Privacy Commissioner Responds to Public Enquiries about the Issue of “Employer Collecting Employees’ Fingerprint Data for Attendance Purpose”
1. Since the publication of a report on the
collection and recording of employees’ fingerprint data for work
attendance purpose by the Privacy Commissioner for Personal Data (“the
Commissioner”) on 13 July, the Office of the Privacy Commissioner for
Personal Data ("the PCPD") has received numerous enquiries. The
following are the questions commonly asked. The Commissioner
believes that publishing the answers to them can help the public
better understand the stance of the PCPD.
2. According to the Data Protection Principle ("DPP")
of the Personal Data (Privacy) Ordinance ("the Ordinance") on the
collection of personal data (including fingerprint data), personal data
shall only be collected for a lawful purpose directly related to a
function or activity of the data user, the means of collection must be
lawful and fair, and the data collected must be adequate but not excessive.
Can employers collect employees' fingerprint data for attendance purpose?
3. If employers collect employees' fingerprint data
for the purpose of recording attendance (without complying with the
requirements below), they may contravene DPP1(1) and DPP1(2).
However, if employees provide their fingerprint data voluntarily, the
PCPD will respect their right to information self-determination and
will not interfere. Even so, employers must:
(i) inform the employees of the purpose of collection;
(ii) collect employees' fingerprint data by lawful
and fair means. The employee's consent must be given voluntarily.
There should be no pressure from the employer who should also provide
other less privacy intrusive options to employees (e.g. smart cards or
passwords).
What steps must employers take before installing fingerprint recognition systems?
4. Before deciding to collect employees' fingerprint
data for monitoring employees' attendance, employers must carefully
consider whether it is necessary to do so and adopt good practices
which should include consultation with employees, provision of less
privacy intrusive options (e.g. smart cards or passwords),
implementation of privacy protective measures (e.g. data cannot be
downloaded from the server; the server containing the data must be
placed in high security area), formulation of privacy policies (e.g.
specify the duration of retention of data), and control measures (e.g.
only authorized staff are allowed to access the data in the system) and
generally, to ensure compliance with the DPPs of the Ordinance. They
must not require those employees who withhold their consent to use the
system.
Does collection of selected features of fingerprints constitute collection of "personal data"?
5. Some technology suppliers claim that since their
fingerprint recognition systems only collect certain features of the
fingerprint (and not the entire image), and these are then converted
into a template, the systems do not in fact collect the fingerprints of
the data subjects, hence no collection of "personal data". It
should however be noted that biometric systems usually collect only
some features of the human body for analysis and comparison. It
cannot be said that the collection of these features does not amount to
collection of "personal data". As an employee's biometric data
are unique and the employer holds some other data of the employees, the
identity of the employee can be directly ascertained. The truth
is that the employer uses such a system to identify the employee who
puts his finger on the recognition system. Plainly, there is a
collection of "personal data" relating to the employee concerned.
Must employers dismantle fingerprint recognition systems already installed?
6. The PCPD does not require all employers to
dismantle fingerprint recognition systems already installed for
attendance monitoring purpose. However, they should review if
they have obtained the voluntary consent of their employees, offered
them other options and complied with the DPPs of the Ordinance,
including accuracy and duration of retention of data, and the use and
security of fingerprint data. The system should not apply to those
employees whose voluntary consent has not been given. Their
fingerprint data, if previously collected, should be erased.
Can employers collect employees' fingerprint data for protection of business assets?
7. Employers may install fingerprint recognition
systems for protection of their business assets such as
secret/sensitive data or highly valuable items. The system should
only be installed and operated in high security or restricted areas,
and only fingerprint data of the employees permitted to enter such
areas are to be collected. Even so, employers still need to comply with
the relevant DPPs.
Can employers collect employees' palm prints or iris patterns for attendance purpose apart from "fingerprint data"?
8. If employers collect employees' palm prints or
iris patterns for the purpose of monitoring attendance, they must comply with
the requirements and steps mentioned in paragraphs 3 and 4.
Can schools collect young children's fingerprint data for attendance purpose?
9. The Commissioner objects in principle to the
collection of fingerprint data from young school children. The
Commissioner is concerned that they may not possess the requisite
mental capacity to clearly understand the adverse impact brought by the
collection and use of their fingerprint data. The Commissioner
said, "Schools should not collect fingerprint data from young children
indiscriminately. Young children represent the next generation and I
believe that schools should instill a sense of privacy rights
protection in them. If they are required to give away their
fingerprint data in schools just for attending classes, their privacy
awareness will be weakened." Collection of students' fingerprint
data merely for attendance purpose is unnecessary and excessive,
contrary to the requirements of DPP1(1) of the Ordinance. Schools
should consider using other less privacy intrusive methods.
END