Every company needs to consider access control carefully. The movement of people in and out of a company’s premises should be controlled so that only authorised people can access specific areas.
Biometric identification has become integral to access control and security in many countries and companies. From facial recognition cameras in casinos, which push some players to seek out online options on casinos.com instead, to fingerprint recognition to unlock a door, biometrics can ensure greater levels of security.
While biometrics are an asset for company security, many have questioned whether using such systems is an invasion of employee privacy. These concerns are typically rooted in the company’s need to store employee biometric data in order to validate it. In this article, we’ll examine this issue in depth and examine how biometrics work, employees’ issues with them, and what the law says.
Types of Biometric Access Control
Although identifiers like these were used in ancient civilisations, it wasn’t until the new millennium that they gained traction as a form of access control. Since then, biometric security functions have evolved rapidly.
Three primary forms of biometric access control are commonly used, along with a fourth that is less common.
Fingerprint Recognition
The most widely used form is fingerprint recognition, which matches a person’s fingerprint with one on file. It is so popular because it is one of the simplest forms of biometric data to obtain and is relatively cost-effective.
Facial Recognition
Facial recognition is gaining popularity in high-security areas due to its contactless identification. It uses a face map to store distinct features of a person. These are then matched against a camera feed to identify whether someone is allowed access.
Iris Scanning
As one of the more complex forms of biometrics, iris scanning has moved from science-fiction movies to reality. It is one of the most accurate forms of biometrics and is, therefore, widely used in companies that require stringent security, such as data centres.
Voice Recognition
The final and least utilized biometric method is voice recognition. Because it is harder to authenticate the waves of somebody’s voice, this biometric data is only used in specific situations and normally as a secondary form of identification alongside one of the biometric data points above.
Concerns Over Biometric Data Usage for Access Control
Despite being ideally suited for use as a form of access control, there have been numerous instances where concern over this practice has been voiced. These concerns have valid arguments but have done little to dissuade companies from using the technology.
Data Breaches
Among the most frequently voiced concerns relates to the security of biometric data in data breaches. This information, classified as highly sensitive, needs to be stored by companies to be validated against.
If a company does not have proper security measures in place, this information could be stolen in a data breach, providing criminals with sensitive information. This, in turn, can be used for dubious purposes, often with the party it affects not knowing about it until later on.
Tracking
Another common concern is the ability to track employees using this data. Many employees prefer to keep their work lives separate from their daily dealings outside of work and enjoy their privacy when doing so.
Companies have access to their biometric data, and instances of abuse of this access may easily arise. This data can be used not only to track employees (including how they move around within a company) but, if linked to other identification systems, to surveil people outside of work.
Identity Theft
The most prominent concern over biometric access control is the possibility of identity theft. As with instances in which the data is stolen through a breach, biometric information can be accessed by others within the company, leading to cases where this access may be abused.
This could lead to identity theft, where the real identity information is falsely used to open accounts, build debt, or even commit crimes under the name of an innocent party. This is all done without the consent or awareness of the person the information belongs to.
What the Law Says
In India, two primary laws directly and indirectly deal with biometric data security. These laws ensure that information is stored securely and also assign the responsibility for keeping this data safe to the employer.
Information Technology Act of 2000
While not explicitly mentioning biometric information, the Information Technology Act of 2002 outlines the framework for almost all cyber law in the country. Section 43A of the law specifically mentions sensitive personal data or information—a category under which biometric information falls.
Under this section, companies are required to maintain reasonable information security and ensure that proper procedures are in place to prevent unauthorised access to this data. Many have applied this law directly to biometric details and companies that use them for access control.
Digital Personal Data Protection Bill of 2023
Proposed in 2019 as the Personal Data Protection Bill, the Digital Personal Data Protection Bill was written into law in 2023 after numerous revisions. Working to classify how companies should engage with sensitive information, the bill expressly mentions biometric data and how employers must safeguard it.
In addition, the bill outlines the need for express consent to obtain and use this information, instils limits on its use, and gives employees rights regarding the data stored. It also establishes a Data Protection Board that oversees the bill and ensures its enforcement.
Is Biometric Access Control an Invasion of Privacy?
The answer to this question is complex and needs to take into account various factors. Biometric access control is one of the best options for many companies to ensure only authorised access to specific locations. However, the company must fulfil a much greater responsibility to ensure that employee biometric data is stored safely.
With the passing of the Digital Personal Data Protection bill, the government has also stepped up to reassure people whose data is collected. While some may still see the collection of this data as an invasion of privacy, if the law works correctly, this information should be secure and have minimal effects on personal privacy while boosting the ability of companies to stay secure.