High risk for biometrics


The use of biometric technology in the workplace is on the rise. But the absence of privacy laws means employers run the risk of violating employees’ privacy, says law firm Bowman and Gilfillan.

While the Protection of Personal Information (POPI) Bill has not been signed into law, the use of biometric systems has risen in both the private and public sectors. Despite the lack of laws governing personal information, the police have already mandated the roll-out of fingerprint ID switches, which will impact on access to personal information.

Recruitment companies are also adopting biometric systems and many private firms are increasingly using the technology as a security and access control measure, ITWeb reports.

Senior associate at Bowman and Gilfillan Lusanda Raphulu says that, since laws are not in place, employers will have to be guided by the provisions in the POPI Bill when dealing with employees’ personal information.

The POPI Bill, which was submitted to the justice minister in February last year, aims to promote the protection of personal information processed by public and private bodies. The Bill looks to establish minimum requirements for the processing of personal information and provide for the establishment of an information protection regulator.

Raphulu adds the Bill requires employers to inform their employees of the specific purpose for which their fingerprint is being collected and who would have access to such information – and that these procedures should be followed in the absence of legislation.
“Employers should explain to employees how the system will work and what information will be stored on the system. In circumstances where only biometric identity templates are stored on the system, as opposed to actual images of employees’ fingerprints, employees should be advised of this,” notes Raphulu.

Increased risk

In August, Cabinet approved the POPI Bill to go before Parliament. The draft law has been nine years in the making and will have a profound impact on business. The SA Law Commission has been drafting the Bill since 2000 and issued the first discussion paper in 2003. Justice and constitutional development minister Jeff Radebe previously said the implementation phase is set to begin on September 10 this year.

Raphulu explains that, at present, except for the common law and an individual’s constitutional right to privacy, there is no data protection legislation in place and this raises important questions for employers.

Generally, biometric identity templates are secured, but the information still needs to be managed and stored correctly, says Raphulu. Templates which are created and stored cannot be reconstructed into the fingerprint images, so even if the system was tampered with by someone meaning to access the identity data of employees by breaking into the system, they would only find useless strings of numbers, as no image of any fingerprint is ever stored within the system.

But the absence of terms governing personal information and the collection, recording, storage, and use of the information as regulated in the Bill, will increase the risk employers carry.
“Employers must ensure that the information collected is only used for the purpose for which it was initially collected. As records of personal information should not be kept in a form which allows an employee to be identified for any longer than is necessary to achieve the purpose for which the information was initially collected or subsequently processed – unless the employee has authorised their employer to retain the record – the employer should destroy such record after the expiry of the necessary statutory period,” says Raphulu.