Biometrics in the workplace: Employee privacy considerations

Author: Cristina Fahrbach-Connors, J.D., PHR, Senior Legal Editor

Biometrics are biological and behavioral characteristics that can be used to identify a person and authenticate their identity. There are three different types of biometrics: biological biometrics use traits at a genetic and molecular level, morphological biometrics involve the structure of the body, and behavioral biometrics are based on patterns unique to each person.

Examples of biometric information

  • Fingerprints
  • Facial recognition
  • DNA
  • Iris recognition
  • Retina scan
  • Voice matching
  • Hand, ear, and finger geometry
  • Gait analysis
  • Keystroke dynamics

How employers are using biometrics

Biometrics are increasingly being used in the workplace for employee monitoring and workplace security purposes. Attendance tracking can be enhanced by biometric time clocks, which verify an employee’s identity when clocking in and out. This can reduce wage theft and provide accurate time records that can be used in the event of a wage-and-hour dispute. Physical and digital security can be enhanced by biometric access control systems. Biometric locks prevent access to restricted areas, enabling the protection of sensitive company information and valuable property.

Biometric technology can also provide access control for digital systems, networks, and data, protecting digital assets and confidential information. Facial recognition can be used to enter a building or conduct video surveillance, enhancing security measures and allowing employers to monitor their employees.

Employers may find many reasons and benefits to leveraging biometrics in the workplace. However, before doing so, they need to be aware that this technology can pose legal compliance challenges. Employers using biometrics should be mindful of legal considerations pertaining to employee privacy.

Legal risks of using biometrics: federal privacy laws

Under federal law, the Americans with Disabilities Act (ADA), Health Insurance Portability and Accountability Act (HIPAA), and Genetic Information Nondiscrimination Act (GINA) can all apply to the use of biometrics in certain situations. The ADA requires employers to keep medical information private and maintain it as a “confidential medical record” separate from other employee files and in a location that’s accessible only to authorized personnel.

The ADA also protects employee medical information from being disclosed to third parties. HIPAA, which includes biometric information in its definition of “personally identifiable information,” has medical information privacy and security requirements that generally apply to “covered entities”—namely, health plans, healthcare information clearinghouses, and healthcare providers—but many HIPAA requirements also apply to a covered entity’s “business associates.” GINA prohibits employers from discriminating against employees or applicants based on genetic information about employees, applicants, former employees, or their family members.

Legal risks of using biometrics: state laws

Many state laws also provide protection for biometric information in a number of ways, including general and biometric-specific privacy laws, identity theft laws, and security breach laws.

Illinois

Illinois’s Biometric Information Privacy Act regulates the collection, use, storage, retention, and destruction of biometric information. A company that possesses biometric identifiers or biometric information must develop a written biometrics policy establishing a retention schedule and guidelines for permanently destroying biometric information. Individuals must be informed that their information is being collected, as well as be informed of the purpose for collection, how long it will be kept, and how to obtain a written release.

Texas

The Texas Business and Commerce Code provides that an individual’s biometric identifier may not be captured for commercial purposes without prior notice and consent. An employer that possesses an employee’s biometric identifier must destroy the biometric identifier within a reasonable time, but no later than 1 year after the purpose for collecting the identifier ends. If an employer collects a biometric identifier for security purposes, the purpose is presumed to expire when the employment relationship ends.

Colorado

The Colorado Privacy Act has specific requirements and limitations pertaining to the collection of employee biometric information, requiring informed consent, adoption of a written biometric policy with a retention schedule and deletion guidelines, and security protocols. Employers may only require consent as a condition of employment for the following reasons: to permit access to secure locations, hardware, and software; for timekeeping; to improve or monitor workplace safety or security; or to improve or monitor public safety or security in crisis or emergency circumstances. For all other purposes, employers are required to obtain prior consent and may not condition employment upon consent. Other provisions of the Act don’t apply to employers because the Act defines “consumer” to exclude employees and job applicants.

Washington

The Washington Revised Code prohibits an employer from storing biometric identifiers in a database for a commercial purpose without notice, consent, or a mechanism to prevent their subsequent commercial use. However, notice and consent aren’t required to store biometric identifiers for security purposes. Employers must take reasonable care to guard against unauthorized access and keep the identifiers for no longer than reasonably necessary.

Additional state laws

Consumer privacy laws exist in most states. They protect a consumer’s private information and require businesses to take steps to keep personal information secure and to inform consumers what types of information they collect and how it’s being used. While most of them either exclude employee information from their definition of protected personal information or don’t protect biometric information, California and Oregon have consumer privacy laws that protect employees’ personal information, including biometric information.

Identity theft laws make it illegal for someone to use another’s personal identifying information to obtain things like money, credit, goods, and services. States that incorporate biometric information in their identity theft law’s definition of protected personal information include Wisconsin, South Dakota, Virginia, Connecticut, the District of Columbia, and New Mexico.

Security breach laws impose certain requirements on businesses that collect personal information and ensure they take steps to safeguard such information and notify individuals whose information is accessed because of a security breach. States with security breach laws that incorporate biometric information in their definition of personal identifying information include Oregon, South Dakota, Vermont, Washington, Wisconsin, Wyoming, Arizona, Arkansas, Colorado, Delaware, the District of Columbia, Illinois, Louisiana, Maryland, Nebraska, New Mexico, and New York.

Steps employers should take

There are a number of recommended steps that employers who use employees’ biometric information can take. Employers should establish written privacy policies and procedures describing the types of biometric data being collected; how it’s being collected, stored, and used; and retention and destruction measures.

It’s a best practice to obtain written consent from employees before collecting their biometric information, as well as to provide employees with written notice regarding the purpose of such collection. Employers should have security measures and safeguards in place, limit access, and have disposal procedures and timelines. Biometric information should only be used for the purpose for which it was collected. If there are third-party vendors involved in the collection and usage of biometric information, employers should make sure vendors have appropriate confidentiality and data security measures in place.