The Alberta OIPC has recently released two reports on the use of biometrics for timekeeping purposes. In both, the OIPC upheld the use of biometrics after conducting a contextual analysis that de-emphasized the invasiveness of standard biometric timekeeping systems.
Encrypted form in which information stored weighs in favour of use
The first report, dated August 7th, was made in response to a complaint brought under Alberta’s public sector privacy legislation. The complainant objected to a biometric timekeeping system which relied on a numeric template produced from hand measurements. The rationale for the system – time fraud protection and administrative efficiency – was not particularly unique, though the institution did provide evidence that it had dismissed one employee for buddy punching in the past. The adjudicator nonetheless held that the institution met the FIPPA necessity requirement, in part because the information was stored in a form in which it was not likely to be misused.
The complainant was under the impression that the hand scanner would “take [her] hand print.” If the hand recognition system gathered biometric information that was useful in another context, this would represent a potential privacy risk. For example, if the hand scanner captured an image of the employees’ palms or fingerprints, this information could be used in a law enforcement context. Having employees participate in a mandatory system that increases risk to their privacy would certainly be intrusive. However, the system does not gather a palm print or finger print; it collects hand measurements, which it translates into a unique number (the template). The template is useful only when combined with the employee’s identification number and the payroll system at Intercare. It seems unlikely that the template could be put to any other use, mitigating the privacy risk and making it less intrusive.
While this is a helpful finding for employers, the adjudicator did state, “This finding does not represent ‘privacy carte blanche’ for public bodies to implement biometric systems.”
Use of biometrics okay, but notice especially important for employers
The OIPC reached the same conclusion on the question of use in the second decision, dated August 27th and made in response to a complaint filed under the Alberta PIPA. This case involved the use of a numeric template produced from employee thumbprints. The employer’s rationale for use was fairly general, but in finding the employer met the reasonable collection standard in PIPA the OIPC drew an express link between the employer’s rationale for use and the form in which the biometric information was stored. It said:
While Empire Ballroom previously used another method (the time card/punch clock) it was ineffective due to abuse. Having the manager sign each employee in and sign out was inefficient, and the biometric sign-in system is a paperless system that yields more accurate arrival and departure information that is far more difficult to dispute. The system is also more secure in that employees are unable to access each other’s personal information. In terms of this finding, it is significant that Empire Ballroom does not collect actual thumbprints. Were that the case, my findings might be different.
… an important distinction must be made between collection of actual biometric information used for “one-to-one identification” of a person, and collection of numeric representations of biometric attributes for “one-to-one authentication” of an individual. In the latter case, a finger, hand, voice, or facial imprint is not actually captured; instead numbers representing unique features of a biometric, from which the biometric cannot be reconstructed or reproduced, are collected.
Although endorsing the employer’s use biometrics for timekeeping purposes, the OIPC held that the employer did not meet the reasonable notification requirement embedded in the Alberta PIPA employee personal information provisions because it did not explain to employees that it would only collect a numerical representation of thumbprints and not thumbprints themselves. It stressed that identifying personal information to be collected with specificity is important, particularly when information is to be collected through new and misunderstood technologies and particularly for employers, who are relieved from the ordinary consent requirement under PIPA.