Globally speaking, labour law strives to protect the privacy and personal information of employees. Employers must often register with a jurisdiction’s data protection authority before processing even the most basic personal information regarding their workforce.
Tighter controls are placed on more sensitive personal data. At the extreme, arguably the most sensitive is biometric data: uniquely identifying biological information such as fingerprints, iris scans and DNA.
While a request for such information in the course of usual business would undoubtedly be considered overzealous, the employer may be able to obtain it if a genuine business need arises. For instance, the employee may need to attend a high-security workplace which requires iris-recognition for entry. They may work in a forensic laboratory where a DNA sample is required, to rule out cross-contamination.
Genuine and Explicit Consent
The issue is generally one of obtaining the employee’s consent. However, this consent has to be both explicit and genuine, and jurisdictions have different procedures in place to make sure that this is the case.
Most European jurisdictions prohibit consent being obtained as a condition of hire. The EU Commission has ruled that if obtained in this way, it will be inadmissible due to the unequal bargaining positions of the employee and employer during the hiring process.
Of course, there’s always an exception. A French employer needs no consent from the employee to require biometric data as long as the due procedure has been followed.
Strict Controls on Data Processing
Employers do not have free rein with regard to biometric data once the employee’s consent has been obtained, and, depending on the jurisdiction, there are a variety of protocols in place to prevent its misuse.
Examples of some of the rules which can apply are:
- in Germany, employers must only collect data which is absolutely necessary for the task at hand, regardless of how wide the scope of the employee’s given consent;
- in the Netherlands, the storage of DNA data requires implementation of the highest security standards in the industry in order to prevent theft and other forms of data abuse; and
- in the UK, the data can only be held for a ‘reasonable time’. This can range from the duration of the employment contract to the length of a project with a relevant client, depending on the circumstances.
The above list is far from exhaustive, and a combination of these principles is applied in each jurisdiction.
In both the iris-recognition and lab technician examples above, transfer of the biometric data to a third party (such as a client) may be necessary. Before doing so, the employer must check whether the transferee has adequate measures in place to protect the employee’s data. Sometimes these privacy security measures need to be even more stringent than if the employer were the sole user.
The employer must be aware of data transfer protocols (particularly regarding transfers out of the EU), which can apply even to intra-company or group transfers. For example, if an office within the European Economic Area is sending biometric data relating to one of its employees to the company’s head office or the office of a client outside the EEA, it must also ascertain whether the laws of the receiving country give adequate levels of protection to the employee’s data. If not, the data cannot be transferred. Countries may have arrangements such as the EU-US Safe Harbour Scheme in order to streamline this process.