Finger print clock in.

Breaston Plants

Anyone know the laws regarding finger print clock in systems?
Thanks

Eric Cartman

you probably have it in your employment contract that its alright.
Most biometric systems are really security conscious and encrypt fingerprints stored etc...

whats your concern ?

Pkiernan

Lot of pertinent info here..


https://www.dataprotection.ie/docs/Biometrics-in-the-workplace/m/244.htm

Twenty Grand

Eric Cartman wrote: »

you probably have it in your employment contract that its alright.
Most biometric systems are really security conscious and encrypt fingerprints stored etc...

whats your concern ?

Most don't store fingerprints, just a few regions of your print that it can use to identify you.

Breaston Plants

Eric Cartman wrote: »

you probably have it in your employment contract that its alright.
Most biometric systems are really security conscious and encrypt fingerprints stored etc...

whats your concern ?

It's not in the employment contract, no concern really, just wondering about the legality of it.

Eric Cartman

Breaston Plants wrote: »

It's not in the employment contract, no concern really, just wondering about the legality of it.

same as the legality of an ID card or a pin code for a door really, its access control / time clocking , it enables employers to verify your presence and is perfectly legal.

GM228

Finger print clock in would count as biometric data which under the Data Protection Act 2018 (the previously linked DP information is out of date) is now considered a "special category" of data and an employer can not use such for clock in without explicit permission from each employee.

check_six

Important in the event of a fire or other emergency to determine who is on the premises too.

Eric Cartman

GM228 wrote: »

Finger print clock in would count as biometric data which under the Data Protection Act 2018 (the previously linked DP information is out of date) is now considered a "special category" of data and an employer can not use such for clock in without explicit permission from each employee.

but its not really biometric data , as a user pointed out above its just reference points, these scanners cannot reconstruct a finger print and do not store even partially complete finger prints on them. Even the points used aren't interchangeable with other scanners and serve no use in a database.

Explicit permission is pretty much granted by you agreeing to set up your account on the scanner, its not like they're getting your prints in your sleep.

GM228

Eric Cartman wrote: »

but its not really biometric data , as a user pointed out above its just reference points, these scanners cannot reconstruct a finger print and do not store even partially complete finger prints on them. Even the points used aren't interchangeable with other scanners and serve no use in a database.

Explicit permission is pretty much granted by you agreeing to set up your account on the scanner, its not like they're getting your prints in your sleep.

The scanner does not need to store the data, but it uses the data to identify you and falls within the scope of the DP Act 2018.

mcmoustache

GM228 wrote: »

Finger print clock in would count as biometric data which under the Data Protection Act 2018 (the previously linked DP information is out of date) is now considered a "special category" of data and an employer can not use such for clock in without explicit permission from each employee.

That's quite interesting. I didn't think it could be considered biometric.

I had assumed that these scanners would read a few points on the finger and store a hash generated from that information. Authentication would then just be a case of comparing hashes. And since hashes aren't reversible, there wouldn't be any biometric data stored - just a the output of a one-way function of biometric data.

I guess the thinking behind this is that even if the finger print isn't stored in a way that can be reconstructed, the hashed data is still a function of an individual's unique finger-print and can identify them. I guess it's not really any different to facial recognition systems - they also just take a few data points and compare those.

GM228

mcmoustache wrote: »

That's quite interesting. I didn't think it could be considered biometric.

I had assumed that these scanners would read a few points on the finger and store a hash generated from that information. Authentication would then just be a case of comparing hashes. And since hashes aren't reversible, there wouldn't be any biometric data stored - just a the output of a one-way function of biometric data.

I guess the thinking behind this is that even if the finger print isn't stored in a way that can be reconstructed, the hashed data is still a function of an individual's unique finger-print and can identify them. I guess it's not really any different to facial recognition systems - they also just take a few data points and compare those.

Finger print scanners apply specific technical processing relating to the physical characteristics of the finger to identify an individual and so satisfies the definition of biometric data for the purposes of the DP Act 2018. How the data is stored etc is irrelevant.

Carawaystick

Ignoring the legalities, is it not a little impractical? if an employee gets a cut or scar or requires a plaster / bandage
let alone has wear or callus on their fingers an alternative method will be required.

Eric Cartman

Carawaystick wrote: »

Ignoring the legalities, is it not a little impractical? if an employee gets a cut or scar or requires a plaster / bandage
let alone has wear or callus on their fingers an alternative method will be required.

you usually train 4 fingers on these units so usually not an issue. cuts and things won't throw them off.

_Brian

We had a mind bending gdpr season few months back.

Person doing the training said there was a serious argument to be made that this was unnecessary personal data being recorded as clock in cam work perfectly well without fingerprint.

I’ve worked in places with it and never had a problem, in those places the folk fighting most were lads who always asked friends to clock them out so they could pop off early.

7aubzxk43m2sni

While the answers regarding storage mean that hackers can't necessarily steal your fingerprint or anything, the point remains that the machine can uniquely identify you by your fingerprint.

I don't see why they're necessary given the abundance of options we have with NFC, and I don't think they should be compulsory.

Eric Cartman

Freya Unkempt Needlepoint wrote: »

While the answers regarding storage mean that hackers can't necessarily steal your fingerprint or anything, the point remains that the machine can uniquely identify you by your fingerprint.

I don't see why they're necessary given the abundance of options we have with NFC, and I don't think they should be compulsory.

Id fobs, tags etc.. can be lost or other people swipe you in with them, NFC on a phone requires a phone thats powered on which may not be allowed in that workplace.

You want a biometric system so somebody else can't clock in and theres nothing to lose or have made up / replace. Doing it with hand scans, facial recognition or fingerprints are the best ways.