In a new class action filed recently against a hospital housekeeping company, employees allege their employer’s fingerprint-scanning time-tracking system runs afoul of privacy laws. The Pennsylvania-based company Xanitos Inc. now faces the lawsuit in federal court in Illinois; the suit claims the company violated the state’s Biometric Information Privacy Act (BIPA).
The Illinois law, one of the strongest in the country, requires a private entity to obtain consent before collecting biometric data; to timely destroy such data when the purpose of collection ends; and to securely store such data. Xanitos employees claim that the company failed to obtain their written consent, failed to inform them of the purpose and length of time for which their fingerprints were being collected, and failed to provide a retention schedule and guidelines for destroying their fingerprint data.
“While there are tremendous benefits to using biometric time clocks in the workplace, there are also serious risks. Unlike key fobs or identification cards…fingerprints are unique, permanent biometric identifiers associated with the employee,” the potential misuse of which “exposes employees to serious and irreversible privacy risks,” according to the complaint.
The class seeks liquidated damages of $1,000 per violation.
This type of potential liability should give employers pause when considering biometric timekeeping systems, or other uses of biometric data in the workplace. There are dozens of fingerprint time clock software companies and systems advertising many benefits to employers: saving time, promoting efficiency, increasing accuracy, and eliminating “buddy punching,” for example. Employers should be aware of legal considerations that come with using employees’ biometric data:
- State laws, like those in Illinois, Texas, and Washington, that impose specific protections for biometric data
- Data breach notification laws, which could require an employer to notify an employee if her biometric information is exposed through a data breach
- Laws prohibiting employers from requiring their employees to submit to fingerprinting generally, such as in New York
- General liability for negligence or invasion of privacy, especially if an employer fails to protect and secure biometric data
For employers who already have or are interested in implementing a fingerprint-based time clock system, best practices include:
- Maintain a written policy governing your use of biometric data. The policy should explain your purpose for obtaining biometric information, how the company will use that information, retention policies and destruction procedures, and information about security protocols to protect employees’ data.
- Safeguard the privacy and security of your employees’ biometric information.
- Obtain written consent from employees before collecting any biometric information.
- Review agreements with service providers to ensure compliance with your own biometric data policy, and to properly allocate risk in your contracts.
- Consult counsel for help in reviewing your workplace’s use of biometric data for compliance with applicable law.