Can an employer demand biometric information from its employees?

The need for greater and more stringent security measures in the business environment, has seen the introduction of sophisticated control and security systems. These systems increasingly make use of biometric information such as fingerprinting, blood typing, voice recognition, retinal scanning etc. as unique personal identifiers allowing access to/egress from physical locations, programmes, systems or networks. For an employer to implement such control measures, biometric information must be collected from employees, raising the question as to whether employees can be forced to provide biometric information, under which circumstances and for what purposes.

Biometric information refers to measurable personal physical characteristics that can be subjected to authentication techniques to automatically verify identity. To date, our law has not specifically dealt with whether biometric information can be collected or not. Our Constitution recognises the right to privacy of each individual and that this includes the right to be free from intrusions and interference in one’s personal life. Yet our courts have also recognised that this right is not absolute and that as a person moves into communal relations and activities involving business and social interactions, the scope of personal space and privacy shrinks accordingly.

The new Protection of Personal Information Act (POPI) provides us with more concrete direction as to how employers should approach biometric information. POPI in general determines that the collection of personal information of an employee is not allowed, unless the processing is carried out with the consent (implying that the employee must be aware of such collection and the reasons therefor) of the employee or is required by law. The term “personal information” is defined very widely in POPI and can include biometric information. The employee can withdraw his consent and object to the continued use of the biometric information as well as even request the deletion or destruction of the personal information. Additionally, the employer may only use the biometric information for the specific reason for which consent was provided and must further ensure, and even put measures in place to ensure, that no unauthorised access to the biometric information is obtained.

So how must an employer go about ensuring that its obtaining and use of biometric information is in compliance with POPI? The first important requirement is to obtain the consent of its employees. Provision for consent can be included in the employment contract or conditions of service of staff. Such consent should flow together with an explanation of the reasons for the obtaining and use of such biometric information as well as an explanation of the consequences for the employee should such consent not be provided. Additionally, provision should be made for employees to object to the use of and/or request the deletion of such biometric information, again with an explanation of the consequences of such actions. Such consequences, depending on the security needs of the employer, may include a range of consequences, from additional security measures that have to be employed to verify the identity of an employee not being allowed access to offices or systems and consequently being unable to provide his services effectively, which could lead to dismissal for a failure to perform. Where biometric access and security measures are inherent requirements to perform a job, it would also be important to prior to appointment inform potential candidates that such biometric information will be required as a condition of employment and that should such not be provided or consent for use be withdrawn, termination of the contract of employment may result as a direct consequence.

Employers should also when installing biometric systems, ensure that the systems are POPI compliant as to storage and access of the biometric information and that staff that have access to such biometric information are aware of the requirements of POPI as to the access and use of such biometric information.

POPI is not yet in effect, but this should not lull any employer into a false sense of security. If you are an employer using or wishing to use biometric technologies, it is recommended that you review your employment contracts and policies and align these with the requirements of POPI.

April 6, 2014
South Africa: The approach to regulating AI compared with the EU

South Africa: The approach to regulating AI compared with the EU

South Africa is actively working towards effective AI regulation, recognizing the need for
specialized legislation due to AI’s unique challenges and potential for consumer
protection and economic growth. The country’s efforts include the Presidential
Commission Report on the Fourth Industrial Revolution, the establishment of the Centre for Artificial Intelligence Research, and the drafting of an AI Blueprint during its AU
chairmanship, advocating for a unified African AI approach.

Merging the pieces when transactions become indivisible

Merging the pieces when transactions become indivisible

On 28 June 2024, the Competition Commission published Draft Guidelines under section 79(1) of the Competition Act to address its approach towards ‘indivisible transactions.’ These guidelines are aimed at providing clarity on how multiple transactions can be evaluated as a single merger filing. In this article, we explore the key elements of the Draft Guidelines and the rationale behind their publication, offering insight into their potential impact on merger control in South Africa.

Sign up to our newsletter

Pin It on Pinterest