Biometrics at Work: The Latest (i4cp login required)

Productivity

Think of your daily use of biometrics—you likely apply a
fingerprint to log into your phone. Or maybe you have voice recognition tied to
your bank account. You might submit to iris or hand scanners to gain access to certain
things and spaces (for example, my family doctor recently installed a hand
scanner for fast check-in at the front desk).

Even amusement parks use biometrics—Disney’s “ticket tag”
system in use at the entrances of many of its theme parks helps to manage
re-entry of guests and prevent fraud. The Disney technology involves the guests
placing a finger on a reader, which then scans and converts the fingerprint
image into a unique number associated with the individual’s admission ticket. Disney
says the fingerprint images are discarded immediately—the images are not
stored.

In the workplace, employees are increasingly
using biometrics to enter and exit workspaces, log in to computers,
to access sensitive data, etc. The Wall Street Journal speculated
last week
that the days of badging into work with a swipe of your ID card
are nearly over, asserting:

“Plastic cards may soon give way to
biometric systems, microchip implants, gait recognition, and other technologies
that aim to improve security, generate health data and monitor workers.”

And as the Institute for Corporate Productivity’s (i4cp)
talent acquisition study noted
in 2018,
software that runs AI in the background assessing eye contact,
facial expression, and verbal tones during video interviews is becoming more
commonplace in the hiring process. But concerns understandably persist. As
i4cp’s major 2019 study, Automating
Work: The Human/AI Intersection
noted:

“When asked about advanced work
automation and ethics, the top two issues cited by organizations were privacy
regarding data collection (45%) and security regarding data warehousing (44%).
These are both foundational aspects of using modern technology and, due to the
prevalence of broadly publicized data breaches, the concerns are warranted.”

The rapid evolution and adoption of personal data collection
technology requires us to stay on top of what’s new. It also asks us to trust
the entities that are collecting our data. For some, this is no big deal. For others,
a corporation (or any entity for that matter) asking us to simply trust that they
will protect our personal data, to include our biometric data, is a little too
much.

For the lawmakers in some U.S. states, the latter is of
enough concern that they have passed legislation to oversee the collection,
use, and storage of this very personal data.

So far, Illinois, Texas, and Washington have biometric
privacy laws in place, and
California’s Consumer Privacy Act (“CCPA”
) went into effect this month. The
CCPA is quite sweeping, allowing California residents to access and obtain
copies of the data that companies store on them, and the right to delete that
data and opt-out of companies selling or monetizing their data.

Experts at the National Law Review predict that other states
will soon follow suit with their own versions of data privacy laws that may have
implications for employers; Michigan, New Hampshire, Arizona, Alaska, Montana,
Florida, and Massachusetts have each introduced legislation addressing
biometric privacy.

The Illinois
Biometric Privacy Act (“BIPA”)
has set down strict requirements for
businesses that collect the biometric information of applicants and/or
employees. Businesses must
obtain written consent
from individuals before obtaining their biometric
data, and in the process of seeking that consent, they are required to disclose
the nature of the data they are collecting, why, and their policies for usage
and storage. See a sample biometric data consent form here.
Further, the state’s Artificial
Intelligence Video Interview Act
, which took effect in January 2019,
explicitly requires that employers also provide candidates information about
how any video technology in use works and obtain their consent.

 A few additional
points of note:

  • Each state that has passed legislation regarding
    biometrics defines the term in its own way. For example, California’s
    biometrics privacy act is broad. As the National
    Law Review reported this month,
    California’s regulations cover “physiological,
    biological, and behavioral characteristics and includes not only the
    traditional fingerprint and retinal scan, but also keystroke and gait patterns
    as well as sleep, health, and exercise data that contain identifying
    information.” Illinois and Texas legislation define biometric identifiers as
    specific to fingerprints, retina or iris scans, voiceprints, or scans or records
    of hand or face geometry. The Illinois law further defines biometric
    information to include “any information, regardless of how it is captured,
    converted, stored, or shared, based on an individual’s biometric identifier
    used to identify an individual.”  
  • There are exemptions in some states specific to
    organizations collecting the personal information of their employees as long as
    doing so is reasonable and within the scope of employment. Some legislation,
    such as a bill that has been proposed in Arizona, doesn’t apply to employers
    colleting biometric identifiers for employment purposes, unless the company
    sells or discloses that data to a third party.

What’s ahead? Look for more states to pass legislation
similar to that of Illinois. The sweeping California legislation is often
referenced in current literature in the context of a U.S. version of the European
Union’s General Data Protection Regulation (GDPR), considered the benchmark for
online data privacy. It’s worth looking into your own organization’s current
use of biometrics and plans to expand doing so in the future and assessing what
it will take to get into compliance now (or at least start heading in that
direction).

Leave a Reply

Your email address will not be published.