Whether the use of a fingerprint reader system (the "System") to collect fingerprint data of employees for the purposes of monitoring their time-and-attendance and ensuring office security is excessive
The Complaint
1. Summary of Facts
A company used the System to collect fingerprint data of its employees for the purposes of monitoring their time-and-attendance and ensuring office security.
2. Issues of the Case
Whether collection of the fingerprint data of employees for the purposes of monitoring their time-and-attendance and ensuring office security is excessive, and hence contrary to DPP1(1) of the Ordinance.
Outcome
1. Reasoning
The company claimed that the data subjects had voluntarily submitted to the System. Hence the data subjects were taken to have given consent to the collection of their fingerprint data.
According to "Personal Data Privacy: Guidance on Collection of Fingerprint Data" issued by the PCPD, consent has been a cogent factor that the Privacy Commissioner will take into account in considering whether the data user has taken sufficient measures to mitigate the adverse impact on personal data privacy.
In determining whether consent has been voluntarily and expressly obtained, the Commissioner regards it as critical that (i) the data subject does possess the requisite mental capacity to understand the adverse impact on his personal data privacy; and (ii) there be no undue influence on the data subject when his consent is sought. In situations where disparity of bargaining power exists, such as in an employer-employee relationship, any presumption of undue influence exerted on the part of the employer can be dispelled by the provision of genuine choices to the data subjects before they decide to provide their personal data.
The PCPD's investigation revealed that the company had not obtained true consent from its employees for the following reasons:
(1) A special relationship exists between the company and its staff, i.e. a relationship between employers and employees showing disparity of bargaining power. There is a rebuttable suggestion that undue influence might have been exerted upon the data subjects;
(2) The company had failed to provide the employees with a free choice to give or not to give their fingerprint data to the company, nor did it make known to the employees the purposes of collection and the availability of alternatives; and
(3) The company had failed to present a balanced view to the employees to enable them to make an informed choice of giving or not giving their fingerprint data to the company.
Because the company failed to provide sufficient information to help its employees fully understand the adverse impact on their personal data privacy, and failed to implement adequate mitigating measures to deal with the adverse privacy impact brought on by the System, the Privacy Commissioner found that the collection of employees' fingerprint data by the company was unnecessary and excessive, and hence contrary to DPP1(1).
2. Action by PCPD
As the company has subsequently taken remedial actions, in particular, offering its employees a less privacy-intrusive alternative (i.e. password) to collection of fingerprint data, no enforcement notice but a warning letter was issued to the company.
uploaded on web in February 2009