By Marc Brown, VP of BioCyte – Digital Identity
Abstract: The combination of the European Union’s Working Time Directive and General Data Protection Regulation is forcing businesses both to track employee time accurately and to protect the privacy of employee personal information. Given that biometric scanning solutions are the only way to be certain that specific individuals are checking in and checking out when they claim to be, European businesses must find a way to apply biometrics without infringing on personal rights, keeping biometric data private. This blog examines the challenges businesses face in properly adhering to these two regulations and how an encrypted or tokenised biometrics solution makes it possible to accurately track authenticated employee time through assured digital identity while keeping biometric data private, so that everyone is treated fairly.
Ensuring Employee Privacy Remains Protected in Meeting Conflicting EU Regulations.
Recording employee working hours is a topic back on the agenda of European organisations. A recent ruling by the European Court of Justice (ECJ) in the case of Federación de Servicios de Comisiones Obreras (CCOO) v Deutsche Bank SAE (Case C-55/18) declared that EU directives mean Spanish legislation should require employers to set up a system to record workers’ actual daily working time. The ruling embraces the Working Time Directive 2003/88/EC of the European Parliament and Council. While many European Member States have statutory instruments in place to implement the directive, the requirement to record and retain up-to-date records of working hours has not been adhered to.
The ruling came just as Spain had introduced new legislation to ensure working hours are recorded so that overtime is paid. Changes in regional legislation, enforcement of the EU Directive and potential fines are prompting organisations to review their systems and implement Time & Attendance solutions. The required records form yet another category of personal data to be reviewed, stored and protected.
In recording employee working hours, organisations are looking to biometrics as an accurate method of timekeeping built on assured digital identity. Because a biometric identifies the unique characteristics of an employee, it ensures they are in the right place at the right time, and that only that person can record their own arrival, departure and breaks. Weak credentials such as swipe cards, punch cards and PIN codes are open to abuse and lead to payroll fraud, with colleagues recording entries on behalf of missing or late employees.
Through assured digital identity, biometrics increases security, combats fraud and creates a quick ROI from savings on payroll. Holding yet another form of employee personal data, however, brings it into conflict with the recently introduced General Data Protection Regulation (GDPR).
GDPR concerns the data protection rights of individuals and the obligations of organisations that process their personal data. Under GDPR, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. There is a tiered approach to fines, and organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater).
Employees now have greater awareness of the data their employers hold and can be quick to exercise their rights where there are concerns about how that data is secured and used. Raw biometric images can be copied and distributed, and once lost a biometric cannot be replaced. Using secure methods of biometric template encryption and storage ensures that templates cannot be reversed into a representation of the employee’s original biometric data. Organisations and employees with further concerns can look at methods of implementing biometric tokenisation, ensuring that the biometric data is not stored on an organisation’s servers but is carried as the secure property of the employee.
In further overcoming the concerns of GDPR, biometric data can be used in digital identity assurance for logical access, ensuring that only privileged users have access to personal employee data. What could be seen as a conflict between two regulations can, handled correctly, be implemented to provide the solution.
Download our White Paper on Ensuring Employee Privacy Remains Protected in Meeting Conflicting EU Regulations. Learn more about methods of securing biometric data for recording working hours in line with the Working Time Directive, while ensuring GDPR requirements are met.