Is your company ready to open, remain open, or expand access to more employees, vendors, visitors, and customers? If the plan is set, the policies have been drafted and the protocols developed, and a socially-distanced, health-conscious temperature check solution nearly decided on, then it can come down to one last, critical decision – embed facial recognition into the solution or not?
On the one hand, there is the convenience of performing an employee wellness check and clocking in at the same time, linking to HR and timekeeping systems, a useful mechanism for lowering the risk of attendance fraud. On the other hand, there is a host of other risks – legal, privacy, and security – and obligations that facial recognition brings and that a company may not be fully aware of or prepared for.
Perhaps the policies haven’t adequately been drafted or the protocols fully developed, after all.
Before integrating any type of biometrics into your COVID-19 wellness checks – such as facial recognition for timekeeping, attendance tracking, or security access tied into COVID-19 screening – companies must evaluate the following three major risks.
First, the use of biometrics is fraught with legal complexities from the host of existing and emerging state, national and international laws governing how biometrics (e.g., DNA, fingerprints, face, hand, retina, or ear features, etc.) are recorded, stored and used.
In the U.S., at the national level, the National Biometric Information Privacy Act of 2020 was introduced by Senators Merkley and Sanders in August 2020; Illinois, Texas, and Washington have biometric laws in place; the California Consumer Privacy Act (CCPA) and California Labor Code regulate biometric data; and 10 additional states have proposed biometric privacy legislation that, while not yet passed, is garnering attention in the current climate.
Unsurprisingly, these laws are all slightly different – and violations can range from misdemeanors to tens-of-thousands of dollars in fines – so companies operating in multiple states must continually monitor the regulatory landscape and harmonize their approach at the local level to ensure compliance.
Adding another layer of complexity to U.S. operations, companies with union employees must understand whether a proposed policy or changed procedure related to timeclocks may trigger bargaining obligations or require other communication with a representative union.
With the range of variables across state (and proposed national) laws, strong consideration should be given to whether the overall effort of program development is worth the potential benefit.
For example, under the Illinois Biometric Information Privacy Act of 2008 (BIPA), a private entity cannot collect or store biometric data without providing notice to employees, obtaining written consent, and making specific disclosures. A written policy establishing a retention schedule, including guidelines for permanently destroying biometric data, must be maintained. In Texas, by contrast, notice and consent are required before collection – unlike under BIPA, consent does not need to be in writing – along with stipulations for how the information must be stored and protected, and a mandate that it be destroyed within one year of being collected. California Labor Code Section 1051 prohibits California employers from obtaining fingerprints or photographs from employees and then sharing this information with a third party, which means companies must carefully review contracts and technical processes to determine whether the vendor providing the technology has any kind of access to employee biometric information.
At the same time, companies with operations outside the United States must also adhere to regulations in foreign jurisdictions such as the GDPR, which, in addition to local employment laws, regulate aspects of biometric and COVID-19 data collection and use by in-scope companies.
The second major risk is the broader implication for the company’s privacy program of deciding to collect and use biometric data in conjunction with COVID-19 screening operations.
Privacy programs are already being asked to cope with the additional – and often new – documentation and training required to effectively manage and protect data collected during COVID-19 wellness screening; adding another type of sensitive personal information the company is not accustomed to processing only increases risk and may put unnecessary strain on already stretched resources.
As noted above, adding biometric data collection to the mix means new policies and notices must be drafted, and consent must be tracked and managed, simply to ensure the applicable regulations and policies are complied with. This includes developing new training so that employees understand what personal and biometric data is being collected and which security controls are in place. Processes and vendors will need greater scrutiny through more comprehensive Privacy Impact Assessments and Vendor Risk Assessments that address the new biometric risks. The company will need to draft more restrictive contracts and Data Processing Addenda to protect the data and ensure regulatory compliance. In addition, under the CCPA and GDPR, additional processes will need to be built to respond to Individual Rights Requests.
Teams will also need to ensure the company’s compliance with strict ADA regulations regarding the confidentiality of the identity of an employee who has tested positive for COVID-19, and with the requirement that confidential medical records be stored separately from the employee’s personnel file.
The third major risk is how the company will ensure the security of biometric data. In addition to privacy regulations like the CCPA and GDPR that treat a breach as a violation, every state in the U.S. has enacted a Data Breach Notification Statute, and 19 states include biometric data in the definition of “Personal Information,” requiring notification to affected individuals in the event of a data breach: Arizona, California, Colorado, Delaware, Florida, Illinois, Iowa, Louisiana, Maryland, Missouri, Nebraska, New Mexico, North Dakota, North Carolina, Oregon, South Dakota, Texas, Wisconsin, and Wyoming.
Biometric data processing presents an extreme risk to the individual because it is no longer a secure identifying feature once compromised. Unlike other personal information used for identification – a social security number, ID card, or password – which can be changed if compromised, people cannot change their biometrics. If biometric data is collected, the Information Security team must take significant steps to ensure the data is protected and securely destroyed. Access to this type of data should be limited to a need-to-know basis.
As with the privacy risk, for companies that do not regularly collect this type of sensitive data or that do not have mature security programs with robust controls in place, this presents an increased and unnecessary risk – the cost to protect this type of data, and the legal, financial, and reputational risk of not doing so, may far outweigh any benefits or efficiencies gained by processing it.
The better and less risky practice is to look into alternative measures that do not require biometric data processing but achieve the same purpose in a less intrusive manner. Kiosk temperature checks and questionnaire screeners can log pass/fail results and link to security systems without the need for facial recognition or other biometric data processing. A comprehensive solution must protect users’ health data and support compliance with EEOC and ADA requirements in the workplace.