29 October 2015

Collection Of Fingerprint Data From Employee For Security Purposes Deemed Unnecessary And Excessive

Jones Day

Contributor

Jones Day is a global law firm with more than 2,500 lawyers across five continents. The Firm is distinguished by a singular tradition of client service; the mutual commitment to, and the seamless collaboration of, a true partnership; formidable legal talent across multiple disciplines and jurisdictions; and shared professional values that focus on client needs.

In an investigation report dated July 21, 2015, the Office of the Privacy Commissioner for Personal Data ("PCPD") upheld a complaint by a former employee of Queenix (Asia) Limited ("Queenix") that the collection of her fingerprint data for the purposes of accessing Queenix's offices and monitoring employee attendance was unnecessary and excessive, and that the manner of collection was unfair.

The key findings of the PCPD were that: 

  • Fingerprint data amounts to highly sensitive personal data, given that it is not only capable of identifying an individual but is also unique to that individual. As such, collection, retention, and use of fingerprint data should be managed with extreme caution, and it should be used only if less intrusive means are unavailable.
  • The use of fingerprint data by Queenix was excessive in the circumstances, taking into account the following questions:
    • Was collection of the data a necessary and effective means to meet the purposes of safeguarding office attendance and monitoring security?
    • Was the adverse impact on data privacy proportionate to the benefits arising from the collection of fingerprint data?
    • Was there any less intrusive way to achieve the same purpose?

Queenix had few employees, and there was no evidence that the use of fingerprint recognition helped to improve security. In the view of the PCPD, the same purpose could have been achieved by use of a smart access card that did not contain personal data and the implementation of other security measures, such as the use of additional locks after hours. The employee's consent to the collection of her fingerprint data was not genuine and fair, because Queenix made collection compulsory for employee access and did not provide other alternatives.

In light of the Queenix case, Hong Kong employers who use fingerprint data for security access or similar purposes should carefully review their policies and procedures. In particular, employers should consider whether the use of fingerprint data is genuinely required for the purpose for which it is collected, and whether alternative measures can be used and offered to employees.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
