Biometric information refers to measurable personal physical characteristics that can be subjected to authentication techniques to automatically verify identity. To date, our law has not specifically dealt with whether biometric information can be collected or not. Our Constitution recognises the right to privacy of each individual and that this includes the right to be free from intrusions and interference in one’s personal life. Yet our courts have also recognised that this right is not absolute and that as a person moves into communal relations and activities involving business and social interactions, the scope of personal space and privacy shrinks accordingly.
The new Protection of Personal Information Act (POPI) provides us with more concrete direction as to how employers should approach biometric information. POPI in general determines that the collection of personal information of an employee is not allowed, unless the processing is carried out with the consent (implying that the employee must be aware of such collection and the reasons therefor) of the employee or is required by law. The term “personal information” is defined very widely in POPI and can include biometric information. The employee can withdraw his consent and object to the continued use of the biometric information as well as even request the deletion or destruction of the personal information. Additionally, the employer may only use the biometric information for the specific reason for which consent was provided and must further ensure, and even put measures in place to ensure, that no unauthorised access to the biometric information is obtained.
So how must an employer go about ensuring that its obtaining and use of biometric information is in compliance with POPI? The first important requirement is to obtain the consent of its employees. Provision for consent can be included in the employment contract or conditions of service of staff. Such consent should flow together with an explanation of the reasons for the obtaining and use of such biometric information as well as an explanation of the consequences for the employee should such consent not be provided. Additionally, provision should be made for employees to object to the use of and/or request the deletion of such biometric information, again with an explanation of the consequences of such actions. Such consequences, depending on the security needs of the employer, may include a range of consequences, from additional security measures that have to be employed to verify the identity of an employee not being allowed access to offices or systems and consequently being unable to provide his services effectively, which could lead to dismissal for a failure to perform. Where biometric access and security measures are inherent requirements to perform a job, it would also be important to prior to appointment inform potential candidates that such biometric information will be required as a condition of employment and that should such not be provided or consent for use be withdrawn, termination of the contract of employment may result as a direct consequence.
Employers should also when installing biometric systems, ensure that the systems are POPI compliant as to storage and access of the biometric information and that staff that have access to such biometric information are aware of the requirements of POPI as to the access and use of such biometric information.
POPI is not yet in effect, but this should not lull any employer into a false sense of security. If you are an employer using or wishing to use biometric technologies, it is recommended that you review your employment contracts and policies and align these with the requirements of POPI.