March Congruity Q&A: Biometric Timekeeping Procedures

Question:

What procedures should we have in place for our biometric fingerprint scanning timekeeping device?

Answer:

Biometric systems for authentication, security purposes, and timekeeping are increasingly being used by employers. However, the use of biometric data in the workplace is still fairly new and the laws are still catching up. While there is no comprehensive federal statute in place that specifically addresses the use or disclosure of an employee’s biometric data, there are federal statutes in place that address related privacy and data security protections.

For example:

• Health Insurance Portability and Accountability Act (HIPAA) addresses requirements for protecting individually identifiable health information (IIHI) and protected health information (PHI) (although PHI does not include employment records held by an employer). 
• Genetic Information Nondiscrimination Act (GINA) prohibits employers from requesting, requiring, or buying an employee’s genetic information or that of an employee’s family member.
• Fair Credit Reporting Act (FCRA) imposes certain requirements and restrictions on employers conducting background checks.

• ​Illinois passed the Biometric Information Privacy Act, which applies to all private employers and sets forth how private entities may collect, store, and use biometric identifiers such as retina scans, fingerprints, or voiceprints.
• New York expressly prohibits employers from requiring employees to be fingerprinted as a condition of employment.
• Texas’ Business and Commerce Code, which applies to all private employers, includes a section regulating the capture and use of biometric identifiers.
• ​Washington passed similar legislation to Illinois and Texas restricting the use of biometric information.