Responsible Use of Biometrics

What are Biometrics?

In the context of facial recognition, your biometrics are a series of facial measurements (eg: the distance between your eyes, the distance between your nose and your mouth, the width of your mouth, etc) that together can be used to uniquely identify you.

Why are Biometrics Special?

Biometrics are a permanent form of identification. That is, unlike most forms of identification (eg: phone numbers, driver's licenses, social security numbers, etc), a person cannot change their face, and their biometrics will always be able to identify them. Biometrics are therefore considered a special form of personal information that requires extra protection and responsible use.

What are your Responsibilities?

While there is certainly a moral responsibility to protect your employees' personal information, there is also a legal responsibility.

Regulations have emerged around the world that govern the use of biometrics, including general privacy regulations such as:

  • The California Consumer Privacy Act (CCPA)
  • The General Data Protection Regulation (GDPR)
  • The Australian Privacy Act

There are also regulations that relate specifically to the use of biometrics, particularly state-based regulations in the United States, such as:

  • Illinois Biometric Privacy Act (BIPA)
  • Texas Capture or Use of Biometric Identifiers Act (CUBI)

If you are recommending, using, or planning to use biometrics, it is important that you understand the local privacy regulations and biometric regulations that apply to you.

NoahFace has published a number of guides (on our Privacy and Security page) that can help you with that understanding.

For a more general introduction and recommendations, read on.

Do I need employee consent to capture biometrics?

The answer to this is an emphatic yes. In every jurisdiction we are aware of, you must have consent from employees in order to capture their biometrics.

The detailed consent requirements differ by locality, but as a generalisation:

  • You must disclose that you intend to capture biometrics at the point of capture and before they are captured.
  • Disclosures must explain why biometrics are captured, what they are used for, and how long they are kept.
  • Disclosures must be simple and in the language generally used in the workplace.
  • Consent must be voluntary.

To address these requirements, NoahFace provides a built-in consent screen that is displayed as part of the user registration process:

NoahFace will only capture and store an employee's biometrics after they press "Accept", and the date and time at which they consented is recorded.

Recommendations:

We recommend that you review your NoahFace setup and ensure you are using the provided consent screen. This is enabled on each of your Access Point Types:

You should only disable this setting if you are explicitly obtaining consent outside of the NoahFace platform - for example, in your employment agreements.

We also recommend that you upgrade your NoahFace App to the latest release. There have been several revisions to the language used in the consent screen over time to address specific requirements in evolving biometric regulations, and it is important that you are up to date with these revisions.

Finally, we also recommend you review your local regulations and ensure that you are satisfied that the standard wording addresses your requirements. If necessary, you can add additional disclosures that are specific to your local region.

What can I do if individual employees do not consent?

Most employees do consent to the use of biometrics, because they can see the clear benefits in doing so (eg: speed and ease of clocking in and out). However, it is possible that some individuals do not, citing general concerns over privacy, religious objections to having their photograph taken, or other reasons. Since consent to capture biometrics must be voluntary, you need to decide how those employees will record their time.

Within NoahFace, your options include allowing individual employees to be identified by:

  • Passcodes
  • QR Codes
  • Access Cards

Outside of NoahFace, you could even allow individual employees to record their time on paper timesheets.

Recommendations:

We recommend you review your policies and ensure that you are providing employees with a non-biometric identification alternative, should they request it.

You may also like to review the following Tech Notes:

which explain how to configure NoahFace to allow individual employees to be identified using passcodes and QR codes respectively.

How long should I retain biometrics?

In most jurisdictions, you are required to destroy biometrics as soon as either:

  • The purpose for which you captured them (ie: to allow employees to clock in/out efficiently) no longer exists.
  • Employees remove their consent for you to keep them.

Generally this means that as soon as an employee leaves, you must destroy their biometrics. In addition to this, you need to be prepared to destroy their biometrics if they ask you to.

Recommendations:

We recommend you review your Biometrics Destruction setting, found in the NoahFace Dashboard under Security Settings:

Setting this to "Immediate" means that biometrics are permanently destroyed as soon as an employee is removed from NoahFace. This is the default setting for new NoahFace customers, and it will help you comply with a large number of regulations around the world. This is particularly recommended if you are operating in the United States, where there are many state-based regulations with differing requirements.

Setting this to "After Retention" means that biometrics are only destroyed when other employee data (such as clocking events) is destroyed, which is typically 3 months or more after an employee is removed from NoahFace. There are only a few regulations that allow for this, so you should only use this option if you have carefully considered your local regulations and you have a specific need (eg: you often re-hire employees).

You may also like to review the following Tech Note:

so you are prepared to respond if an individual employee ever removes their consent for you to use their biometrics.

Want to know more?

There are many sources for information on privacy and biometrics, including:

We would encourage you to reference all of these sources, review in detail your local regulations, and to adopt the responsible use of biometrics.