Tuesday, November 13, 2012

France severely limits biometrics for time-and-attendance

No biometrics to control working hours (CNIL)
October 23, 2012
In recent years, the control techniques employed in their workplaces have experienced unprecedented growth, including through the use of biometric devices. Therefore, the CNIL wished to obtain the opinion of trade unions and employers, the General Directorate of Labour as well as some professionals, the use of this technology. The issue of biometrics as a tool for management and control of attendance zones has been analyzed under the Data Protection Act and in accordance with the Labour Code.
The Commission has always been vigilant about biometrics. They have the peculiarity of being unique and permanent, because they identify an individual from its physical, biological or behavioral (eg fingerprint, hand contour). They are not assigned by a third party or by the person chosen. They are produced by the body itself and the means permanently thereby allowing the "tracing" of individuals and their identification.

The sensitive nature of these data that explains the Data Protection Act provides a specific control of the CNIL essentially based on the proportionality of the device in relation to the objective sought, such as time management.

On 27 April 2006, the Commission adopted a single authorization for the implementation of biometric recognition based on the contour of the hand with the purpose of access control and time management and restoration of the site work (AU-007).

Following more than a dozen hearings, consensus is clearly expressed to consider the disproportionate use of biometrics for control schedules.

Therefore, the Commission has decided to modify the TO-007 in that it allowed the use of the hand contour for time management. now, no single authorization are used to control the schedules of employees by a biometric device.

Transitional measures
Organizations that already use this device to control schedules and staff who have made ​​a commitment to comply before the publication of this new debate will continue to use it for a period of five years. After this time, they will stop using the biometric feature, which will not involve systematically changing hardware. Organizations can indeed set the system to inhibit the function and use biometric instead, codes, cards and / or badges without biometrics. The CNIL has informed individually organizations having previously sent a commitment to comply with the AU-007.

However, devices contour of the hand can still be used to control access to the premises or manage the restoration of the workplace. These treatments will continue to be a commitment to comply with the AT-007
The fact install a biometric device for purposes other than those covered by the AU-007 will give rise to requests for specific permission, which will be considered on a case by case basis by the Commission. [ed. Translation by Google; Emphasis in original]
See also: No more single authorization of the CNIL can now monitor employee schedules by a biometric hand recognition.

It seems that France has placed some limits on biometrics for time-and-attendance, preventing new adoption   and requiring a five-year phaseout for those who are currently using the technology.

CNIL explicitly okays biometrics for physical access control.

No example of actual "tracing" or violation of privacy is mentioned in the statement.

It appears the CNIL has preserved by law a certain degree inefficiency in the French labor market — inefficiency that biometric technology can help reduce. So far, this is the only case of its kind that I'm aware of.

Oh well, vive la différence.

h/t:
PogoWasRight.org
@M2SYS