Biometric Door Entry used as clock-in/clock-out without permission?

LegacyUser

Hi all. I work for a company with multiple sites. Our site is the only office that has a biometric reader on the door to allow access. It was first installed to avoid issuing unnecessary volumes of keys/etc. We did not sign anything specific to this when installed.

It has now turned out that at least 2 of my colleagues have had reports shown to them of their times of entry/leaving to highlight possible problems. Ignoring the fact of whether or not the person in question was starting late/taking long breaks/etc, it did raise a query with some of us here - is your employer allowed use such a device as a de-facto clock-in/clock-out device, without telling us? Should we have to sign something to use such a device for this purpose?

Does anybody have any experience on such a query? Any feedback would be appreciated.

dennyk

Are they paid hourly and if so, is the building access system actually being used as a time clock to determine their hours worked? If so, that's probably fine as long as they are aware of it and their hours worked are being correctly tracked. If they are performing work outside of the building that's not being counted as time worked because of that system and hence they aren't getting paid for that time, that would be an issue the company would need to address, though.

If they are salaried, or if their hours worked is being tracked via some other system, and the company is just tracking their comings and goings via the access system, that's certainly allowed; the company has every right to monitor who is accessing their building and when, and if those access logs indicate that some employees are not following company policy regarding start times or breaks or whatnot, the company is within their rights to address those matters with the employees in question, just like they could if their boss noticed on his/her own accord that an employee has been showing up late or taking extended breaks. (In fact, using the access system logs gives the company a stronger position for disciplining the employee in question, given that they have clear and unbiased evidence of the nature and scope of the policy violations rather than just some other employee's say-so...)

colm_mcm

I'd imagine this is just the same as reading an access control panel's data.

wench

I would think there are data protection issues in using the data for a purpose other than that which was originally given.

If it was intended at the outset, or decided upon later, to use the security data for timekeeping, that should have been communicated to the staff.

See here for info on fair collection and use of data
https://www.dataprotection.ie/docs/Data-Protection-Rule-1/23.htm

runawaybishop

dennyk wrote: »

If they are salaried, or if their hours worked is being tracked via some other system, and the company is just tracking their comings and goings via the access system, that's certainly allowed; the company has every right to monitor who is accessing their building and when, and if those access logs indicate that some employees are not following company policy regarding start times or breaks or whatnot, the company is within their rights to address those matters with the employees in question, just like they could if their boss noticed on his/her own accord that an employee has been showing up late or taking extended breaks. (In fact, using the access system logs gives the company a stronger position for disciplining the employee in question, given that they have clear and unbiased evidence of the nature and scope of the policy violations rather than just some other employee's say-so...)

Absolutely not, data must be used for the purpose for which it is gathered initially - in this case it is used for security. If they wish to use it for time tracking then the employees must be notified.

If a data controller has information about people and wishes to use it for a new purpose (which was not disclosed and perhaps not even contemplated at the time the information was collected), he or she is obliged to give an option to individuals to indicate whether or not they wish their information to be used for the new purpose.

Similarly a security camera cannot be used to track when people are entering or leaving work etc for the purposes of timekeeping unless this is specifically called out.

goodlad

Similar issue came up in a company i previously worked for.
There was no official clockin system and door swipes were used as evidence that some employees were always late and leaving early.

I dont know specific details but some calls were made to the data protection Commissioner and very soon after the whole thing was dropped by the employer.

garhjw

runawaybishop wrote: »

Absolutely not, data must be used for the purpose for which it is gathered initially - in this case it is used for security. If they wish to use it for time tracking then the employees must be notified.

If a data controller has information about people and wishes to use it for a new purpose (which was not disclosed and perhaps not even contemplated at the time the information was collected), he or she is obliged to give an option to individuals to indicate whether or not they wish their information to be used for the new purpose.

Similarly a security camera cannot be used to track when people are entering or leaving work etc for the purposes of timekeeping unless this is specifically called out.

It could be a security issue if the employee is not on site when they are supposed to be.

ArthurG

garhjw wrote: »

It could be a security issue if the employee is not on site when they are supposed to be.

It doesn't matter. As pointed out above, personal data, which now includes biometrics, can only be used for the purpose it has been collected for. If the controller of that data wishes to use it for another purpose, they must obtain consent, and that request must be unambiguous (i.e. no corporate speak, state clearly what it will be used for).

Giblet

Get people to let you in and walk behind people leaving.