The Israeli Privacy Protection Authority (PPA) has published draft guidelines concerning employers’ collection of biometric data, and is asking for public comment. “Policy Paper: Collection and Use of Biometric Data at the Workplace” maintains the PPA’s previous position, which generally advises employers to avoid collecting biometric data, though it also acknowledges that employers are entitled to use biometrics to monitor employees’ presence at work during working hours.
The draft policy paper highlights the sensitive nature of biometric data, framing it as a permanent and unique aspect of individuals. Although biometrics offer precise identification and heightened security, they also pose several risks. One concern is that employees might not freely consent to their biometric data usage due to the power dynamics in the employer-employee relationship. Additionally, there is a risk of data breaches and potential misuse by bad actors for identity theft.
The PPA underscores the principle that employers’ right to collect and use biometric data is subject to specific criteria and must be reasonable, proportionate, and based on informed employee consent. The paper recommends exploring alternatives to biometric data usage for employee monitoring purposes, listing options such as company-issued cards or decentralized storage on smart cards.
Moreover, the PPA emphasizes the importance of proper notification and transparency. Employers must inform employees about the purpose of data collection, data security measures, and their rights regarding data deletion, inspection, and correction. Informed and free employee consent is required, and refusal to provide biometric data might affect an employee’s labor rights.
To ensure data security, the PPA recommends employing encryption and unique coding mechanisms for biometric data storage. The paper encourages employers to create strict internal policies for biometric data protection, and it suggests conducting Data Privacy Impact Assessments and appointing Data Protection Officers.
Employers are also reminded to perform regular reviews to minimize unnecessary data storage and adhere to database registration requirements, including answering specific questions about the use of biometric data.
The deadline for public comment is August 18, 2023.
July 31, 2023 – by the FindBiometrics Editorial Team