability. Additionally, the company has not been able so far to specify the accuracy of the system as based on technical benchmarks for pinpointing both "false negatives" and "false positives". However, systems such as the one in question should ensure the highest possible level of data reliability and integrity, also on the basis of certificates and/or attestations issued in respect of the various devices possibly following the assessment carried out by independent technical boards.
Furthermore, the information provided does not allow establishing whether the envisaged security measures are adequate in order to protect the electronic communications network on which the biometric data are transmitted by the individual readers to the centralised data acquisition system. In this connection, it would be appropriate for the data controller to avail itself, for instance, of encryption keys for the biometric data - following the guidance provided at European level (see, for instance, the Working Document on Biometrics adopted by the Article 29 Working Party on August 1, 2003, Point 3.6, available at http://www.europa.eu.int/...).
The information notice is also inadequate by having regard to the planned processing; it has been already mentioned that – pursuant to the statements rendered – employees are alleged to be free to decide whether to participate in the assiduity control system based on biometric data, alternative measures being also available to any employees that are unable to have their assiduity recorded via the biometrics-based system because of physical reasons.
However, the above statements are not confirmed by the text of the information notice to be released to data subjects, which says that providing the data – including biometric data, as expressly referred to under the item "additional specifications" – is compulsory. This is relevant partly because the system could only work – as regards the enrolment phase plus the employees' access to the workplace – with the employees' active cooperation, who should be willing to allow parts of their bodies to undergo the operations required for biometric data acquisition in the absence of legislation requiring them to do so as well as without prejudice to the possible need for consulting with trade union representatives.
Moreover, no reference is made in the information notice to alternative assiduity control mechanisms, which is in breach of Section 13 of the DP Code – whereby it is necessary that the information notices to be provided to data subjects refer clearly to all the processing mechanisms applied as well as to the categories of personal data used for each of them.
4. Biometric Data and Personal Data Protection Principles: Purpose Specification, Data Minimisation, and Relevance
Whilst the above considerations point to several questionable items in respect of the data acquisition system at issue, the lawfulness of the system is to be also assessed by having regard to other features related to compliance with data minimisation, proportionality, purpose specification and fairness principles as well as with data quality requirements (see Sections 3 and 11 of the DP Code, and Article 6 of EC Directive 95/46).
In this connection, there is little doubt that employers are lawfully empowered to supervise performance at work (pursuant to Section 2094 of the Civil Code) by verifying employees' assiduity and compliance with working hours also in order to compute their wages (e.g. by means of personal badges); however, it has not been shown that the processing of biometric data in question is in line with data minimisation and proportionality principles with particular regard to the use of fingerprints.
Using such data in the workplace may be justified in specific cases as related to the purposes and context of their processing – e.g. in connection with accessing certain premises in a company that require especially stringent security measures either because of specific circumstances or on account of the activities performed in those areas; alternatively, their use may be justified in order to ensure security of the processing of personal data (see Annex B) to the DP Code).
Conversely, the blanket use of these data may not be considered lawful; as regards fingerprints, this is compounded by the need to prevent their misuse and/or inappropriate use.
If one considers that suitable alternative mechanisms can be used to establish personal identity in an equally stringent manner that is less of a problem to the dignity of the employees concerned (see Section 2 of the Code), and that such mechanisms have not been referred to as ineffective in the case at issue, the records on file do not allow considering it lawful to acquire fingerprints for the purposes alleged by the company, i.e. calculating working hours; in particular, and contrary to the representations made by the company, fingerprints are actually associated with the respective data subjects.
Apart from standard and sample checks on employee assiduity at day's end and/or at the workplace, which can be performed quite easily, it has not been shown that measures requiring no processing of biometric data (pursuant to Section 3 of the DP Code) are ineffective in order to significantly limit the risk of unauthorised practices.
To verify compliance with working hours and simultaneously prevent unauthorised conduct by employees, the data controller can avail itself of other, less privacy-intrusive systems that do not impinge on personal freedom and do not involve an employee's body – which are both constituents of personal dignity, safeguarded by personal data protection provisions (see Section 2 of the DP Code).
The processing at issue is to be regarded as disproportionate also in the light of the envisaged technical arrangements – i.e. the centralised storage of the identification codes derived from the analysis of biometric data; again, less invasive technological approaches can be undoubtedly implemented. Bearing in mind the principles set out in Section 3 of the DP Code, one should argue that – providing the use of biometric information is permitted – it is preferable to store the identification code on a medium that is in the data subject's exclusive possession after completing the enrolment phase rather than to record the code at centralised level in the company's information system. The latter approach may actually be more prejudicial to individual rights if the security measures are breached, unauthorised entities access the data, or the stored information is misused – whether or not by third parties.
In line with Community law – whereby the processing of data entailing specific risks to data subjects' rights and fundamental freedoms, such as the one in question, is to be allowed only following a prior checking aimed at establishing that the processing is lawful and fair as well as laying down measures and instructions to safeguard data subjects (see Article 20 of EC Directive 95/46, and Section 17 of the DP Code) – it is hereby concluded that the prerequisites envisaged by the law to process data relating to fingerprints are not met in the case at issue.
Therefore, the processing referred to in the submission is to be regarded as unlawful on the grounds described heretofore.
Based on the above premises, the Garante:
Under the terms and for the purposes of Sections 3, 11, 17 and 154(1), letter d), of the Data Protection Code, declares that the processing Landini S.p.A. plan to carry out is unlawful on the grounds referred to in the premises, and hereby prohibits the said processing if carried out for the purposes and in the manner described therein.
Done at Rome, this 21st day of July 2005
THE SECRETARY GENERAL