Information Centre

Investigation Report: Employer Collecting Employees' Fingerprint Data for Attendance Purpose

 


Date: 13 July 2009
Investigation Report: Employer Collecting Employees' Fingerprint Data for Attendance Purpose

1.    The Privacy Commissioner for Personal Data ("the Commissioner") Mr. Roderick B. Woo published today (13 July) a report ("the Report") on the result of an investigation of a complaint case carried out pursuant to section 38(a) of the Personal Data (Privacy) Ordinance ("the Ordinance").

2.    The case concerned the collection and recording of employees' fingerprint data for attendance purpose by a furniture company ("the Company").  After careful consideration of all the relevant facts, the Commissioner found that the Company's act of collecting employees' fingerprint data for attendance purpose was excessive and the means of collection was unfair, thus contravening the requirements of Data Protection Principle ("DPP") 1(1) and DPP1(2) of Schedule 1 to the Ordinance.  The Commissioner therefore served an enforcement notice on the Company pursuant to section 50 of the Ordinance directing it to cease collecting its employees' fingerprint data (unless prior express consent was given voluntarily by individual employee) and to destroy all fingerprint data so collected immediately.  Upon receipt of the enforcement notice, the Company stopped collecting its employees' fingerprint data, substituted passwords for fingerprints for recording attendance, and destroyed the fingerprint data in the system.

3.    In the wake of technological advancements, electronic devices can collect and store large volume of personal data.  However, improper handling may lead to personal data privacy problems, especially when sensitive personal data (e.g. fingerprints) are handled. Being a unique personal identifier, fingerprint data are irrevocable or unchangeable.  The harm caused by theft or unauthorized access, processing or use may be very serious and prominent.

4.    Mr. Woo commented on this case, "Before deciding to collect employees' fingerprint data, employers have to carry out careful assessment to ensure compliance with the requirements of the Ordinance, especially DPP1(1), i.e. the data are collected for a lawful purpose directly related to a function or activity of the employer, and in relation to that purpose, the fingerprint data are adequate but not excessive.  Employers also need to carefully assess whether the advantages of collecting employees' fingerprint data is outweighed by the attendant disadvantages."

5.    Mr. Woo reminded employers that if they contravened the requirements of the Ordinance, they had to bear the civil liability in damage of paying compensation to the employees.  Under section 66 of the Ordinance, a data subject who suffers damage (including injury to feelings) by reason of a contravention of a requirement under the Ordinance by a data user shall be entitled to compensation from that data user for that damage.

6.    In addition to this case, the Office of the Privacy Commissioner for Personal Data ("the PCPD") has handled a number of cases in relation to the collection of fingerprint data.

7.    A primary school used a fingerprint recognition system for recording its pupils' attendance, provision of library service and purchase of lunch.  Although the school emphasized that all its pupils provided their fingerprint data voluntarily, the Commissioner considered that the school had contravened the requirements of DPP1.  Mr. Woo explained, "We respect the decision of a data subject to provide his fingerprints voluntarily for a specific purpose.  However, it is essential that the consent must be made voluntarily and explicitly, otherwise it would not be treated as a genuine and valid consent.  It is crucial whether the data subject possesses the requisite mental capacity to understand the adverse impact brought by the provision of his fingerprints.  Moreover, data users should not collect fingerprint data from minors indiscriminately because this may weaken their awareness of protecting their personal data privacy in future."

8.    A company collected its employees' fingerprint data for attendance and security purposes by using a fingerprint recognition system.  Upon investigation, the PCPD found that the company did not offer a free choice to its employees in the provision of their fingerprint data, and did not inform them of the purpose of collection and whether there were any other options.  The Commissioner was of the view that the collection of employees' fingerprint data by the company was unnecessary and excessive.  Subsequently, the company took remedial action by allowing its employees to use passwords as a substitute for fingerprint data.

9.    However, if the system has not actually collected employees' "personal data", it is not within the jurisdiction of the Ordinance or the Privacy Commissioner.  For example, there is a kind of fingerprint recognition system that can convert certain features of the fingerprint into a unique value and store it in the smart card held by an employee.  For verification, the employee needs to put his finger and the smart card on the recognition system.  As the employer has not collected employees' fingerprint data or the value, he has not collected any "personal data" as defined in the Ordinance.

10.    In summary, the PCPD is of the view that:

(1)    Organizations should not collect fingerprint data merely for attendance purpose.  Whether or not features of the fingerprints are converted into value, such an act amounts to collection of excessive personal data and contravenes the requirements of DPP1(1), unless the genuine consent of the data subject has been obtained;

(2)    If a data subject provides his fingerprint data voluntarily for a particular purpose, the application of the DPPs should not override the data subject's right to information self-determination.  The PCPD will respect his consent  if given voluntarily and explicitly;

(3)    Fingerprint data should not be collected from minors, regardless of any consent given by them (see paragraph 7 above);

(4)    Before collecting employees' fingerprint data for attendance purpose, employers must offer employees a free choicein providing their fingerprint data, and they must be informed of the purpose of collection and given other less privacy intrusive options (e.g. using smart cards or passwords);

(5)    The means of collecting employees' fingerprint data must be fair.  Employees should give their consent voluntarily to the collection of their fingerprint data without undue pressure from the employer and having the choices of other options; otherwise there may be contravention of the requirements of DPP1(1) and DPP1(2).

(6)    If the act does not involve the collection of "personal data", it is outside the jurisdiction of the Ordinance or the Privacy Commissioner.

11. The Report is available for download from PCPD's website (www.pcpd.org.hk/english/publications/invest_report.html), and copies can also be collected at the Commissioner's Office.


Supplemental to the earlier press release released today


1.    The Privacy Commissioner Mr. Roderick B Woo issued an investigation report today in the accompanying press release mentioned a primary school which at one time used a fingerprint recognition system for recording its pupils' attendance, provision of library service and purchase of lunch.

2.    In that case, the PCPD explained to the school the provisions and requirements of the Personal Data (Privacy) Ordinance.  The school responded that as educators they were very concerned about protecting students' personal data privacy and would set a good example in handling their personal data with great care.  Afterwards, the school ceased using the fingerprint reader system and destroyed all the fingerprint data of pupils.  Mr. Woo said, "I was pleased that the school followed my advice and took swift remedial action.  I was very satisfied with the end result."




END







 

Back to top

End of Page

[Media Statement] [Speeches, Articles & Papers] [Exhibition Materials] [Other Related Websites] [Archive] [Other Resources] [On-line Self Training] [Submissions to Public Consultation] [Privacy Commissioner's response following former Deputy Commissioner's conviction] [Response to the loss of medical data by Department of Health] [Privacy Commissioner commits himself to securing patients' data] [Privacy Commissioner commences inspection against Hospital Authority] [Response to data leakage by Immigration Department] [Response to data loss by HSBC] [Privacy is Your Business International Privacy Video Competition] [Privacy Commissioner strives to promote protection of personal data privacy] [Response following former Deputy Commissioner's conviction] [The Privacy Commissioner's clarification on criminalizing data leakage] [The Privacy Commissioner responds to media report today that] [Response to data leakage by the Police] [Progress of Inspection Against Hospital Authority] [The Director of Immigration Department signed formal undertaking] [Speech by Privacy Commissioner at the special meeting of Legislative Council Panel on Home Affairs] [Response to data loss incidents by The Hongkong and Shanghai Banking Corporation Limited] [The Privacy Commissioner completes the Inspection of the Hospital Authority's Personal Data System] [Privacy Commissioner Publishes Inspection Report on Hospital Authority] [Privacy Commissioner explains recommendations on the protection of patients' data privacy] [Privacy Commissioner accepts an Undertaking by HSBC] [Privacy is Your Business International Privacy Video Competition Prize Presentation Ceremony] [Response to Judgment of judicial review application by Cathay Pacific] [Privacy Commissioner welcomes HA's effort to enhance patient data privacy] [Statement by the Privacy Commissioner Following the Judgment made in HCAL 50/2008] [PCPD received a letter from CX Flight Attendants Union] [Impact of Technology on Data Privacy] [Privacy Commissioner responds to taxi industry's proposal of installing CCTVs in taxis] [United Christian Hospital's loss of patients' data] [Privacy Commissioner hosts the 31st APPA Forum] [Privacy Commissioner urges job seekers to be careful when providing personal data] [Launch of a booklet on protection of personal data] [Investigation Report: Employer Collecting Employees' Fingerprint Data for Attendance Purpose] [The Recruitment of Deputy Privacy Commissioner (DPC)] [Response to Media Report on the Use of Fingerprint Recognition System by a School] [Privacy Commissioner Responds to Public Enquiries about the Issue of] [Investigation Report: Tutorial Centre Using a Student's Results Notice for Promotion without the Student's Consent] [Privacy Commissioner Welcomes Hospital Authority's New Measures on the Protection of Patients' Personal Data] [Investigation Report: Food Company Collecting Participants' Personal Data in Lucky Draw Activity] [Privacy Commissioner Responds to] [The need to ensure that individuals are identified by the correct personal identifiers: the case of identification of new born babies] [Public Consultation on Ordinance Review] [] [Response to Media Report on Searching for Others' Personal Data on the Internet] [Privacy Commissioner attended the 31st International Conference of Data Protection and Privacy Commissioners] [Response to Media Enquiries] [The "Value-for-money" Audit Report on PCPD issued by the Director of AuditThe] [Protective measures taken by the Hospital Authority which enhance the protection of new born babies and the accuracy of their personal data] [The Privacy Commissioner issued two investigation reports on data access request fee charged by data users and the proper handling of personal data transferred by data users to their debt collection agency] [A personal statement by Roderick Woo, the Privacy Commissioner] [Office of the Privacy Commissioner for Personal Data's Annual Report won international awards for three consecutive years] [Privacy Commissioner Launches Privacy Awareness Week 2010] [Response to recent discussion about third parties' requests for patients data] [Opinion Survey: Senior Citizens' Attitudes and Perceptions towards Personal Data Privacy] [Public Seminar on] [Privacy Campaign for Insurers] [Google collected Wi-Fi data] [Google collected Wi-Fi data in Hong Kong] [Google collected Wi-Fi data in Hong Kong] [Privacy Commissioner attended the 33rd Asia Pacific Privacy Authorities Forum] [Privacy Commissioner responds to a local magazine's editorial on privacy issues] [Privacy Commissioner Publishes Guidance Note on Data Breach Handling and the Giving of Breach Notifications] [Privacy Commissioner responds to an opinion survey report on Octopus cards and privacy issues] [Privacy Commissioner's Finding against HSBC was set aside by the Administrative Appeals Board] [The Personal Data (Privacy) Ordinance and Octopus Card System] [Privacy Commissioner initiates investigation on the Octopus] [Privacy Commissioner Publishes Information Leaflet on Privacy Impact Assessment] [Privacy Commissioner published new revised edition of a book to provide in-depth interpretation] [The Privacy Commissioner gives interim report on the investigation of Octopus] [The Privacy Commissioner Completed the Compliance Check on Google's Collection of Wi-Fi Payload Data] [The Privacy Commissioner has completed a Privacy Compliance Assessment Report on the Smart Identity Card System] [Collection of Visitors' Fingerprint Data by a Theme Park] [Investigation Report: Beauty Centre Transferring a Client's Personal Data to a Third Party without the Client's Consent] [Hong Kong Letter - Roderick Woo, Privacy Commissioner for Personal Data] [Mr. Allan Chiang took office as Privacy Commissioner] [A short video introducing the Personal Data (Privacy) Ordinance] [Privacy Commissioner reminds data users of the requirements of the Ordinance when engaging direct marketing activities] [PCPD joined APEC Cross-border Privacy Enforcement Arrangement] [Privacy Commissioner discussed organizations’ collection and use of personal data for direct marketing with a political commentary group] [Amended Data Access Request Form takes effect] [Response to media reports on the attendance records of the Personal Data (Privacy) Advisory Committee] [Privacy Commissioner completed investigation on Octopus Holdings Ltd] [Multi-media Information] [Investigation Report – Octopus Rewards Program] [Privacy Commissioner publishes Guidance on the Collection and Use of Personal Data in Direct Marketing] [Privacy Commissioner responds to Government's proposals on Review of the Personal Data (Privacy) Ordinance] [PCPD's Statement regarding investigations into the Octopus Group of Companies] [Hong Kong Letter - Allan Chiang, Privacy Commissioner for Personal Data] [Investigation Report: A Telecommunications Company Authorized Another Company to Conduct Telemarketing] [A Personal Statement by Mr. Allan CHIANG in response to media reports on his handling of a personal data privacy case when he was Postmaster General in 2005] [A Personal Statement by Mr. Allan CHIANG in response to media reports on his handling of personal data privacy cases when he was Postmaster General from 2003 to 2006] [Online Survey of the] [PCPD's Submission in response to Report on Public Consultation on Review of the Personal Data (Privacy) Ordinance] [The Sharing of Mortgage Data for Credit Assessment] [Public Forum on Proposed Revisions to the Code of Practice on Consumer Credit Data] [Privacy concerns about resumption of Google Street View car operation] [Public Consultation on the Sharing of Mortgage Data for Credit Assessment Ended] [Consumer Roadshow on Protection of Personal Data] [Consultation Report on the Sharing of Mortgage Data for Credit Assessment] [Amendments to Code of Practice on Consumer Credit Data To Take Effect]

[About PCPD] [The Ordinance] [PCPD Activities] [Information Centre] [Personal Data Privacy Liberal Studies] [Privacy Zone for Youngsters]
[Publications & Videos] [Enquiries & Complaints] [Case Notes] [Contact Us] [Search] [Site Directory] [Graphical Version]
[Chinese Version]

Notice/Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved. Disclaimer