Privacy Issues of Fingerprints Scanning

More affordable and efficient fingerprinting hardware and applications are conducive to the wide adoption of fingerprint scanners for attendance record management and access control.

Recent complaint cases processed by my office (PCPD) serve to illustrate how organisations can adopt good practices to respect and protect consumers’ personal data when using fingerprint scanners.

The Personal Data (Privacy) Ordinance (the “Ordinance”) is technology neutral. Data Protection Principle 1 in Schedule 1 to the Ordinance provides that the collection of personal data must be “necessary for or directly related to” the stated purpose of collection, and “not excessive” in relation to that purpose. It must also be collected by means “which are fair in the circumstances”.

When using fingerprint scanners, organisations should consider offering less privacy-intrusive options, or adopt technical measures that minimise data collection.

Less Privacy-Intrusive Alternatives

In a recent case handled by the PCPD, a client paying a site visit to a cloud storage data centre was required by the data centre to submit his fingerprint for registration as a condition of entry.

According to the Personal Information Collection Statement provided by the data centre, the purpose of the fingerprint registration was to strengthen the physical security of the premises, and also to allow registered visitors to walk unescorted and to conveniently gain entry by fingerprint-scan verification. The fingerprint data would be erased upon the client’s departure from the data centre.

Upon the recommendations of the PCPD, the data centre agreed to provide a less privacy-intrusive option to visitors who do not wish to submit their fingerprints, such as using security staff to escort the visitor to designated locations on the premises.

Alternative Technical Measures

In another case, an employer collected its employee’s fingerprint data through a fingerprint scanner on her first day of work. The system was installed for staff attendance and security purposes because the business involved the sale and display of high-value fashion merchandise.

After conducting an investigation prompted by a complaint, the PCPD concluded that the collection of fingerprint data was unnecessary and excessive in the circumstances because the employer could record staff attendance and control access to the premises by the use of smartcards and passwords.

Another alternative was to control entry by the combined use of a smartcard and fingerprint-scan device. The employee’s fingerprint data would be stored in a company-issued smartcard, carried by the employee himself – no fingerprint data would be stored by the organisation. When entry is required, the person would present the smartcard to the device and provide his fingerprint-scan at the same time. The device would match the data stored on the smartcard with the fingerprint-scan in order to verify the person’s identity. In this process, the system would not retain the person’s fingerprint data after performing the verification.
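The smartcard arrangement described above can be sketched in code. The following is an added example, not part of the original article or of any PCPD or vendor system. The issuer key, the MAC that binds a template to its card, the toy minutiae comparison and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

ISSUER_KEY = b"constructed-demo-key"  # assumption: secret held by card issuer and readers
TOLERANCE = 4    # max difference per field for two minutiae to count as the same point
THRESHOLD = 0.8  # share of on-card minutiae that must appear in the live scan

# Constructed sample minutiae as (x, y, angle) triples; not real fingerprint data.
ENROLLED = [(10, 20, 90), (35, 42, 180), (60, 15, 45), (80, 70, 270), (25, 88, 135)]
SAME_FINGER = [(11, 19, 92), (34, 44, 178), (61, 15, 46), (79, 72, 268), (26, 86, 137)]
OTHER_FINGER = [(5, 60, 10), (50, 50, 200), (90, 10, 300), (15, 30, 60), (70, 95, 120)]


def _tag(card_id, template):
    """MAC that binds a template to one card, so a swapped template is rejected."""
    msg = json.dumps([card_id, sorted(template)]).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def issue_card(card_id, template):
    """Enrolment: the template is written to the card; the organisation keeps no copy."""
    return {"card_id": card_id, "template": list(template), "tag": _tag(card_id, template)}


def _close(a, b):
    # Toy stand-in for a real matcher; ignores rotation, translation and angle wrap-around.
    return all(abs(p - q) <= TOLERANCE for p, q in zip(a, b))


def verify_entry(card, live_scan, audit_log):
    """Match the live scan against the on-card template; log only card ID and decision."""
    template = card["template"]
    ok = bool(template) and hmac.compare_digest(card["tag"], _tag(card["card_id"], template))
    if ok:
        hits = sum(any(_close(m, s) for s in live_scan) for m in template)
        ok = hits / len(template) >= THRESHOLD
    audit_log.append({"card_id": card["card_id"], "granted": ok})  # no biometric data kept
    return ok


if __name__ == "__main__":
    log = []
    card = issue_card("CARD-0001", ENROLLED)
    print(verify_entry(card, SAME_FINGER, log), verify_entry(card, OTHER_FINGER, log))
    print(log)
```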

Fairness in Data Collection

The case last mentioned above also highlighted the issue of fairness of data collection. The PCPD found that in situations where a disparity of bargaining power exists, such as in an employer-employee relationship, the consent to provide fingerprint data could not be considered to have been freely given if the employees were not provided with a realistic choice to opt for other alternatives.

Recommendations

The PCPD would remind organisations that when they are contemplating any data processing activity involving sensitive biometric data like fingerprints, they should assess the need for collection of such data, and provide an alternative procedure so that individuals can realistically exercise a free choice as to whether to provide such data.

If it is indeed necessary for fingerprint data to be processed, organisations should consider technical measures (such as the use of smartcards mentioned above) that would minimise the retention and enhance the security of this data.

For more detailed guidance on fingerprint or biometric data in general, please see:

‘Guidance on Collection and Use of Biometric Data’ published by the Privacy Commissioner for Personal Data.

Barrister, Privacy Commissioner for Personal Data, Hong Kong