The Hong Kong Privacy Commissioner for Personal Data recently issued a guidance note entitled "Guidance on Collection of Fingerprint Data" to provide guidance to data users on how to comply with the Personal Data (Privacy) Ordinance when collecting fingerprint data. The Guidance Note elaborates on a guidance note published by the Commissioner in 2007 in light of the Commissioner’s views adopted in relation to numerous enquiries and investigations relating to the collection of fingerprint data since the 2007 Guidance Note was issued.
Decreasing costs of technology have led to an increase in the collection of fingerprint data (e.g. to record attendance or permit access to premises). While the Ordinance does not expressly distinguish between ‘sensitive data’ and other categories of personal data, the Commissioner has on many occasions made reference to the sensitive nature of fingerprint data (given the uniqueness of such data and the gravity of harm that could arise as a result of its misuse). The main recommendations contained in the Guidance Note are discussed below.
Does fingerprint data constitute personal data?
Personal data is defined under the Ordinance as data relating to a living individual, from which the identity of the individual may be ascertained, and which is in a form capable of being accessed/processed. Where it is possible to identify an individual by linking fingerprint data with another database or other information, such fingerprint data will constitute "personal data" and the collection and use of such data will be regulated under the Ordinance.
Has there been a collection of personal data?
Not all cases involving fingerprint data will constitute the collection of personal data. For example, where an employer installs a fingerprint recognition system, which stores the fingerprint data on a smart card held by an employee, with the employer not holding or having access to a copy of such fingerprint data, this will not constitute a "collection" of personal data and therefore the Ordinance will not apply. This is something that was not addressed in the 2007 Guidance Note which appears to have been drafted on the assumption that the collection of fingerprint data would necessarily involve the collection of personal data.
What are the requirements when collecting fingerprint data?
The following requirements apply to the collection of fingerprint data:
· Such data should only be collected for a lawful purpose directly related to the data user’s functions or activities (e.g. the control of access to high security areas by permitted personnel);
· Such data should only be collected if it is necessary and not excessive for the purpose for which it is collected (e.g. fingerprint scanners may not be necessary for recording attendance if this can be done by some other means); and
· The individual must be provided with the following information: whether it is mandatory or voluntary for them to provide the fingerprint data (and the consequences of failing to do so); the purpose for which the fingerprint data may be used; who may access the data and under what circumstances; the potential transferees of such data; whether such data could be used to take adverse action against the individual; and the individual’s right to access/correct the fingerprint data.
Privacy Impact Assessment
A privacy impact assessment should be carried out to evaluate whether the collection of fingerprint data is necessary and not excessive in the circumstances. While this recommendation was made in the 2007 Guidance Note, the recent Guidance Note contains a more detailed description of the relevant considerations when conducting a privacy impact assessment, and specifies that such assessment should involve the evaluation of the following issues:
· What need is served by collecting fingerprint data?
· If there is already a system in place designed to meet that need, what is wrong with that existing system?
· Can the problem with the existing system be remedied by means other than collecting fingerprint data?
· Is there an alternative method or system that can be used to meet the purpose without having to collect fingerprint data? If so, what are the reasons for not using this alternative system?
The Commissioner commented that less privacy-intrusive methods usually exist for the purpose of recording attendance and restricting access to premises, in which case these alternative methods should be utilised instead of collecting fingerprint data.
Where fingerprint data is to be collected from a large number of individuals, the potential harm caused by misuse increases, and accordingly a stronger justification is required to collect such data. The Commissioner has made it clear that he will be extremely critical of the collection of fingerprint data from school children or individuals who are incapable of managing their affairs, due to the vulnerability of such people. The Guidance Note also recommends that the continuous and widespread use of fingerprint scanners (e.g. in all accessible areas in a workplace, including washrooms) should be avoided.
Free and informed choice to provide fingerprint data
Individuals should be given a choice as to whether to provide fingerprint data, after the privacy implications of such collection have been explained to them. Where an individual has made an informed choice to provide such data, the Commissioner will not usually interfere (unless the individual does not possess the mental capacity to understand the privacy implications, or where there has been undue influence etc.).
It is recommended, for evidentiary purposes, that written consent is obtained from individuals before collecting/using their fingerprint data. Wherever possible, the individual should be provided with a less privacy-intrusive option when asked to provide consent.
Implications for business
Before organisations collect fingerprint data, they should carry out a privacy impact assessment and should generally only collect fingerprint data where there is a real need that cannot be met by using less privacy-intrusive means. Where the collection of fingerprint data constitutes a collection of "personal data" (as defined in the Ordinance), organisations should comply with the requirements in the Ordinance when collecting, using and storing such fingerprint data. A failure to do so may lead to an investigation by the Privacy Commissioner and an enforcement notice being issued against the organisation.