There is nothing new about collecting data in the workplace. From bundy cards to visitor logins and secure swipe access, businesses have always needed to know who is in their building to meet their compliance and governance obligations as well as protect staff, inventory, information, and assets.
Now our workforces need even more protection in COVID times, so it makes sense that we look to more advanced technology to help us do that. And technology such as facial recognition, or biometric data, has also migrated from the highest level of secured access facilities to an everyday presence on our computers, hand-held devices, and phones.
We are used to using facial recognition or thumbprints to unlock our smartphones, search our photos faster and play on social media. So why is it such a concern when it comes to business? When people use the technology in their personal life, they feel they are in control and that its use or storage is under their directive. While this is not necessarily the case, installing facial recognition technology can concern some employees or visitors for privacy reasons.
This is an easy 5-Step Guide to having the privacy conversation with your clients that includes:
• explaining their obligations under the Privacy Act;
• how to remain compliant while meeting their business needs; and
• how to communicate to their workforces.
We have also created a whitepaper with legal expert Shah Rusiti who explains the privacy compliance topic in more detail. Facial Recognition Technology and Australian Privacy Law can be shared with your clients and is available here.
The first step for you and your client is to identify and understand why they want to use this technology over different forms of security. By drilling down into their needs, they can review all possible options and know their choice is meeting their exact requirements.
Businesses all over the world are using facial recognition and COVID tracing technology to not only protect workplaces and workforces from exposure to the COVID virus and resulting impacts but also for the following reasons:
• Identify employees and visitors automatically without needing to sign in.
• For visitors, guests, or the public generally.
• Hands-free entry into workplaces without having to touch a keypad.
• No alarm passcode to remember or protect.
• Easy tracking of arrival and departure times and entry to secure areas. Know who is on the premises at all times for workers compensation and insurance compliance.
• Automatic temperature checks with alerts passed on to management.
• Know where a positive COVID person has been in your workplace so you can immediately notify contacts and shut down only the affected areas.
• Real-time alerts on problem gamblers or barred individuals from clubs and hotels.
The key to increasing privacy and ensuring compliance under the Privacy Act is to keep information collected to a minimum. What information does your client really need? It’s much easier to collect only data that will be used and valuable, rather than store large amounts of unused data that could fall into a breach of the Act for unforeseen reasons.
It is important for your client to be clear about what information they collect and why they are doing so. This will be important when communicating with employees, visitors, and any stakeholders. There should be a good reason for you to collect this information.
To ensure compliance with privacy laws, companies must understand what they can and cannot do in terms of collecting the information and how it is stored and used.
Privacy statements and policies need to be updated to include Automatic Facial Recognition Technology (AFRT), and then the policies must be tested by a legal professional against the Privacy Act requirements.
Privacy compliance is an essential feature of all businesses today, regardless of whether they use AFRT or biometric technology or not. The Privacy Act and Principles lay out clearly defined rules and obligations which companies must comply with when collecting, using, and storing personal information.
A privacy policy is a statement explaining, in simple language, how companies handle personal information. Your client must have one. It should be clear in setting out how they comply with their obligations under the Privacy Act.
Introducing new technology offers an opportunity to review an organisation’s policies and procedures and enhance its privacy policies and compliance procedures. Doing so, and being able to give staff and customers comfort that appropriate measures are to be taken to ensure their information is secure and will only be used for legitimate purposes, will assist in obtaining the consents needed for the collection and use of biometric data.
The key to success is to ‘keep it simple’.
AFRT involves the collection of sensitive personal information, so the collection, use, retention, and disclosure of that sensitive information requires consent from the individual.
In the case of employees, that consent may be contained in employment contracts or it may be obtained in other ways, such as employees consenting to updated policies and procedures.
The collection of sensitive personal information, such as images generated using facial recognition and other biometric data technology, requires express consent, either in employment terms or by way of separate consent.
Visitors, customers and other non-staff persons can be asked to give their consent as a condition of entry to an organisation’s premises, but their personal information may only be used for the purposes for which it was collected and should not be retained for longer than reasonably necessary.
Consent can be given in several ways including:
A properly drafted privacy policy takes the time to simply and clearly explain an organisation’s reasons for collecting personal information, how it will be used, where it will be stored and for how long, and what safeguards will be taken to prevent inappropriate access to that information.