Publications regarding the Collection and Use of Biometric Data in the Workplace
16 August 2023
The Privacy Protection Authority Continues: Publications regarding the Collection and Use of Biometric Data in the Workplace and the Collection of Geolocation Data of Employees through Applications and In-Vehicle Tracking Systems
Dear customers and colleagues,
The Privacy Protection Authority at the Ministry of Justice (the “PPA”) recently published two documents concerning privacy aspects in the workplace. One concerns the collection and use of biometric information for employees’ attendance control (“Biometric Policy”) (published at this stage as a draft for public comments), and the other concerns the collection of geolocation data through dedicated applications and in-vehicle tracking systems (“Geolocation Policy”).
The PPA is the Israeli regulator responsible for privacy and data protection matters. As is well known, the technological world, and particularly the digital data world, is constantly evolving and rapidly changing. In light of the foregoing, the PPA is required to cope with such changes and to “adapt” the legal framework in place to them.
Therefore, the PPA publishes guidelines, recommendations and opinions on various topics related to privacy issues, and we have recently noticed a clear trend of the PPA focusing specifically on privacy-related issues within the framework of employment relations. In this regard, the tension between the employer’s managerial prerogative and its employees’ right to privacy is well known. Such tension has been addressed by the labor courts in numerous rulings, including in the landmark ruling of the National Labor Court in the Isakov case[1] (which dealt with the employer’s right to monitor its employees’ emails) (the “Isakov Case”).
It appears that the PPA is well aware of such tension and it often adopts principles set by the labor courts (particularly those set by the National Labor Court in the Isakov Case). Moreover, the PPA (in a similar manner to the labor court) concludes and applies the principles set in the Isakov Case to other relevant privacy-related aspects in the context of employment relations, e.g. medical data and remote employment.
Collecting and Using Biometric Data for Employees’ Attendance Control in the Workplace
Biometric identification is the identification of a person through physiological characteristics (e.g. fingerprints, voice and facial features) or through behavioral characteristics (e.g. walking form) (“Biometric Data”). Since Biometric Data is a form of data that a person permanently “carries” with himself/herself, and which does not significantly change throughout most of his/her life, it often serves as a universal “key” for the identification of a person in a univalent manner.
In its Biometric Policy, the PPA notes that in recent years organizations have been using technologies for biometric identification in order to monitor their employees’ attendance and working hours, and that there are various technologies available in the market today which enable biometric identification, e.g. fingerprint, palm print, iris or retina and facial feature scanners.
According to the PPA, the use of biometric systems for monitoring employees’ attendance (“Biometric Systems”) may reduce the risk of unauthorized access or intrusion. However, such use bears various privacy-related risks, e.g. increase in the sense of a “police atmosphere” in the workplace; damage to the employees’ sense of control over their own data; theft, leakage and disclosure of data; use of the data for other purposes than those for which it was collected; etc.
In that sense, the use of Biometric Systems challenges the employees’ right to privacy against the managerial prerogative of the employer and the fulfillment of the employer’s legal obligations (such as the obligation to record the employees’ working hours under the Wage Protection Law and the Work and Rest Hours Law). Therefore, the PPA seeks to put the phenomenon and its inherent privacy-related risks under the spotlight, and to present its guidelines and recommendations to organizations that wish to use Biometric Systems in the workplace.[2]
The PPA emphasizes that it does not seek to prohibit the use of Biometric Systems, but rather to ensure that such use will be carried out while appropriately addressing and respecting the employees’ right to privacy and in accordance with the general principles set in the Isakov Case as well as the specific principles set by the National Labor Court regarding Biometric Data in another ruling – the Municipality of Qalansawe Case.[3]
Following are the PPA’s rules of thumb and recommendations for their implementation under the Biometric Policy –
- Proportionality, Justification and Alternatives. The employer must ensure that the use of Biometric Systems is proportionate. In addition, the employer must justify its decision to use Biometric Systems and base it on its legitimate interests notwithstanding that it infringes the employees’ privacy. This is done (among others) by considering other less invasive alternatives such as: using an employee card (which does not include Biometric Data); installing security cameras that cover the area of the attendance clock (where the footage of the security cameras would only be examined in defined cases of suspected misconduct); storing the Biometric Data only on “smart cards”; and enabling the use of the Biometric Systems only for employees that consent to do so whilst offering a reasonable alternative for employees who refuse to do so.
The PPA clarifies that collecting Biometric Data for identification and attendance monitoring purposes may be deemed a disproportionate measure, unless other less invasive alternatives are impracticable, or that there is a unique justification in specific circumstances that the employer can demonstrate.
- Notifying the Employees. The employer must inform the employees comprehensively with respect to the collection of the Biometric Data and its use. In that sense, employers must inform their employees with respect to, inter alia, the purposes for collecting their Biometric Data; who is responsible with respect to the database in which their Biometric Data will be retained and who are the individuals authorized to access such database; the manner in which their Biometric Data will be secured; the potential risks in relation to the collection and maintenance of Biometric Data; the employee’s rights of review and correction; how the Biometric Data will be maintained and the option to delete Biometric Data from the database; if there are limitations vis-à-vis the Biometric Data’s retention period and usages; etc.
- Employees’ Consent. In the absence of an authorization by law, the employer cannot obligate its employees to provide their Biometric Data for attendance control and/or supervising their working hours, and the employer must obtain its employees’ informed, explicit or implicit, consent for the collection and use of their Biometric Data.
To the extent that the use of the Biometric Systems is proportionate, as aforesaid, the employer may require an employee to provide his/her consent for collecting the data, whereas the employee’s refusal may bear implications in the context of the employment relations (although the PPA clarifies that the Biometric Policy does not address the reasonableness of the employee’s refusal of a proportionate and legitimate request of the employer for the use of Biometric Systems, or the meaning of refusing such request within the framework of the employment relations). Generally, the PPA is of the view that it is appropriate for the employer to enable the use of the Biometric Systems at the employees’ discretion. Nevertheless, it is important to emphasize that while the employee’s consent is crucial, it is not sufficient and consent alone cannot legitimize the collection of Biometric Data which does not adhere to the proportionality condition (as further detailed above).
- Principle of Purpose Proximity. The employer must ensure that the collected Biometric Data will be used only for the purposes for which it was collected (using personal data, including Biometric Data, for other purposes than for which it was collected may amount to an act of infringement of privacy under the law). In light of the above, it is prohibited to collect Biometric Data about employees which is not required, and employers must ensure that the quantity and quality of the collected Biometric Data are in adherence to the required level of identification, and nothing more.
- Data Security. Generally, maintaining Biometric Data in a centralized database of the employer significantly increases its data security risks.[4] The employer shall take advanced measures in order to secure the Biometric Data, such as using unique encryption and encoding mechanisms, segregating Biometric Data from other personal data contained in the database and minimizing access authorizations to the Biometric Data. Given the sensitive nature of a database that contains Biometric Data, the PPA states that it is advisable for the employer to establish stricter data security procedures vis-à-vis such database (i.e. than those applied with respect to other databases of the employer, which do not contain Biometric Data). In addition, the PPA stresses the importance of conducting a privacy impact assessment before commencing with the collection of Biometric Data, as well as the significant value of appointing a privacy protection officer.
- Minimization & Deletion of Data. The employer must assess the necessity of retaining Biometric Data in its possession, and in cases where such data is no longer needed – the employer shall take measures to minimize it, including by its deletion, and surely following termination of employment.
Public comments to the Biometric Policy may be submitted until August 18, 2023.
The Biometric Policy of the PPA is available (in Hebrew) – Click here.
Collecting Geolocation Data of Employees through Applications and In-Vehicle Tracking Systems
The PPA published the final version of its Geolocation Policy regarding the collection of geolocation data of employees through applications and tracking systems (“Tracking Systems”), in which the PPA notes that employers’ use of technological measures to monitor their employees has gained momentum in recent years, including through Tracking Systems that enable pinpointing the physical location of employees (including within the framework of relations that have not yet been determined to constitute employment relations).
According to the PPA, the employer has a legitimate interest in monitoring its employees’ actual working hours, including for recording and reporting the working hours for the purposes of salary calculation and performance supervision. Nevertheless, as already determined by the courts (including by the Supreme Court), collecting and processing geolocation data of a person significantly infringes the privacy of such person, as from geolocation data (in itself, or in combination with data from other sources), one can infer highly sensitive data about a person’s personality, social connections, financial condition, etc.
In light of the above, the PPA specifies in its Geolocation Policy the considerations an employer seeking to use Tracking Systems should take into account and its obligations in connection with such use. On this topic as well, the PPA adopts the same principles set by the National Labor Court in the Isakov Case, and concludes from them the limitations that should apply to employers with respect to the implementation and operation of Tracking Systems.[5]
Following are the key principles set by the PPA in its Geolocation Policy –
- Proportionality. An employer that wishes to use Tracking Systems must comply with the proportionality requirement, so that the use of Tracking Systems will take place only in the absence of less invasive alternatives, and after thoroughly examining the proper ratio between the benefits derived from the use of Tracking Systems and the potential harm and violation of the employee’s right to privacy in the workplace.
- Legitimate & Justifiable Purpose. An employer may use Tracking Systems only where it has a legitimate, justifiable and essential purpose to do so. Determining a broad purpose which lacks affinity to the legitimate interests of the workplace will not be deemed a justified purpose for monitoring the employee. The employer shall first consider whether the nature of the employee’s role and its quality justify tracking such employee’s geolocation (e.g. drivers, couriers and salesmen). Generally, it would be difficult to demonstrate a business interest of the employer that justifies a continuous collection of geolocation data, if the employee’s role primarily involves usual office work.
- Minimizing the Infringement of Privacy. Tracking Systems shall only be used in the absence of less invasive alternatives (that do not collect geolocation data) which are capable of fulfilling the purpose for collecting geolocation data. For example, the employer should examine whether the Tracking System can be designed or defined in such a manner that would only verify if the employee is located in specific geographic waypoints, or whether a mobile app can be used with which the employee reports his/her arrival (and in relevant cases, the completion of his/her task). In any event, an employer shall refrain from collecting employees’ geolocation data outside of working hours. In addition, the employer should consider whether the Tracking System can be programmed so that it will retain encrypted or de-identifiable data (and only in exceptional cases that were pre-determined and communicated to the employees in advance, such data may be decrypted or rendered identifiable). Also, the employer must address the time range during which geolocation data is collected, the usage of such data and its personnel with access rights to it, and explain its decision whilst addressing the possibility of using less invasive alternatives.
- Principle of Purpose Proximity. The employer is prohibited from using collected geolocation data for any purpose other than the purposes for which it was primarily collected. The employer must determine the purposes for using such data in advance, after which the employer shall establish a clear policy regarding the matter, which will be presented and communicated to the employees.
- Transparency. The employer must act in full transparency towards the employees, and before commencing with the collection of geolocation data, the employer shall clearly and cohesively inform the employees, in detail, of the policy regarding the extent of use of such data, including the purposes for such use, time range during which the Tracking System will be operational, data retention period, personnel that will receive access rights to it, etc.
- Consent. Given that a Tracking System is a monitoring measure that will accompany the employee throughout his/her working hours, including outside the employer’s premises, the position of the PPA is that the employer needs to obtain the employee’s specific consent for collecting his/her geolocation data. In addition, such consent should be tailored and limited solely to the purpose for which it was requested (for example, consent for installing an in-vehicle tracking device for theft prevention does not implicitly include a consent to collect the vehicle’s users’ geolocation data by the employer).
The Geolocation Policy of the PPA is available (in Hebrew) – Click here.
Each position paper of the Protection of Privacy Authority serves as a guideline for employers and is adopted (as stated above) in numerous rulings of the labor courts. Therefore, employers that use technological systems for biometric identification and/or geolocation tracking, as well as employers that are interested in examining the possibility of making such use, must operate in accordance with the law and ensure they are doing so (if necessary) during their operation.
This is, amongst others, in order to avoid potential claims of former employees (including claims of infringement of privacy which, in certain cases, may enable the court to rule monetary damages in significant amounts and without having to prove damages to the plaintiff), as well as in order to ensure materials obtained through the use of such technological systems will be permitted (as generally materials obtained while infringing privacy cannot be used as evidence in courts).
Accordingly, we invite you to contact us for any individual or specific consulting you require and for conducting a thorough and comprehensive review of the relevant privacy aspects in your organization, as well as regularizing that which requires regularization.
The Commercial Department & Labor Law Department
Herzog Fox & Neeman
[1] CA (National) 90/08 Tali Isakov Inbar v. the State of Israel – The Commissioner for the Women’s Labor Law (Published on February 8, 2011).
[2] The PPA clarifies that its Biometric Policy is also relevant, mutatis mutandis, in the context of online and remote employment. However, the PPA also emphasizes that its Biometric Policy does not address the use of biometric systems for identification purposes of all entrants to the employer’s premises for security and purposes but rather only within the context of employment relations.
[3] ACD (National) 7541-04-14 New General Workers’ Union Southern Triangle Region v. Municipality of Qalansawe (Published on March 15, 2017).
[4] A database that contains Biometric Data (of any kind) is a database which is subject, to the minimum extent, to the medium level of data security, in accordance with the Protection of Privacy Regulations (Data Security), 5777-2017.
[5] It should be noted that the approach of the courts in the past was more lenient with respect to employees whose permanent place of employment was outside the employer’s premises or in case the supervision of the employees was difficult due to the specific nature of their position, such as drivers and couriers (e.g. in CD 1026/06 New General Workers’ Union v. OIE Oil & Energy Infrastructures Ltd. (Published on September 18, 2006), the Regional Labor Court of Beersheba determined that in certain circumstances, operating an in-vehicle tracking system during working hours will not be deemed as infringing an employee’s privacy). However, given the technological developments and the emphasis privacy aspects receive nowadays (in Israel and globally), as well as the Isakov Case and case law of the Supreme Court vis-à-vis the sensitive nature of geolocation data (e.g. CAA 2404/21 Jane Doe v. John Doe (Published on July 22, 2021)), the PPA takes a position and interprets the law in a manner suitable and adaptable to the current technological era.