In October 2018, Trilateral’s newsletter included an article on the use of Biometric Data in the Workplace. In that article, we noted that the French Data Protection Authority (CNIL) was expected to release a standard regulation to set out how such special category data could be used in the workplace. After a period of consultation (3-30 September 2018), CNIL adopted these national rules on the 29th March 2019, and they apply to both public and private sector employers. CNIL can issue such rules because, under the revised French Data Protection Act 78-17 of 6 January 1978 (FDPA), it was granted the power to issue “standard regulations to ensure the security of personal data processing systems and to regulate the processing of genetic data, biometric data and health data”.
The approach adopted by France is, so far, much more prescriptive than we have seen in other EU countries, where less clarity has been provided to date. Thus the French example is likely to set a reference standard going forward and will be watched with interest by other jurisdictions.
The rules clearly differentiate between different types of biometric data which may or may not be used to underpin a chosen system. In summary:
- Morphological biometrics such as the use of patterns derived from fingerprints, the shape of a user’s hands, vein patterns, or iris / retinal scans are of a type that may be considered for use.
- Biological biometrics such as the use of blood, saliva or other forms of DNA matching may not.
As regards the system itself, and the manner in which it captures and compares a pattern or template created from the data subject’s biometric data, the template cannot be in a form that can be used to ‘back engineer’ the identity of an individual. The original biometric data used to create the biometric templates must be destroyed as soon as the template has been created, with the template itself being deleted once the access it grants is no longer needed. System logs generated by the biometric system should be kept no longer than 6 months, and can be archived only where required by law or where necessary (e.g., for a legal dispute, to a maximum period equal to the statute of limitations).
The French rules differentiate three fundamental types of systems based on the level of control the data subject has over their own data:
Type 1: The template is only stored on a medium which remains under the individual’s exclusive possession (e.g., a token or badge issued to the data subject).
Type 2: The template is under the joint control of the data subject and the employer (e.g., the system uses a centralised database which is only accessible using the data subject’s biometric data).
Type 3: The employer has full control (e.g., a centralised record of templates that can be accessed by the employer without the assistance of the data subject’s token or password).
Types 2 and 3 are normally forbidden except under very rare circumstances. Employers would need to demonstrate exceptional and justified circumstances such as for use in critical environments where the loss of a token or badge would have particularly serious consequences.
Deciding to use biometrics
Even though the rules permit Type 1 systems to be considered for use, the employer must demonstrate under the principle of proportionality that the use of such a system represents the only feasible option to achieve the intended outcome in the given context. Where determined to use biometrics, each employer must comply with the following:
- They are required to register their intended use of Biometric Data with CNIL.
- They must have undertaken a thorough Data Protection Impact Assessment.
- They must justify to the CNIL why they need to use the biometric system chosen rather than another, less intrusive method such as swipe cards.
- They must explain the choice of biometric marker to be used (iris vs. fingerprint, for example).
- They must demonstrate “rigorous” security measures to be used to protect the data subjects’ biometric data.
The rules also set out the required security measures, which are extensive, and require these to be audited at least once a year. The security approach needs to adequately address: measures related to the data, those related to the organisation, matters related to the hardware and software, and the measures related to state-of-the-art encryption.
What this means for employers
While biometric systems, at first glance, offer effective and indeed stylish tools for time keeping and access control, they may pose significant risks to the rights and freedoms of employees given the personal data they use and the manner in which they use it. The French rules raise interesting questions even for accessing company laptops or mobile phones. In the UK and Ireland, while not having the same level of prescription, most organisations, such as hotels or general production facilities, would still be unlikely to meet the proportionality test for the use of this special category data, except in the most exceptional circumstances. Where biometrics are being implemented, their use needs to be fully justified by means of a DPIA with the type of system carefully chosen to minimise any data protection risks while giving data subjects as much control as possible over their own data. If you are thinking of using a biometric system, our advisors can help you through the assessment process and the required Data Protection Impact Assessment.
For more information please refer to our service pages or contact our Data Governance team.