From time to time we receive questions from organisations about how implementing a time and attendance system that captures biometric data can align with the requirements of the General Data Protection Regulation (GDPR).
Employers understand that GDPR has a wide-ranging effect on many aspects of their business. At first, many felt that GDPR legislation would be difficult to navigate; nevertheless, businesses have already learnt to do so. The same can be said for workforce management solutions, such as time and attendance and access control, which make use of biometric data to identify employees for purposes such as clocking in and out or granting access to a building.
Armed with an understanding of the basic principles of GDPR regarding biometric data capture, you can assure yourself that you are using processes that are compliant with the law.
In this blog we aim to help users to understand the requirements relating to biometric data and GDPR and how they can be managed within the scope of using biometric data capture devices.
What is biometric data capture?
Under GDPR, biometric data is defined as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic (fingerprint) data”. This encompasses fingerprint and facial recognition.
Advantages of biometrics in workforce management solutions
Biometrics-based systems have grown in popularity with businesses because of their accuracy, speed, and the way they improve security. It eliminates problems such as “buddy-punching” and greatly improves site security as the individual present at the device must be the person enrolled to clock in or gain access. Gone are the days dealing with lost, stolen, or borrowed cards and you can be assured that those on site are authorised to be there – plus, users don’t need to worry about forgetting PINs or passes.
Some facial recognition devices also have the added benefit, in the current climate of biosecurity awareness, of working in a touch-free way.
How is biometric data treated under GDPR?
Biometric data is considered to belong to the most sensitive category of data, known as “special category data”; but this isn’t unique, and employers shouldn’t fear it.
There are many other types of data that employers can collect and are already processing that’s in the same category. They will already have an awareness of how to manage biometric data in accordance with GDPR requirements for special category data.
When managing data under GDPR, there exist general principles that guide the management of personal data, including lawfulness and fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation and accountability. There should be a clear purpose for collecting and processing this type of data and consideration must be given to whether it is proportionate or whether there is another, less intrusive path to the same end.
As a guide for employers to determine whether data processing is proportionate, a specific condition for processing special category data must be defined. The following are all reasons that can justify the use of biometric devices, and only one of them needs to apply:
- It must be essential for reasons of public interest
- It must be critical in protecting the vital interests of the data subjects (employees)
- It must be necessary for the purposes of carrying out obligations, and exercising the specific rights of the data controller (employer), or of the data subjects, in the fields of employment, social security and social protection law
- The data subjects have given explicit consent to biometric processing
You can resolve the question of proportionality by completing a Data Protection Impact Assessment during your planning stage. Again, this applies to all the data you control, so many employers will already be aware of how this should be managed. Managing biometric data under GDPR may not be as alien as you first feared.
How do Synel systems address GDPR requirements?
Articles in the press, such as a recent BBC story (Convenience store spy cameras face legal challenge) can raise concerns about the legitimacy of using biometric data. However, it’s important to understand that the ways that systems are utilised, and the uses that the data they collect are put to, make a substantial difference in how they comply with GDPR.
General surveillance systems, for example, can capture and compare individuals’ biometrics against a database and even capture images without their knowledge. None of this happens with data used by solutions such as Synel’s Synergy Time & Attendance or Synergy Access systems.
The biometric devices used in these types of workforce management solutions require a person to be present and actively enrol but a person’s image isn’t captured or stored. Instead, a template is created using a proprietary algorithm. This algorithm can’t use the data to create an image of the person, but when the person presents their finger or face to the machine, it will match the template and identify the person.
These templates are stored on the devices, but the biometric templates are encrypted, and all stored biometric data can be immediately destroyed, in accordance with GDPR, at the end of use – which usually means at the end of employment when the data is no longer required. What’s more, end-to-end HTTPS connections are incorporated for additional security between the device and the platform.
The use of biometric identification has been an accepted technology for a quarter of a century and Synel UK ensures that our products go through a rigorous GDPR compliance procedure.
Establishing and operating GDPR-compliant systems
The use of biometric data for recording attendance or gaining entry to a site is widely recognised as an accepted use of the technology. Synel has supplied and installed tens of thousands biometric terminals for these purposes all over the world because they are a fast and reliable method of authenticating employees.
Our latest Synergy 5 and Synergy 10 Data Capture Terminals which are available with fingerprint, facial, and even dual fingerprint/facial recognition technology have evolved out of Synel UK’s experience in supplying biometric solutions to industry for over 20 years. We have a deep understanding of the biometric solutions market, along with its legal framework.
If you are considering introducing a time and attendance or access control solution to your organisation and would like to discuss using biometric data, contact our team for clear and concise advice about your legal obligations and how to plan for them.
Using biometric data doesn’t have to be complicated in order to be GDPR compliant.
