Date: 16 July 2009
Privacy Commissioner Responds to Public Enquiries about the Issue of “Employer Collecting Employees’ Fingerprint Data for Attendance Purpose”


1.    Since the publication of a report on the collection and recording of employees’ fingerprint data for work attendance purpose by the Privacy Commissioner for Personal Data (“the Commissioner”) on 13 July, the Office of the Privacy Commissioner for Personal Data ("the PCPD") has received numerous enquiries.  The following are the questions commonly asked.  The Commissioner believes that publishing the answers to them can help the public to better understand the stance of the PCPD.

2.    According to the Data Protection Principle ("DPP") of the Personal Data (Privacy) Ordinance ("the Ordinance") on the collection of personal data (including fingerprint data), personal data shall only be collected for a lawful purpose directly related to a function or activity of the data user, the means of collection must be lawful and fair, and the data collected must be adequate but not excessive.

Can employers collect employees' fingerprint data for attendance purpose?

3.    If employers collect employees' fingerprint data for the purpose of recording attendance (without complying with the requirements below), they may contravene DPP1(1) and DPP1(2).  However, if employees provide their fingerprint data voluntarily, the PCPD will respect their right to information self-determination and will not interfere.  Even so, employers must:
(i)    inform the employees of the purpose of collection;
(ii)   collect employees' fingerprint data by lawful and fair means.  The employee's consent must be given voluntarily. There should be no pressure from the employer, who should also provide other less privacy-intrusive options to employees (e.g. smart cards or passwords).

What steps must employers take before installing fingerprint recognition systems?

4.    Before deciding to collect employees' fingerprint data for monitoring employees' attendance, employers must carefully consider whether it is necessary to do so and adopt good practices, which should include consultation with employees, provision of less privacy-intrusive options (e.g. smart cards or passwords), implementation of privacy protective measures (e.g. data cannot be downloaded from the server; the server containing the data must be placed in a high security area), formulation of privacy policies (e.g. specifying the duration of retention of data), and control measures (e.g. only authorized staff are allowed to access the data in the system), and generally ensure compliance with the DPPs of the Ordinance. They must not require those employees who withhold their consent to use the system.

Does collection of selected features of fingerprints constitute collection of "personal data"?

5.    Some technology suppliers claim that since their fingerprint recognition systems only collect certain features of the fingerprint (and not the entire image), and these are then converted into a template, the systems do not in fact collect the fingerprints of the data subjects, and hence there is no collection of "personal data".  It should however be noted that biometric systems usually collect only some features of the human body for analysis and comparison.  It cannot be said that the collection of these features does not amount to collection of "personal data".  As an employee's biometric data are unique and the employer holds some other data of the employees, the identity of the employee can be directly ascertained.  The truth is that the employer uses such a system to identify the employee who puts his finger on the recognition system.  Plainly, there is a collection of "personal data" relating to the employee concerned.

Must employers dismantle fingerprint recognition systems already installed?

6.    The PCPD does not demand that all employers dismantle fingerprint recognition systems already installed for attendance monitoring purpose.  However, they should review whether they have obtained the voluntary consent of their employees, offered them other options and complied with the DPPs of the Ordinance, including accuracy and duration of retention of data, and the use and security of fingerprint data. The system should not apply to those employees whose voluntary consent has not been given. Their fingerprint data, if previously collected, should be erased.

Can employers collect employees' fingerprint data for protection of business assets?

7.    Employers may install fingerprint recognition systems for protection of their business assets such as secret/sensitive data or highly valuable items.  The system should only be installed and operated in high security or restricted areas, and only fingerprint data of the employees permitted to enter such areas are to be collected. Even so, employers still need to comply with the relevant DPPs.

Can employers collect employees' palm prints or iris patterns for attendance purpose apart from "fingerprint data"?

8.    If employers collect employees' palm prints or iris patterns for the purpose of monitoring attendance, they must comply with the requirements and steps mentioned in paragraphs 3 and 4.

Can schools collect young children's fingerprint data for attendance purpose?

9.    The Commissioner objects in principle to the collection of fingerprint data from young school children.  The Commissioner is concerned that they may not possess the requisite mental capacity to clearly understand the adverse impact brought by the collection and use of their fingerprint data.  The Commissioner said, "Schools should not collect fingerprint data from young children indiscriminately. Young children represent the next generation and I believe that schools should instill a sense of privacy rights protection in them.  If they are required to give away their fingerprint data in schools just for attending classes, their privacy awareness will be weakened."  Collection of students' fingerprint data merely for attendance purpose is unnecessary and excessive, contrary to the requirements of DPP1(1) of the Ordinance.  Schools should consider using other less privacy-intrusive methods.

