Using biometrics in the workplace to track employees’ work time is legal in Quebec, so long as employers follow the Quebec Commission on Access to Information (CAI) guidelines. Companies that don’t follow the CAI guidelines can face serious financial consequences. The CAI will, as of Sept. 22, have the ability to impose significant administrative monetary penalties, running into millions of Canadian dollars.
What Is a Biometric Clock?
“Tracking employees’ time with biometric clocks involves using biometric information, such as fingerprint, palm, facial or iris scan, to accurately record their attendance and working hours,” said Ayse Gauthier, an attorney with McMillan in Montreal.
There are a few different steps in using biometric clocks.
“First, there’s the biometric enrollment, when employees are required to enroll their biometric data into the system. Then, biometric clocks are placed around the workplace. These clocks are equipped with sensors capable of capturing the necessary biometric information,” Gauthier said. To record their attendance or working hours, employees approach the biometric clock and follow the authentication process. “This process varies depending on the type of biometric technology being used,” Gauthier said. “Once the biometric data is captured, it is processed by the system. The system verifies the employee’s identity by comparing the captured data with the stored templates in its database.”
There’s an internal process at first, which is a review of why biometric information is necessary. “That should be documented and well-established,” said Alexandra Quigley, an attorney at Dentons in Montreal. “The CAI recommends having a privacy impact assessment prior to developing the system to really ensure this is the correct way to move forward and how it’s going to be implemented within the organization.”
There are a few precautions that can be taken to make sure the use of biometrics is justified and compliant with CAI guidelines.
“When deciding whether to establish a biometric database, organizations must first determine if their purpose for doing so is important, legitimate and real,” Gauthier said. “Organizations must undertake an assessment of the circumstances and issues that led to the decision to implement a biometric time clock.”
Companies can ask themselves if the measure is demonstrably necessary, if the collection of biometrics will be effective in terms of that need, if the loss of privacy is worth the gained benefit, and if there’s a less privacy-intrusive way to achieve the same goal, among other questions.
“You want to look at exactly how the data is going to be used, the purposes for which it will be used, how [it] can be integrated, and try and limit the use of that biometric data to those specific purposes,” Quigley said.
Get Consent or Face Fines
Companies need to make sure they are getting consent from their employees to use biometrics. “The CAI has published a consent template, available in French only, which organizations can use and adapt to their own specific needs,” Gauthier said. “Organizations must provide consent forms containing all the necessary information to their employees to obtain their express consent, which must be free, informed, specific and time-limited.” But it’s still important to make sure the collection of biometrics is a need. “In other words, consent is not a substitute in the absence of necessity.”
The CAI has broad powers to investigate suspected violations.
“The CAI can, on its own initiative or pursuant to the complaint of an individual, investigate an organization if it suspects that it does not comply with the law,” Gauthier said. “Furthermore, individuals can now bring a private action against an organization for damages resulting from the unlawful infringement of the right to privacy.”
Employees always have the option to opt out of biometric data collection, even if their company is completely compliant with the CAI. “There are a multitude of alternatives to biometric clocks, like, for example, traditional time clocks, such as punch card systems or electronic keypads, which allow employees to manually clock in and out by entering their employee ID [or] a personal identification number or using swipe cards,” Gauthier said.
Companies would be best served by covering all of these bases, from compliance to consent, before implementing biometric clocks.
Katie Nadworny is a freelance writer in Istanbul.