Media Statement - Excessive and Unfair Collection of Employees’ Fingerprint Data by a Fashion Trading Company for Monitoring Staff Attendance

Date: 21 July 2015

Excessive and Unfair Collection of Employees’ Fingerprint Data by a Fashion Trading Company for Monitoring Staff Attendance

(21 July 2015) The Office of the Privacy Commissioner for Personal Data (“PCPD”) today published an investigation report on the collection of employees’ fingerprint data by Queenix (Asia) Limited, a fashion trading company (“Company”), for safeguarding office security and monitoring staff attendance. PCPD considered such data collection excessive and unfair.

2. At the press conference held today, Mr Allan Chiang, the Privacy Commissioner for Personal Data (“Commissioner”) said, “As the use of the fingerprint recognition devices becomes increasingly common, it is imperative that privacy and data protection are not compromised. The use of fingerprint recognition devices by the Company is a vivid example of preferring the convenience and affordability of such devices to the neglect of the underlying privacy concerns. The case illustrates how privacy rights could be sacrificed on the altar of technology if people fail to understand and assess the privacy risks which technology can generate. Technology is certainly to be embraced because it works wonders but irresponsible use of technology must be discouraged.”

The Commissioner’s Findings and Determination

3. The Commissioner has the following observations:-

  1. Given the uniqueness and immutability of fingerprint data it must be protected against identity theft or misappropriation. Hence it should be collected and used only when justified.
  2. The Company had already installed several security devices to safeguard its property, including CCTV cameras, digital locks, ordinary door locks and a chain lock. These all render the fingerprint recognition devices redundant as a night-time security device.
  3. The Company had experienced several day-time theft incidents which were all committed by its staff and customers. As such, the installation of the fingerprint recognition devices to prevent unauthorised entry would not help prevent these thefts. The existing CCTV cameras, which detected the thefts and identified the culprits, appear to be a more effective security means.
  4. The Company had only 20 employees. Hence it would be relatively easy to monitor staff attendance using less privacy intrusive means instead of the use of a fingerprint recognition device. These alternative means, such as a password or a smartcard, could well involve no additional collection or retention of personal data.

4. Based on these findings, the Commissioner finds the collection of employees’ fingerprint data by the Company was excessive, thereby contravening Data Protection Principle (“DPP”)1(1) of the Personal Data (Privacy) Ordinance.

5. The Commissioner also finds the data collection unfair in the circumstances of the case, as the employees were neither provided with the choice to opt for other alternatives to fulfil the purposes of safeguarding office security and monitoring staff attendance, nor informed of the privacy risks involved and the measures to prevent wrongful collection and misuse. This is tantamount to a contravention of DPP1(2).

Enforcement Action

6. An Enforcement Notice was served on the Company directing it to destroy all fingerprint data collected from the Company’s present and past employees, and to cease collecting its employees’ fingerprint data.

The Commissioner’s Recommendations

7. Fingerprint data is highly sensitive personal data because fingerprint is a unique physiological trait which an individual is born with. Fingerprint can irrefutably identify an individual and it remains unchanged throughout his lifetime. To mitigate against the privacy risks of identity theft or misappropriation, fingerprint data should be collected only when justified, and used with appropriate procedural and technological safeguards to prevent unauthorised access to and use of the data.

8. Before collecting fingerprint data, an organisation must satisfy itself that this is necessary to meet a specific need and there is no other less privacy-intrusive means which could be equally effective to serve the same need. A fingerprint recognition device should not be used simply because it is readily available, convenient and cost-effective. It may be an appropriate tool to control entry to high security areas but to apply it merely for checking staff attendance would be questionable.

9. Where the use of fingerprints is justified, the organisation would need to further consider the number of fingers that needs to be engaged and the amount of fingerprint data (in terms of minutiae and non-minutiae information) that needs to be collected to achieve a desired level of accuracy in identification or authentication of individuals. In general, the required data is directly proportional to the number of persons to be identified or authenticated.

10. Further, employers should not exert undue influence or threaten employees when seeking to gain the latter’s consent to collect their fingerprint data, as such conduct would amount to unfair collection of personal data. In this regard, one needs to bear in mind the disparity in bargaining power between an employer and his employees as the latter may hesitate to decline to provide his fingerprint when asked to do so. Hence, unless the employer offers to the employees options other than the collection of fingerprint data, the consent of the employees obtained might not be regarded as genuine. In addition, the consent must be unambiguous and informed. In other words, the employees have to be told of the privacy risks associated with the collection and use of fingerprint.

11. Further details on the procedural and technological safeguards for the collection and use of fingerprint data are found in the “Guidance on Collection and Use of Biometric Data” (www.pcpd.org.hk/english/resources_centre/publications/files/GN_biometric_e.pdf) published by the PCPD. The guidance provided also applies to other biometric data used for recognition purposes including DNA, retinal scans, facial image, palm vein image, and handwriting pattern.

Read the Investigation Reports online: (www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/files/R15_2308_e.pdf)

-END-