What exactly is Biometric Data?
Under the Data Protection Act, 2019 (DPA), biometric data is any data based on your physical, physiological, or behavioral traits, and it constitutes sensitive personal data. Examples include fingerprints, DNA, voice and facial recognition, voice patterns, and iris scans.
Because of its sensitive nature, it requires extra security and special processing to protect your rights and fundamental freedoms.
The General Rule: Explicit Consent should be obtained
According to the ODPC Guidance Note, employers wishing to use biometric or CCTV technology must notify employees and obtain their explicit consent before processing the data.
The consent should be transparent and specify why the data is being collected, where the collection is taking place, and how it will be used. It should not be used for other purposes not disclosed to the employees.
Example: If a CCTV camera is installed for security at the door, it cannot be used to monitor your lunch breaks or your other movements without your permission.
The golden rule is that when using biometric access technology, employers should use the least intrusive means possible to achieve the desired objective.
Can they use your data WITHOUT consent?
Yes, but only in exceptional and justifiable circumstances.
Even if you haven’t given express consent for a specific use, an employer may process your biometric data if the employer has legitimate interests to do so. However, this must be:
- Done strictly on a case-by-case basis.
- Necessary and proportionate to the circumstances. For instance, biometric data may be needed to investigate a theft, or other disciplinary matters.
- Limited in scope to the specific matter at hand.
In such instances, the employer’s legitimate interest may override the employee’s legitimate expectation of privacy.
When is Consent not required?
Aside from legitimate interests of the employer, the DPA recognizes other lawful bases where an employer or entity can process your data without your express permission:
- Matters of public interest such as contact tracing during a disease outbreak, or monitoring and surveillance at a government building or other public areas to prevent crime or respond to emergencies.
- To protect the vital interests of the data subject, such as in medical emergencies where you cannot give consent.
- To fulfil a legal mandate. For instance, if a law or a court order specifically requires the processing of your data, the employer must comply regardless of individual consent.
- Matters of national interest, such as security threats to the State where biometric or CCTV data may be needed.
Even in these cases, the processing must still respect the principles of data minimization, under which only the data that is absolutely necessary should be used.
The Burden of Proof
If an employer uses your biometric or CCTV data for something you didn’t agree to, the burden of proof rests on the employer to prove that it was necessary and proportionate to that specific situation, and limited in use to that specific purpose.
The Takeaway
While consent is a key pillar for processing employees’ personal data, it is not superior to other legal grounds. There is no hierarchy among the lawful bases.
An employer can process data without consent if they have a valid, justifiable, and proportionate reason, but they must be ready to defend it before the ODPC.
Is your workplace ODPC compliant?
Contact us: info@hrfleek.com

