The Italian Data Protection Authority (Garante per la protezione dei dati personali) recently received a request to grant prior authorisation, according to article 17 of Legislative Decree n. 196/2003 (“Privacy Code”), to the processing of biometric personal data for the purpose of controlling the presence of employees in the workplace in order to evaluate ordinary and overtime pay. Such processing was also said to be justified by the need to prevent certain types of unlawful conduct by some employees, mainly consisting in the exchange of badges, as well as by the loss of magnetic cards that are currently in use. After having examined the compliance of this system with the Privacy Code, the Authority declared such processing unlawful and prohibited it where it is for the purposes and in the manner described below.
Operation of the system for processing biometric personal data
Before analysing the grounds for the decision, it is necessary to understand how this processing works. Operation of this system would require a preliminary collection of biometric data (the ‘enrolment phase’), whereby the company would turn the image of part of the employee’s fingerprint into a digital code using electronic devices equipped with both fingerprint readers and software; the code would then be assigned to each employee after being stored in the company’s information system, without being encrypted or protected in any way. The digital codes would be used to compare against the digital codes obtained after reading the employees’ fingerprints whenever they leave and/or enter their workplace. Those digital codes would be obtained by readers located in several places within the company and the information would then be stored centrally, on the company’s IT system.
The grounds for the Authority’s decision
The Authority decided that, besides the uncertainty concerning the degree of reliability, such a system does not comply with the Privacy Code or with European legislation.
In particular, the Authority’s decision was based on the following grounds:
Biometric data and personal data protection principles
The lawfulness of this system is to be assessed by having regard to features such as compliance with, for example, data adequacy, proportionality, legitimate and specific purposes, fairness principles, and data accuracy requirements (see articles 3 and 11 of the Privacy code, and article 6 of EC Directive 95/46).
In particular, it has been highlighted that employers are lawfully empowered to supervise performance at work (pursuant to article 2094 of the Italian Civil Code) by verifying employees’ performance levels and compliance with working hours in order to compute their wages (e.g. by means of personal badges); but it was not shown that the processing of the biometric data in question conforms to data minimisation and proportionality principles, with particular regard to the use of fingerprints.
In addition, using data at work may be justified in specific cases depending on the purposes and context of that processing - e.g. in connection with accessing certain premises of a company that require particularly stringent security measures. Alternatively, such processing may be justified in order to ensure the security of personal data (see annex B of the Privacy code).
The blanket use of such data is not considered lawful; as regards fingerprints, their misuse and inappropriate use must also be prevented.
The use of biometric data and respect for personal freedom and personal dignity
To verify compliance with working hours and simultaneously prevent unauthorised conduct by employees, the employer can use other, less intrusive, systems that do not violate personal freedom and do not involve an employee’s body - which are both constituents of personal dignity, safeguarded by personal data protection provisions (article 2 of the Privacy code).
Community law dictates that the processing of data entailing specific risks to data subjects’ rights and fundamental freedoms (such as the one in question), is only to be allowed following prior authorisation. Prior authorisation should establish that the processing is lawful and fair, as well as laying down measures and instructions to safeguard data subjects’ rights (see article 20 of EC Directive 95/46, and article 17 of the Privacy Code). Accordingly, it was concluded that the requirements envisaged by law would not be met in this case.
Problems arising from the technical arrangements of such a system
This processing is also to be regarded as disproportionate in light of the envisaged technical arrangements; less invasive technological approaches can undoubtedly be implemented. Pursuant to article 3 of the Privacy Code, it is preferable, providing the use of biometric information is permitted, to store identification code on a medium that is in the data subject’s exclusive possession after completing the enrolment phase, rather than to record the code at a centralised level in the company’s information system. The latter approach may actually be more prejudicial to individual rights if security measures are breached, unauthorised entities access the data, or the stored information is misused, whether or not by third parties.