Biometrics: Coming Soon to a Workplace Near You

  • Wednesday, October 25, 2017

Print This Page Share

Movies have been relying on biometrics for more than 50 years with great success, from James Bond to Minority Report to Blade Runner. Now, as real life is finally catching up with Hollywood, employers have begun using biometric data with increasing frequency in all aspects of the workplace. While the use of these technologies undoubtedly provides many benefits and efficiencies for employers, the collection of such sensitive data also comes with the potential for legal liability.
 
What are Biometrics and How are they Being Used in the Workplace?
“Biometrics” in the workplace are typically measurements of individuals’ unique physiological characteristics or patterns, such as hand geometry, eye scans, fingerprints, facial recognition, or voiceprints that are quick and easy for an employer to scan to confirm identity. Employers often collect and use biometric data to establish time records for employees (fingerprint), to restrict access to specific areas, computer systems, data or devices (eye scan), and to provide security (hand geometry).
 
Are there Any Laws Governing the Use of Biometrics?
Some states, such as Illinois, Texas, and Washington, have already passed specific laws to address the collection and use of biometric data by employers and others. All of these privacy laws require employers to provide notice and obtain consent from employees before collecting and storing biometric data. The laws also require employers to exercise reasonable care to protect the biometric data and dictate how the data may be properly destroyed. The Illinois statute additionally provides for a private right of action for violations, which has led to at least 10 class action lawsuits filed in this year alone by employees. In addition to these privacy laws, numerous other states, such as Michigan and Texas, have data breach notification laws that require notifications relating to the disclosure of biometric data.
 
Here in New Hampshire, laws have already been passed prohibiting some government agencies from collecting “biometric” information, such as the Department of Motor Vehicles when registering motor vehicles or issuing licenses (RSA 260:10-b). In addition, earlier this year, legislation was introduced, HB 523 (the Biometric Information Privacy Act), similar to the privacy laws referenced above. The legislation’s specific purpose is to “regulate the collection, retention and use of biometric information” by private entities and individuals. Among other things, the proposed law would require New Hampshire employers to obtain a written release from an employee prior to collecting biometric data from the employee. The law contains several exclusions from the definition of biometric data, including handwriting samples and “[i]nformation captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.” In the event of a violation, like the Illinois statute, HB 523 would allow for a private right of action, including a right to statutory damages, attorneys’ fees, costs, and injunctive relief.  
 
The ultimate fate of HB 523 is uncertain. As of October 10, 2017, the law had been retained in committee, which likely means it will not pass this legislative season. Nonetheless, New Hampshire employers should proceed with caution when collecting and storing biometric data. Biometric data is inherently personal and private, and the misuse of such information can already lead to litigation by employees, such as for breach of privacy, discrimination, or negligence.
 
Best Practices for New Hampshire Employers
Prior to using technology that relies upon the collection of biometric data, employers should adopt a written policy and/or procedure addressing the topic. This will place everyone on notice of the purpose of the technology, and everyone’s rights and responsibilities. Among other things, the policy should require the use of a written consent form, to be signed by the employee, and a clear statement that the data will not be sold or disclosed, unless the individual has expressly consented to the disclosure or the disclosure is authorized by law. Further, the policy and procedures should address how the information will be stored and protected (similar to how all confidential information is protected in the workplace). Lastly, employers should identify what steps will be taken in the event that the biometric data is compromised.
 
With biometric privacy legislation pending in several states, and the recent rise in litigation in this area, it is likely to remain a hot topic in the area of employment law for the near future.

Please do not hesitate to contact anyone in Devine Millimet’s Labor, Employment & Employee Benefits or Healthcare Practice Group if you have any questions regarding this topic.

Tabitha Croscut

Shareholder

603-695-8542
Send an Email

Patricia M. McGrath

Shareholder

603-695-8537
Send an Email

Margaret "Peg" O'Brien

Shareholder

603-695-8631
Send an Email

Anne G. Scheer

Of Counsel

603-410-1708
Send an Email

Donald Lee Smith

Shareholder

603-695-8729
Send an Email