Biometrics Data Monitoring and Privacy in the Workplace


The Issue: 
        Recently, the use of biometric information in the workplace has become increasingly relevant as employers' means to collect and use such information have greatly expanded. Neurotechnology is now used in the workplace by some employers to track brain data, such as through hats with electrodes worn by train drivers in China; the data is then used to see if the drivers are focused or fatigued. This kind of data is used to track wellness and health, which can avoid existing protections against the misuse of health data, but still exposes employees to possible misuse for managerial purposes. For instance, an employer may think that they will have to provide less expensive health insurance to healthier employees, which may influence re-hiring decisions. In addition to the lack of adequate legislation regulating this kind of data monitoring in the workplace, another problem is employees' lack of awareness of just how much information can be gathered through such workplace monitoring, since such biometric data can indicate things like cognitive decline if sufficient data is collected. 

        Biometrics information can be highly valuable to employers. One use is granting authorization in a way that is very difficult to steal or fake, which reduces the risk of hacks or breaches through identity theft. This security advantage has become more attractive recently because the pandemic increased 'work from anywhere' or 'work from home' employment, which carries a greater security risk. Using biometrics data can also replace the use of multiple passwords for authorization, which can alleviate the 'password madness' of modern society, where people are becoming overwhelmed by the numerous different passwords they are required to use for various accounts. 

        Employee monitoring through biometrics data can also prevent time theft, which is when employers pay employees for time they did not spend working. An example of this is Kronos, a payroll and attendance management platform, which uses fingerprint scanning to monitor when employees 'clock in' to shifts. Moreover, biometric data has huge value by itself: market research by the IMARC Group found that the global biometrics market was valued at over $33 billion in 2022 and is expected to reach $87 billion by 2028. 


Are there laws or regulations governing the use of biometrics data? 

This depends on the country. The EU's GDPR, and countries that have developed privacy legislation modelled on the GDPR such as Korea and Canada, have explicit protections for biometrics data, while other countries like the US, which lack a national privacy law, exhibit gaps in their protections. 

Biometric Data in the EU's GDPR and similar laws in Korea and Canada

        In Europe, the General Data Protection Regulation (GDPR) sets out specific requirements for the collection and use of biometric data, including employee biometric data, and applies to all organizations that process EU residents' data regardless of where that organization is. As a 'special category' of data that has additional protections, employers who seek to process biometrics data must have a lawful basis (such as obtaining consent), have adequate security measures, limit the processing to that which is necessary, and be transparent in the purpose and use of that data. On top of these obligations, employees also have the right to access, correct, delete, and object to the processing of their data. 

        What is more, the GDPR prohibits processing biometric data to uniquely identify people unless the company can prove it was necessary, with case law precedents ruling that using biometric data for attendance and time registration was not necessary or proportionate due to the existence of less intrusive methods such as a check-in system. These cases also ruled that consent from an employee cannot be used as a legal basis because of the imbalance of power in employee-employer relationships. Overall, although exemptions may allow processing of employee biometric data, there are strict conditions to be met and it is generally prohibited to process biometric data, especially for identification purposes. 

        One notable case is when the Hamburg DPA fined the Swedish clothing company H&M 35.2M Euros under the GDPR for unlawfully collecting and storing sensitive personal data of its employees, including details of their religious beliefs and medical conditions, through the use of a biometric time and attendance system. The data was accessible by up to 50 H&M managers, who used it to make employment decisions.

        Canada's private sector privacy legislation, PIPEDA, sets out protections for biometric data in very similar ways to the GDPR. The difference is that while the GDPR applies to all EU residents' data no matter which organization processes it, Canada's PIPEDA only applies to private sector organizations conducting commercial activities. Canada also has additional layers of protection through provincial laws such as BC and Alberta's Personal Information Protection Act (PIPA). In addition, Canada's privacy regime is largely centered around privacy principles as well as case law precedents, which makes it difficult for companies to determine what use of biometric information is permissible or not in the workplace, especially with new technologies that use biometrics data. 

        Korea similarly considers biometrics data as "sensitive personal information" under the Personal Information Protection Act (PIPA), with additional protections quite similar to the GDPR, involving security measures, limits to processing, and transparency on top of the standard privacy rights of the data subject. Generally, companies in Korea are extremely limited in compiling biometrics data, with most research done on biometric data being managed and controlled by government agencies such as the Institutional Review Board (IRB) and not given to private companies without special legal authorization. However, Korea faces a rather unique issue in facial recognition data due to the proliferation of CCTV coverage in both public and private spaces. Combined with rapid development in AI-assisted analysis technology, this has created possible controversies such as the government sharing 170 million photographs of passengers travelling through Incheon Airport with private AI developers. 


Biometric Data protection in the US? A patchwork, for now. 

        In the US, there are no federal laws specifically regulating employers' collection and use of employee biometric data. Protections exist in the form of state-specific laws, limitations set by the FTC on fair practices and proper security and breach notifications, as well as a reasonable expectation of privacy in general. An example of a state-specific law is Illinois's Biometric Information Privacy Act (BIPA), which requires employers who collect the biometric information and biometric identifiers of their Illinois employees to provide notice, obtain consent, and adhere to certain data minimization principles. This law is quite similar to the limitations placed by the GDPR on employee biometric information. 

        Other laws can also play a role, such as the federal Americans with Disabilities Act (ADA) mandating confidentiality of medical records by employers and preventing the use of AI on employee data (which can include biometrics data) for employment-related decisions if that may result in discriminatory outcomes. Related to this is the Fair Credit Reporting Act (FCRA), which regulates the use of consumer reports in the hiring process. Biometric data may be considered a "consumer report" if it is used for background checks or employee screening.

Conclusion: 

        Overall, while employee biometrics data may offer many benefits to both employees and employers, there is also the potential for abuse, which can greatly impact employees. The EU's GDPR tends to come down on the stricter side of preventing the use of biometrics data, while the US is far more permissive, though this is largely due to the lack of existing regulation on the use of biometric information. State laws such as those in Illinois and California may indicate similar strong protections on biometric information in the future. A common theme, however, is that transparency and limitation in the use of such biometric data are critical to protect the privacy rights of employees. 

