By Lusanda Raphulu Thursday, August 13, 2009

With the advantage of technology, employers have the option of installing fingerprint scanners to monitor and track their employees’ activities in the workplace, and to monitor door entry and computer access. Generally, fingerprint biometrics works on the following basic principles: a fingerprint is scanned and the extraction algorithm used in the software recognizes unique points of the person's fingerprint. Based on these points, the software creates a string of numbers, commonly referred to as a biometric identity template, which is then assigned to this fingerprint only. Generally, biometric identity templates that are created and stored cannot be reconstructed into the fingerprint images, so even if the system was tampered with by someone meaning to access the identity data of employees by breaking into the system, they would only find useless strings of numbers, as no image of any fingerprint is ever stored within the system.

In these circumstances, would an employer require an employee’s consent to collect their fingerprint? Every employee has the right to privacy as contained in section 14 of the Constitution. However, our courts have recognized that as a person moves into communal relations and activities such as business and social interaction, the right to privacy is watered down to some extent. At present, except for the common law and an individual’s constitutional right to privacy, there is no data protection legislation in place in South Africa. The Protection of Personal Information Act (“POIPA”) is a draft bill, which seeks to regulate the processing of personal information in South Africa. The term “personal information” is defined very widely in POIPA, and includes a person’s fingerprint. POIPA seeks to regulate the processing of personal information, which includes collection, recording, storage, and use of personal information. POPIA recognises that consent is one of the bases upon which personal information may be lawfully processed, but consent is not the only ground.

Although POIPA does not have the force and effect of law, employers should be guided by its provisions when dealing with employees’ personal information. In these circumstances, employers should obtain their employee’s informed consent prior to collecting their fingerprint. Employers should inform their employees inter alia of the specific purpose for which their fingerprint is being collected, and who would have access to such information. Employers should explain to employees how the system will work and what information will be stored on the system. In circumstances where only biometric identity templates are stored on the system, as opposed to actual images of employees’ fingerprints, employees should be advised of this. Employers must ensure that the information collected is only used for the purpose for which it was initially collected. As records of personal information should not be kept in a form which allows an employee to be identified for any longer than is necessary to achieve the purpose for which the information was initially collected or subsequently processed, unless the employee has authorised its employer to retain the record, the employer should destroy such record after the expiry of the necessary statutory period.