Use of camera with facial recognition function for attendance recording and security purpose – Data Protection Principle 1
The complainant was a teacher. He was dissatisfied that his employer, a school, installed a camera with facial recognition function at the school entrance for attendance recording and security purpose without his knowledge and consent.
For collection of biometric data, PCPD is of the view that biometric data is sensitive data and data users must first consider the necessity of collecting such data. Data users must consider whether it is feasible to collect less sensitive data to achieve the same purpose. The means of collection must be fair in the circumstances, so data users have the obligations to ensure that data subjects are given a free and informed choice to choose whether to have their biometric data collected.
In this case, PCPD learnt that for security purpose, a closed-circuit television system had already been installed at the school entrance with a security guard stationed there. For attendance recording purpose, teachers were required to use access cards to enter and leave the school. PCPD also noted that the school had not given its employees a free and informed choice on the collection of their images by the camera.
Although the school stated that the installation of the camera was just for initial testing and it had subsequently removed the camera, PCPD considered that the school still needed to comply with the privacy protection requirements on handling biometric data. PCPD strongly advised the school to consider whether there are any less privacy intrusive alternatives to the collection of employees’ biometric data in future and formulate privacy policies for compliance with the PDPO.
In the digital era, the technology of using artificial intelligence to identify individuals is getting more sophisticated. Many employers may wish to use the technology for enhancing security and facilitating staff monitoring. Biometric data (e.g. DNA samples, fingerprints, facial features, etc.) is unique and immutable, and when it was being consolidated and analysed, a particular individual can be uniquely identified, so it is personal data under the PDPO and is regulated by the PDPO.
In this case, if the employer simply wanted to enhance security and facilitate monitoring of employees’ attendance, the employer should first consider adopting other less privacy intrusive alternatives to the collection of biometric data. If employers do not adopt these alternatives, they must have overriding reasons to justify the collection of biometric data and provide their employees with a choice to allow such collection or handling of their biometric data. Based on the principles of enhancing transparency and explainability, employers should inform all the affected employees of collection of biometric data in a simple and easily understandable way. Trust with employees can then be built.
Undoubtedly, technologies and artificial intelligence bring forth benefits and convenience. However, when the technologies involve collection or use of personal data, data users must carefully strike a balance between the benefits and protection of personal data privacy. While technologies are being used to facilitate businesses, individuals’ privacy right should also be respected.
(Uploaded in September 2020)