Privacy Impact Assessment

The Data Protection Commissioner cannot give a general approval or disapprobation of biometric systems. Each system must be evaluated in respect of the situation in which it is used. A case-by-case judgment is required. With that in mind, the Commissioner encourages employers to take the above guidance into consideration before introducing any biometric system.
Before an employer installs a biometric system, the Data Protection Commissioner recommends carrying out a documented privacy impact assessment. An employer who properly conducts such an assessment is less likely to introduce a system that contradicts the provisions of the Data Protection Acts 1988 & 2003. This is an important procedure to adopt, as a violation may result in action being taken against an employer by the Commissioner, or it may expose an employer to a claim for damages from an employee.
Some of the points that might be included in a Privacy Impact Assessment are:
• Do I have a time management and/or access control system in place?
• Why do I feel I need to replace it?
• What problems are there with the system?
• Are these problems a result of poor administration of the system or an inherent design problem?
• Have I examined a number of types of system that are available?
• Will the non-biometric systems perform the required tasks adequately?
• Do I need a biometric system?
• If so, what kind do I need?
• Do I need a system that identifies employees as opposed to a verification system?
• Do I need a central database?
• If so, what is wrong with a system that does not use a central database?
• What is the biometric system required to achieve for me?
• Is it for time management purposes and/or for access control purposes?
• How accurate shall the data be?
• What procedures are used to ensure accuracy of data?
• Will the data require updating?
• What constitutes an abuse of the system by an employee?
• What procedures shall I put in place to deal with abuse?
• What legal basis do I have for requiring employees to participate?
• How will the information on it be secured?
• Who shall have access to the data or to logs?
• Why, when and how shall such access be permitted?
• Does the system used employ additional identifiers (e.g. PIN number, smart card) along with the biometric?
• If so, would these additional identifiers be sufficient on their own, rather than requiring operation in conjunction with a biometric?
• How shall I inform employees about the system?
• What information about the system need I provide to employees?
• Would I be happy if I was an employee asked to use such a system?