On July 17, 2023, the Israeli Privacy Protection Authority (the “PPA”) published a draft policy paper, “Policy Paper: Collection and Use of Biometric Data at the Workplace” (the “Policy Paper”), to address its concerns with organizations using biometric identification technologies to monitor their employees' attendance in the workplace. The Policy Paper lays out the privacy risks and the legal ramifications of engaging in this practice, and provides guidance for organizations in connection with such use. The PPA holds that using biometric information should not be prohibited; rather, it should be done with careful consideration for employees’ privacy. The draft policy paper seeks to expand and update the PPA’s previous paper from 2012 on the collection and use of employees’ biometrics. Accordingly, the draft policy paper references recent developments in the field of biometric identification. While the general recommendation to refrain from using biometrics wherever practicable did not change, this draft policy paper suggests a specific list of alternatives to using biometrics and lists them in order of preference, thus clarifying the PPA’s perspective on the collection and use of biometrics in the context of employment relations.
Risks and Benefits. The underlying sensitivity the PPA highlighted with respect to biometric information is that such information, whether physical biometrics such as fingerprints or facial traits, or behavioral biometrics such as gait analysis, is effectively a permanent part of a person, something which does not change throughout a person's life; using such data creates a “key” to the specific person. The benefit of using such information for identification purposes is that it allows one to identify a person with certainty and to minimize situations of unauthorized access to databases or data breaches. The risks attendant to the use of biometrics include the risk that the employee’s consent is not freely provided (given the power dynamics in the employer-employee relationship) and that the employees’ biometric data might be used by the employer outside the purpose limitation, i.e., the purpose for which it was provided. Moreover, the biometric data of the employees might be leaked or stolen and used for various malicious purposes by a bad actor, including for purposes of identity theft.
General Principles. Under Israeli law, including case law, employees have the right to privacy in the workplace, and thus employers’ right to collect and use employees’ biometrics is subject to their meeting certain criteria. Accordingly, the PPA reiterated that, in general, employers have the prerogative to collect and use employees’ biometric information to monitor their presence at the workplace and their working hours. However, the collection of the information and its use must be done in a reasonable and proportionate manner, subject to the employees’ informed consent, while applying the data security regulations and adhering to the principles of data minimization and purpose limitation.
Alternatives. The PPA emphasizes the importance of examining alternatives to using biometric data for purposes of monitoring employees’ attendance at the workplace, and lists the recommended alternatives in order of preference:
The PPA emphasizes that, according to Israeli case law, collecting employees’ biometric data and storing it in a database is only permissible if reasonable alternatives are impracticable or if the employer can show that there is a special justification for such use.
Notification Obligations. Additionally, employees would need to be provided with sufficient details, in clear and understandable language, regarding: (a) the purpose of collecting the information; (b) the identity of the database manager; (c) data security measures; (d) the possible dangers of collecting and storing the information; (e) the employees’ rights to data deletion, inspection and correction; (f) the purposes of the collection of the biometric data; (g) to which parties such data may be transferred and what uses such parties could make of it; (h) how the data is stored; and (i) information regarding data retention periods. We recommend doing so by means of a clear policy provided to the employees.
Consent. Unless the collection of biometric data is specifically authorized by law, informed and free employee consent is required. This consent does not necessarily have to be written or explicit, but may be implied (for example, by using the biometric system after being provided with the policy). In addition, if the employer’s request to collect the employee’s biometric data is reasonable and proportional, the employee’s refusal could adversely affect such employee’s rights in the context of labor law.
Limitation Principle. The data in the database may only be used for the specific purpose for which it was collected. The employer must ensure that the quality and quantity of the data collected are appropriate for the intended use.
Security. The employer is required to take appropriate measures to ensure the security of the databases in compliance with the Protection of Privacy Regulations (Information Security), 2017. The PPA also recommends using encryption and coding mechanisms specific to biometrics, as well as storing the biometric data in a database separate from other personal data.
Additionally, the PPA recommends that employers create internal policies for minimizing the risks of a breach of privacy arising from the use of biometrics. The PPA expressed the opinion that these policies should be stricter than those used in connection with other databases, especially in terms of data security. Storing the biometric data on a smart device that is kept in the employee’s possession is preferable to storing it in a centralized database.
DPIA and DPOs. The PPA also recommends performing a Data Privacy Impact Assessment regarding the collection and use of the biometric data, as well as appointing a Data Protection Officer.
Data Minimization and Deletion. The PPA stressed the importance of performing annual reviews to ensure that the employer is not holding unnecessary data. For example, an employer should review whether it is necessary to continue storing personal data of terminated employees. Unnecessary data should be minimized or deleted.
Database Registration. The Protection of Privacy Law, 1981 (the “Privacy Law”) requires registration of databases that include biometric data. The Policy Paper lists the questions that must be answered during the registration process, including questions about which technological alternatives were considered by the employer and whether employees were allowed to choose an alternative that does not involve the collection of biometric data. The PPA underscores that it may refuse to register a database if it has reasonable cause to assume that the biometric data is being collected in violation of the Privacy Law.
In light of the PPA’s Policy Paper, we recommend that any of our clients who collect or use biometric information of their employees, or intend to do so, ensure that they meet all legal requirements.
The PPA is open to receiving comments on this draft Policy Paper until August 18, 2023.