Investigation
Report: Employer Collecting Employees' Fingerprint Data for Attendance
Purpose
1. The Privacy Commissioner for Personal Data ("the
Commissioner") Mr. Roderick B. Woo published today (13 July) a
report ("the Report") on the result of an investigation of a complaint
case carried out pursuant to section 38(a) of the Personal Data
(Privacy) Ordinance ("the Ordinance").
2. The case concerned the collection and recording of
employees' fingerprint data for attendance purpose by a furniture
company ("the Company"). After careful consideration of all the
relevant facts, the Commissioner found that the Company's act of
collecting employees' fingerprint data for attendance purpose was
excessive and the means of collection was unfair, thus contravening the
requirements of Data Protection Principle ("DPP") 1(1) and DPP1(2) of
Schedule 1 to the Ordinance. The Commissioner therefore served an
enforcement notice on the Company pursuant to section 50 of the
Ordinance directing it to cease collecting its employees' fingerprint
data (unless prior express consent was given voluntarily by individual
employee) and to destroy all fingerprint data so collected
immediately. Upon receipt of the enforcement notice, the Company
stopped collecting its employees' fingerprint data, substituted
passwords for fingerprints for recording attendance, and destroyed the
fingerprint data in the system.
3. In the wake of technological advancements,
electronic devices can collect and store large volumes of personal
data. However, improper handling may lead to personal data
privacy problems, especially when sensitive personal data (e.g.
fingerprints) are handled. Being a unique personal identifier,
fingerprint data cannot be revoked or changed once compromised. The harm caused
by theft or unauthorized access, processing or use may therefore be very serious
and prominent.
4. Mr. Woo commented on this case, "Before deciding
to collect employees' fingerprint data, employers have to carry out
careful assessment to ensure compliance with the requirements of the
Ordinance, especially DPP1(1), i.e. the data are collected for a lawful
purpose directly related to a function or activity of the employer, and
in relation to that purpose, the fingerprint data are adequate but not
excessive. Employers also need to carefully assess whether the
advantages of collecting employees' fingerprint data are outweighed by
the attendant disadvantages."
5. Mr. Woo reminded employers that if they
contravened the requirements of the Ordinance, they had to bear
civil liability in damages, i.e. paying compensation to the
employees. Under section 66 of the Ordinance, a data subject who
suffers damage (including injury to feelings) by reason of a
contravention of a requirement under the Ordinance by a data user shall
be entitled to compensation from that data user for that damage.
6. In addition to this case, the Office of the
Privacy Commissioner for Personal Data ("the PCPD") has handled a
number of cases in relation to the collection of fingerprint data.
7. A primary school used a fingerprint recognition
system for recording its pupils' attendance, provision of library
service and purchase of lunch. Although the school emphasized
that all its pupils provided their fingerprint data voluntarily, the
Commissioner considered that the school had contravened the
requirements of DPP1. Mr. Woo explained, "We respect the decision
of a data subject to provide his fingerprints voluntarily for a
specific purpose. However, it is essential that the consent must
be made voluntarily and explicitly, otherwise it would not be treated
as a genuine and valid consent. It is crucial whether the data
subject possesses the requisite mental capacity to understand the
adverse impact brought by the provision of his fingerprints.
Moreover, data users should not collect fingerprint data from minors
indiscriminately because this may weaken their awareness of protecting
their personal data privacy in future."
8. A company collected its employees' fingerprint
data for attendance and security purposes by using a fingerprint
recognition system. Upon investigation, the PCPD found that the
company did not offer a free choice to its employees in the provision
of their fingerprint data, and did not inform them of the purpose of
collection and whether there were any other options. The
Commissioner was of the view that the collection of employees'
fingerprint data by the company was unnecessary and excessive.
Subsequently, the company took remedial action by allowing its
employees to use passwords as a substitute for fingerprint data.
9. However, if the system has not actually collected
employees' "personal data", it is not within the jurisdiction of the
Ordinance or the Privacy Commissioner. For example, there is a
kind of fingerprint recognition system that converts certain
features of the fingerprint into a unique value and stores it only on the
smart card held by the employee. For verification, the employee
presents both his finger and the smart card to the recognition
system, which compares the two. As the employer has retained neither the employees' fingerprint
data nor the value, he has not collected any "personal data" as defined
in the Ordinance.
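A model of the two system designs contrasted in paragraph 9, added here as an illustration and not part of the PCPD's release: the conversion of fingerprint features into a value is a constructed stand-in (a hash, assuming the reader extracts identical feature bytes on every presentation, which real fuzzy matchers do not guarantee), and the class names and employee identifiers are assumptions. The point it shows is what the employer ends up holding in each design.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple


def feature_value(features: bytes) -> str:
    """Constructed stand-in for the reader converting fingerprint features
    into a unique value. Assumes extraction yields identical bytes each time."""
    return hashlib.sha256(features).hexdigest()


class CentralStore:
    """Design in paragraph 8: the employer keeps every employee's
    fingerprint-derived value, i.e. it holds personal data."""

    def __init__(self) -> None:
        self.templates: Dict[str, str] = {}
        self.attendance: List[Tuple[str, str]] = []

    def enrol(self, employee_id: str, features: bytes) -> None:
        self.templates[employee_id] = feature_value(features)

    def verify(self, employee_id: str, features: bytes, when: str) -> bool:
        ok = employee_id in self.templates and hmac.compare_digest(
            self.templates[employee_id], feature_value(features))
        if ok:
            self.attendance.append((employee_id, when))
        return bool(ok)

    def retained_biometric_records(self) -> int:
        return len(self.templates)


class SmartCard:
    """Card held by the employee; the value is written once and compared on card."""

    def __init__(self, employee_id: str, value: str) -> None:
        self.employee_id, self._value = employee_id, value

    def matches(self, candidate: str) -> bool:
        return hmac.compare_digest(self._value, candidate)


class TemplateOnCard:
    """Design in paragraph 9: the employer records attendance only (who, when)
    and never stores the fingerprint or the derived value."""

    def __init__(self) -> None:
        self.attendance: List[Tuple[str, str]] = []

    def enrol(self, employee_id: str, features: bytes) -> SmartCard:
        return SmartCard(employee_id, feature_value(features))  # nothing kept here

    def verify(self, card: SmartCard, features: bytes, when: str) -> bool:
        ok = card.matches(feature_value(features))
        if ok:
            self.attendance.append((card.employee_id, when))
        return ok

    def retained_biometric_records(self) -> int:
        return 0  # the employer's system holds no biometric data by design
```

In both designs the attendance record itself is identical (employee identifier and time), which is the page's point that the biometric value is not needed for the attendance purpose.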
10. In summary, the PCPD is of the view that:
(1) Organizations should not collect fingerprint data
merely for attendance purpose. Whether or not features of the
fingerprints are converted into value, such an act amounts to
collection of excessive personal data and contravenes the requirements
of DPP1(1), unless the genuine consent of the data subject has been
obtained;
(2) If a data subject provides his fingerprint data
voluntarily for a particular purpose, the application of the DPPs
should not override the data subject's right to information
self-determination. The PCPD will respect his consent if
given voluntarily and explicitly;
(3) Fingerprint data should not be collected from
minors, regardless of any consent given by them (see paragraph 7 above);
(4) Before collecting employees' fingerprint data for
attendance purpose, employers must offer employees a free choice in
providing their fingerprint data, and they must be informed of the
purpose of collection and given other less privacy-intrusive options
(e.g. using smart cards or passwords);
(5) The means of collecting employees' fingerprint
data must be fair. Employees should give their consent
voluntarily to the collection of their fingerprint data without undue
pressure from the employer and having the choice of other options;
otherwise there may be contravention of the requirements of DPP1(1) and
DPP1(2);
(6) If the act does not involve the collection of
"personal data", it is outside the jurisdiction of the Ordinance or the
Privacy Commissioner.
11. The Report is available for download from PCPD's website
(www.pcpd.org.hk/english/publications/invest_report.html), and copies
can also be collected at the Commissioner's Office.
Supplemental
to the earlier press release released today
1. The investigation report issued today by the Privacy
Commissioner Mr. Roderick B. Woo, described in the accompanying press release,
mentioned a primary school which at one time used a fingerprint
recognition system for recording its pupils' attendance, provision of
library service and purchase of lunch.
2. In that case, the PCPD explained to the school the
provisions and requirements of the Personal Data (Privacy)
Ordinance. The school responded that as educators they were very
concerned about protecting students' personal data privacy and would
set a good example in handling their personal data with great
care. Afterwards, the school ceased using the fingerprint reader
system and destroyed all the fingerprint data of pupils. Mr. Woo
said, "I was pleased that the school followed my advice and took swift
remedial action. I was very satisfied with the end result."
END