Ioannis Iglezakis
Assistant Professor AUTH
Lawyer
Biometric technology finds different applications in the workplace for the control of employees’ access to business and in specific areas or systems, as in high security facilities, etc. Biometric technology makes it possible to provide secure verification and identification of a person, using data on the physiology or behavior of a person. With these features biometric systems are suitable for use in workplaces where there are special security requirements.
In particular, the use of biometric technology in the workplace has many advantages, since it accurately verifies the identity of the person and more particularly, because biometrics refer to human characteristics that remain unchanged, such as fingerprint, iris, the image of person, etc. On the contrary, traditional mechanisms for the verification and identification of a person based on use of a durable medium such as the identity card with a microchip or otherwise, to remember a password or a code number, have the disadvantage that they can be lost, stolen or forgotten by their owner.
These advantages make it clear that a widespread use of biometrics to verify or identify the identity of persons is to be anticipated, as demonstrated by the establishing of biometric passports of EU Member States.
However, the use of this technology has important implications for privacy. Especially in the workplace there is increased need for protection of personal data of employees because of the dependency relationship in which workers are vis-a-vis the employer and the information needs that characterize the employment relationship, given also that employees spend a significant part of their daily time workplace.
The privacy issues arising in connection with the importation and use of biometric systems in the workplace are governed by general provisions on the protection of personal data (in Greece, Law 2472/1997), and there are no specific provisions on data protection for workers.
The processing of biometric data will be lawful if it satisfies the relevant provisions of Article 5 of Law 2472/1997 and in particular, if the data subject has given his consent (Article 5 § 1) or processing is necessary for the purposes of a contract in which a party is a data subject (Article 5 § 2 c. a) or the processing is absolutely necessary to satisfy the legitimate interests pursued by the controller and provided that it clearly supersedes the rights and interests of data subjects and data are not affected by these fundamental freedoms (Article 5 § 2).
The first of these requirements would be valid if consent is free, express and specific declaration of intent. In the context of the employment relationship it is questionable whether the consent is free or it is the result of pressure by the employer; therefore the particular conditions must be strictly controlled to fulfill this requirement. Further, the introduction of biometrics may be necessary for the performance of the contract, namely to control employees’ access to workplaces and so on. Finally, the processing of biometric data may be necessary to ensure a high level of security to sensitive installations and so on.
Furthermore, the processing of biometric data should be consistent with the principles of necessity and proportionality (Article 4 § 1 a and b 2472/1997). Accordingly, the processing must be necessary and appropriate to achieve the desired objective. The principle of proportionality is checked by weighing the circumstances and in particular whether the intended purpose can be achieved by less burdensome for the data subject manner. Further, in accordance with the principle purpose, subsequent treatment would not be lawful if it is inconsistent with the purpose for which the data was collected. Thus, for example, it would not be permissible to use biometric data collected for controlling access to certain areas to assess the behavior of workers.
Particularly it should be noted that before the introduction of a biometric system a privacy impact assessment must be carried out, which must substantiate the specific need for biometrics to achieve that verification or identification is absolutely necessary and the reasons why this can not be achieved by existing security systems.
Control of processing based on these principles can take place based on different assessments. Initially it should be checked whether the objective pursued by the current method of processing biometric data obtained with moderate means, without the processing of biometric data.
In one of the first decisions issued on the Greek Data Protection Authority (hereinforth: Authority), No. 245/9/2000, was asked to rule out on the legality of a control system for entry and exit of workers in the workplace in the method of verification of fingerprints. In this case, it became clear that the recognition of the data subject by the method of fingerprinting is a strong intervention in the privacy right, since traditionally fingerprinting is used for the identification of the person in crime investigation and the generalization of this method for other purposes must not be permitted, unless in specific cases there are particular needs. The Authority held in this case that the processing of biometric data goes beyond the limits imposed by the principle of proportionality in as much as the objective pursued can be achieved by milder means to control the presence of workers at work.
Further, in a recent decision, the No. 74/2009, the Authority also considered as unlawful processing of biometrics for the reason of access control to authorized users to company sites and systems. In this case, the IT facilities of the company were in a room with an open-ended space, where anyone, after passing the main entrance, could gain access to company’s activities related to critical data processing and software development secrets. The Authority held that control of entry into the space can be achieved by less restrictive means, such as access cards without biometrics, and that special security measures should be taken only for access to specific sites and software applications (server room, store documents, electromechanical installations, etc.).
However, the argumentation of the Authority in this case is unambiguous, since it does not examine the conditions of processing of biometric data and does not stress the legitimate interests of the controller, but it takes into account whether it is feasible to use non-biometric methods for objective verification and identification of workers’ identity. There are legitimate questions left open, such as, for example, why the underlying processing of biometric data is burdensome for workers privacy, in the case involving entry into the field of computer facilities and not when access control refers only to specific company sites.
In other cases, the Authority considered as lawful the processing of biometric data related to access control in security installations. Specifically, in the No 39/2004 decision the Authority has given a positive opinion concerning the processing of data to ensure employees’ access to the AIA Center for critical business purposes, and in particular, concerning the collection and processing of the iris of the eye and workers only, who enter and offer their services at the Airport Business Center. Similar was also the decision No. 9 / 2003 which is data processing facilities in high security Athens Metro.
The judgement whether processing of biometric data complies with the principle of proportionality and the balancing of the interests of the controller and data subject ought to be carried out taking into account the specific purposes of controlling access. As indicated by the Article 29 Working Party, biometric systems create less risk to privacy, which are related to biological characteristics leaving no traces (eg shape of a hand and not fingerprints) or those leaving traces, but not involving the storing of data held by another person than the subject, ie when the data is stored in access device or a central database. Also it is noted that when biometric data contain more information than necessary for identification or verification of identity, such as the raw data, they should be deleted.
The above mentioned considerations have found application in No. 9/2003 decision of the Authority concerning access control in high-risk premises of Athens Metro Company. In that decision the Authority took into account that the proposed biometric system is related to characteristics which leave no traces, and in particular, which concern the geometry of the hand, rather than fingerprints (which leave traces). The specific system consisted of devices that are autonomous and there was no link to the central database and also, other personal information was not stored, such as the name of the user.
In conclusion, it should be noted that the legality of processing of biometric data under Greek Law should be examined in accordance with the provisions of Law 2472/1997 and in particular, with the principle of legality and the principles of necessity and proportionality. In our view, a case-by-case approach should be carried out, in which all the circumstances of processing are taking into account. The legality of the processing should not be examined based on vague principls, as it does in some cases the Authority, which held for example that biometric data may be processed only in special cases for access control to premises or facilities secrets file (No 245/9/20.3.2000 decision).
REFERENCES
I. Inglezakis, sensitive personal data (b reprint.) 2004, especially p. 210.
C. Lazarakos, Biometrics: Protection of personal data through the processing of sensitive (personal) information, PoinDik 2001, p. 1165 ff
Gerrit Hornung, Roland Steidle, Biometrie am Arbeitsplatz – sichere Kontrollverfahren versus ausuferndes Kontrollpotential, AuR • 6 / 2005 201, online available at:
http://www.uni-kassel.de/fb7/oeff_recht/publikationen/pubOrdner/aur_2005_06_201-207_hornung_steidle_biometrie.pdf
Astrid Albrecht, Biometrie am Arbeitsplatz – Konkrete Ausgestaltung der Mitbestimmung – Orientierungshilfe des TeleTrusT eV fur eine Betriebsvereinbarung beim Einsatz biometrischer Systeme, JurPC Web-Dok. 55/2007, Abs. 1 to 51, online available at:
http://www.jurpc.de/aufsatz/20070055.htm
Der Landesbeauftragte fur den Datenschutz Niedersachsen, Biometrie und Datenschutz, online available at: http://www.lfd.niedersachsen.de/master/C27956_N13146_L20_D0_I560.html
A. Albrecht, Biometrische Verfahren im Spannungsfeld von Authentizitat im elektronischen Rechtsverkehr und Personlichkeitsschutz, 2003.
H. Baumler, Biometrie datenschutzgerecht gestalten – Die Bedeutung von Technikgestaltung für den Datenschutz, DuD 1999, p. 128 et seq
M. Bobrowski, Biometrie und Verbraucherschutz, DuD 1999, p. 159 et seq
V. Nolde / L. Leger (Hrsg.), Biometrische Verfahren – Korpermerkmale als Passwort, DWD Köln 2002.
Th. Weichert, Biometrie-Freund oder Feind des Datenschutzes, CR 1997, p. 369 et seq
G. Hornung, The European Regulation on Biometric Passports: Legislative Procedures, Political Interactions, Legal Framework and Technical Safeguards “, SCRIPTed 2007, p. 246 et seq
G. Hornung, “Biometrische Systeme – Rechtfragen eines Identifikationsmittels der Zukunft”, Kritische Justiz 2004, p. 346 et seq
J. D. Woodward, Jr / N. M. Orlans / P. T. Higgins, Biometrics. Identity Assurance in the Information Age, 2003.
Ann Cavoukian, Alex Stoianov, Biometric Encryption: A Positive-Sum Technology that Achieves Strong Authentication, Security AND Privacy, 2007, online available at:
http://www.ipc.on.ca/images/Resources/bio-encryp.pdf