Care charity forcing staff to sign in using fingerprints may be breaching law

Residential care staff are being forced to sign in every hour using fingerprints and photographs - a policy that may be against new EU law.

A national care charity – Community Integrated Care (CIC) – is subjecting its staff to such a degree of surveillance that they are unable to care for vulnerable people properly, according to the trade union Unison. 

CIC employees are reported to have expressed concern at the introduction of a new sign-in system which involves signing in every hour using a biometric fingerprint scanning system.

Workers have started a petition after the hi-tech clock-in machine identifies staff by their fingerprints and photographs them each time they sign in or out.

Staff who work through the night are required to sign in every hour, which the union says can interrupt them attending to people in their care.

The new system was introduced despite strict new guidelines on biometric data under the new GDPR data protection law, which came into effect last Friday.

LFF understands that workers have not been asked for their consent for their biometric data to be used by CIC.

UNISON assistant general secretary Christina McAnea said:

“There’s real concerns that CIC is already breaking all the rules [on GDPR].

“CIC has neither asked for, nor received consent, for anyone’s biometric data to be used, and staff are worried this could be the thin end of the wedge.

“For residential care staff, the requirement to sign in every hour makes it hard for them to get on with their job. Staff want to be able to respond to the needs of the people they care for, not the requirements of a machine. CIC should have more trust in their employees and allow them get on with their work.”

The new system appears to sit uncomfortably with the law.

As LegalICT.com reports:

“Automated monitoring and recognition of employees’ facial features and expressions, is generally considered unlawful. Using biometrics for access control in the workspace, such as facial, iris, or finger print scanners, appears problematic as well, as employers cannot rely on consent, and no other exception to the general prohibition to process biometric data appears applicable…

“Most regular companies will need consent of the data subject to process biometric data.”

GDPR:Report, a leading website on the new legislation, states even more clearly:

“Processing biometric data for the purpose of uniquely identifying a natural person is prohibited without the consent of the data subject.”

When initially approached for comment, a spokesperson for CIC told Left Foot Forward:

“Since its introduction…[the biometric monitoring system] has positively transformed the way we create rotas, capture the hours’ worked by colleagues and evidence the services that we deliver…

“Our charity previously paid its colleagues using manual, paper-based processes. This was not only time-consuming for managers, but could also be prone to human errors that resulted in our staff not always being accurately paid for the work that they deliver…

“We are sorry to hear that some staff have raised apprehensions about this system and would welcome the opportunity to meet with them, to address their concerns.”

LFF then presented the GDPR guidelines on biometric data.

A spokesperson for the organisation responded:

“Community Integrated Care’s use of biometric data is in line with the GDPR. Biometric data is specially protected in that organisations have to satisfy specific conditions in order to process it without consent.

“As the data is used to pay our colleagues, which is for the purposes of us carrying out our obligation as stated in contracts of employment, we are in line with Article 9 (2) of the GDPR.”

Article 9 (2) of GDPR states that biometric data collection is acceptable if ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment’.

However, it is unclear that biometric data is necessary in order to pay employees, given that few organisations rely on biometrics for clocking in.

A statement from the Information Commissioner’s Office given to Left Foot Forward suggested the scheme may indeed be unlawful, as ‘freely given consent can be difficult to obtain in a workplace where employees may not have a clear choice’.

A spokesperson for the ICO said:

“Biometric data, including fingerprints, are classed as special category personal data under new data protection laws.

“Organisations are prohibited from processing special category data unless they can satisfy one of 10 conditions, including obtaining individuals’ explicit consent.

“Projects of this type, that use biometric data, are likely to result in a high risk to individuals. Organisations are required to conduct data protection impact assessments before starting a project.”

The organisation urged concerned staff to report their issues to the ICO.

CIC has now confirmed to LFF that the organisation will be continuing to use the controversial biometric system, despite concerns from workers.

Josiah Mortimer is Editor of Left Foot Forward. Follow him on Twitter.

Image: US Air Force scanner.

Comments are closed.