Employers are always looking for the most effective way to maintain integrity in time keeping of employee hours for work performed. Several companies now offer time and attendance solutions that incorporate the use of fingerprint identification technology and purport to eliminate a term called “buddy punching” for hourly employees.
In addition to time and attendance devices, companies are increasingly considering fingerprint identification technology as part of their physical security program to replace badges, access cards, or access codes when entering into sensitive areas, or to replace (or supplement) passwords when logging into workstations. The increasing use of fingerprint identification raises data privacy and data security questions for many employers.
There is currently no federal statute that expressly regulates private-sector use of fingerprint recognition software. Nonetheless, the Federal Trade Commission (FTC), which has authority to prevent unfair and deceptive practices, may proceed against companies that misrepresent the function of the technology; the FTC can also proceed against a company that misrepresents their data privacy and security practices including how they use, secure, or disclose captured fingerprints or fingerprint geometry.
It is important to have a clear and specific data security policy in place, integrity controls with proper monitoring of the data saved on servers, and appropriate auditing (generally better to use an outside third party source) to ensure private information (outside of what is necessary for using the identification technology) is not being obtained, stored, and or at risk for misuse.
It is important to note, at least two states have enacted statutes that govern the data privacy and security implications of the technology. Those statutes generally require that if an organization “captures” a fingerprint, it must provide the consumer with notice and obtain their consent. In addition, if an organization stores or “possesses” a fingerprint, then it must limit its disclosure to third parties, enact measures to secure the fingerprint from unauthorized access, and limit its retention of the fingerprint after it is no longer needed. A number of additional states require that if a company collects fingerprints, it take steps to prevent the fingerprint from being acquired when in the process of being destroyed.
You should consider the following when deciding whether to implement fingerprint identification-based timekeepers, physical access controls, or hardware access controls:
- Data Inventory. If your organization keeps a data inventory or a data map, you should include fingerprints and/or fingerprint geometry in that inventory.
- Security. Assess the risk that fingerprints and/or fingerprint geometry may be compromised and consider what steps can be reasonably taken to attempt to keep the information secure. Among other things, you should consider how the device that captures fingerprints stores and transmits that data.
- Retention and Disposal. Review your retention and disposal practices to see if they specify how long such information should be kept, and how it should be disposed.
- Notice. Consider providing clear notice to consumers or employees before capturing their fingerprints.
- Consent. Consider obtaining opt-in consent before capturing or using fingerprints.
- Sharing. Consider obtaining opt-in consent before sharing fingerprints or fingerprint geometry with any third parties.