ARTICLE
9 September 2025

Biometrics: Guidance For Canadian Employers

George Waggott Law


George Waggott is a Canadian employment and labour relations lawyer who is based in Toronto. George has practised exclusively in the areas of labour relations, employment law, and executive compensation since 1996, and he acts for employers on all workplace issues. In addition to his ongoing advice to companies, he frequently appears before the courts, mediators, labour relations boards, grievance arbitrators and employment tribunals. He also regularly acts as a management spokesperson in collective bargaining.


Human physical characteristics are increasingly being used in biometric technologies which authenticate and identify individuals, including in the workplace. The use of biometrics gives rise to numerous legal issues, many of which are clarified in some recent guidance issued by Canada's Office of the Privacy Commissioner (OPC).

On August 11, 2025, the OPC published updated guidance on processing biometrics, which was developed for both the public and private sectors. This guidance sets out principles for the use of biometric technologies, such as facial recognition, fingerprint scanning and voice identification. The published guidance reflects a number of emerging concerns, particularly with respect to security issues and privacy concerns. In particular, biometric tools can enable surveillance and may expose people to an increased risk of fraud and identity theft.

The OPC's guidance sets out a number of key principles which are intended to help organizations manage relevant legal issues. The following is a summary of the relevant principles outlined in the guidance document:

1. Proceed Only With Lawful Authority / Appropriate Purposes

  • Prior to implementing biometric technologies, organizations must ensure that they have the lawful authority to collect, use and disclose biometric information.
  • For public sector organizations, this review needs to be undertaken by reference to applicable legislation.
  • For private sector organizations, the review needs to be undertaken by reference to applicable legislation and to principles applicable under the Canadian Personal Information and Protection of Documents Act (PIPEDA).
  • Even assuming there is lawful authority, which is likely to usually be the case, the organization needs to focus on appropriate use of biometrics. This means that organizations will need to have a legitimate reason for using biometrics. Further, any proposed use of biometric technologies should be effective, minimally intrusive, and proportionate to its purpose.
  • One specific caution in the OPC guidance is about so-called "no-go zones" involving unreasonable data collection, including mass surveillance, practices likely to cause significant harm, or those which involve breaches of human rights legislation.

2. Consent

  • Persons who interact with biometric technologies must provide consent.
  • The required consent must be valid, informed and meaningful. This approach tracks the principles which apply more generally to collection and use of personal information.
  • In the case of biometric technologies, individuals must be advised what biometric information will be collected, why that information is needed, who it may be shared with, and any related risks of harm which arise.
  • In cases where biometric solutions are not integral to the service, an alternative must be offered. An example which many might be familiar with is the option to opt out of facial ID to unlock a device, and instead authenticate user ID via a password.

3. Assessment of Privacy Impacts (Based on Necessity and Proportionality)

  • Canadian organizations must, before proceeding to use biometrics, conduct a privacy impact assessment.
  • The requirement is to establish, in advance, that the use of biometric technology is justified.
  • The focus will be on proving that the biometric program is necessary to address a specific, legitimate and defensible objective.
  • The technology used must be reviewed, with a determination that the solution involves an effective and reliable means to achieve the relevant purpose.
  • As with the collection of personal information more generally, the organization must use minimally intrusive means, with no less invasive alternatives being available.
  • The concept of proportionality applies, meaning that any resulting privacy impacts (loss of privacy) are proportionate to the benefits gained by using biometrics.

4. Control (Limiting Collection, Use and Retention)

  • The organization should only collect and use the specific biometric data which is necessary to achieve the relevant purpose.
  • This means that verification (one-to-one) systems are favoured over identification (one-to-many) models.
  • Where possible, large centralized biometric databases should be avoided.
  • The technology and its use should limit disclosure of relevant information.
  • Biometric information should only be retained as long as necessary, after which it should be securely destroyed.

5. Implement Safeguards

  • Organizations must adopt protective measures which are intended to ensure that personal information is shielded from loss, theft or unauthorized access.
  • Biometric information must be secured with technical, physical and administrative measures which are proportionate to its sensitivity.
  • Best practices include controlling access; encrypting relevant information during storage and transmission; and engaging in regular testing and threat assessments.

6. Accuracy (Elimination of Errors)

  • No data collection system or technology is perfect, and biometric technologies can generate errors.
  • A flawed biometric reading can result in a denial of service or misidentification of a user.
  • Best practices include selecting technologies with high accuracy rates; testing systems in real world conditions; and monitoring accuracy on an ongoing basis.
  • Incorporating human review and oversight is an essential component required to address relevant issues.

7. Accountability

  • Canadian organizations remain responsible for any biometric information which is in their possession or control.
  • The responsibility does not disappear simply by virtue of using a third-party provider who provides or manages relevant technology.
  • The OPC has emphasized (and applicable law confirms) that accountability cannot be outsourced.
  • The obligations for organizations will include regular review of practices; employee training and oversight; and audits of technology use.

8. Openness and Transparency

  • Adopting a set of open and transparent practices regarding biometric technologies is essential to building trust and ensuring accountability.
  • Organizations must provide clear notice to individuals whose biometric data is being used and collected.
  • A key focus will be on explaining the purpose, authority and risks associated with the technology.
  • If decisions will be made based on biometric information, users should have clear notice and related information about how the system works.

Summary for Organizations

The use of biometric technologies will likely continue to increase. The OPC's recent guidance on the topic, though not legally binding, provides a valuable framework for Canadian organizations as they adopt best practices to assess relevant legal risks and roll out biometric solutions. This is particularly important given the fact that biometric information is among the most sensitive personal data which, if compromised, can be easily used for improper purposes. Canadian organizations must recognize these risks, and adopt an approach which focuses on use cases which are narrow in scope, aligned with legal authority, and subject to ongoing and continuous oversight.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
