Israel’s privacy watchdog has published a draft document outlining guidelines and rules organizations and businesses should keep in mind when using biometric systems to monitor employee attendance at the workplace.
The Collection and Use of Biometric Data at the Workplace policy paper was published by the Israeli Privacy Protection Authority (PPA) in July as a response to increasing privacy concerns about biometric identification technology used for access control and supervising work hours. The public can submit their comments on the draft until August 18.
Among some of the key points of the document is the need for employers to justify the proportionality of using biometric systems and balancing legitimate interests against employee privacy. The collection of biometric data must be based on free informed consent.
The agency also provides a ranking of preferred alternatives for managing employee attendance. In regards to biometrics, the documents recommend that data is stored in a decentralized way, for example on smart cards, instead of a centralized database owned by the employer.
Employers using biometric attendance systems should register a database with the Privacy Protection Authority and need to provide sufficient details, including purposes, name of the individual in charge, where data is stored, security measures, potential risks, employee access and rectification rights, retention, how data can be removed from the database and third party recipients.
The document also outlines other procedures for handling biometric data, such as data minimization. Employers are expected to use databases only for the specific purpose for which it was collected and delete any biometric data that is no longer required, such as those from employees who have quit or have retired.
The draft policy paper is an update to the Israeli Privacy Protection Authority previous paper from 2012.
Data privacy, particularly relating to biometrics, has been a recurring issue in Israel, between a massive government database of citizens’ faces and fingerprints and the suggestion late last year by the state comptroller that the IDF’s privacy protocols are obsolete.