When you use your face or your fingerprint to unlock your phone, you are using biometrics. Today many employers are using biometrics for “providing secure building access, tracking employee time and attendance, activating machinery, and authenticating users’ identities for increased computer and mobile device login security.” According to a 2018 survey by Spiceworks, biometric authentication technology was utilized in 62 percent of companies, and an additional 24 percent planned to utilize it within two years. However, this usage is not without legal and privacy questions.
Types of biometric identifiers include fingerprints, photo and video, physiological recognition (e.g., facial, hand or retinal scanning), voice, signature and DNA. Behavioral identifiers are less commonly used as they are not as reliable. However, as the technology improves they are likely to become more effective and thus more frequently used. Examples of behavioral identifiers are typing patterns, physical movements (e.g., the way someone walks), navigation patterns (e.g., mouse or finger movements on touch screens), and engagement patterns (e.g., how we use apps, how we hold our phones).
Biometric data that is potentially subject to data breaches could expose workers to risks like identity theft, said William E. Hammel, who leads the data privacy, cybersecurity, and information governance practice at workplace law firm Constangy, Brooks, Smith & Prophete. “An iris scan looks cool, especially if you’re impressing clients,” he said. “But that data usually has to go somewhere.” Privacy experts stress the importance of securely storing biometric data, pointing out that while you can easily issue a new password, you cannot issue someone a new eyeball or fingerprints.
Technology is rapidly evolving, and the law is struggling to keep up. Employees are starting to challenge how companies are storing and using their biometric data. Although there are regulations being created that require employee consent for the collection of biometric data, CSOOnline points out that the imbalance of power in the employee/employer relationship means that consent would have to be explicitly obtained and the employer would have to give employees the right to withdraw their consent and to choose an alternative system to the biometric system to truly make compliance voluntary.
As these issues are being addressed, new ones are popping up. For example, some companies have begun microchipping employees, inserting an implant the size of a grain of rice into the hands of employee volunteers. The microchip works much like the identification tag many employees now wear to open doors or access company accounts. Of course, when an employee resigns or is terminated, it is much easier to retrieve an ID badge than a microchip inserted into the employee’s body!
Whatever feelings employees may have about biometrics, expect that they are here to stay. Like we have seen with other questions about privacy, many people will become resigned to any potential loss of privacy. Andrew Newby, COO of Workwell Technologies, a company offering biometric timekeeping services, said he believes people will accept the use of biometric data as it becomes more commonplace in everyday life, such as using it to unlock iPhones. “I believe employees will become less and less concerned,” he said.
