Biometric Technology in the Workplace:
Preventing "Buddy Punching"
Special Privacy Edition, Summer 2009
Employers face many challenges in managing the attendance of their employees. Employers who use time card or swipe card systems to track the arrival and departure of their employees may also have to deal with the issue of “buddy punching”. Buddy punching occurs when one employee clocks into a payroll system using another employee’s card, making it appear that an employee who has not actually arrived at work, is in fact at work for the full duration of their shift.
In response, some employers have implemented biometric systems to track employee attendance. These scanners require the employee to scan his or her hand, fingerprint, or voice in order to clock in and out.
Some employers who have implemented such technology for attendance monitoring have faced challenges from employees who felt that the system infringed upon their privacy. For example, in Investigation Report P2008-IR-005, a recent decision of the Alberta Office of the Information and Privacy Commissioner, an employee challenged her employer’s ability to implement a thumbprint scan system to track attendance. The employer, the Empire Ballroom, fell under Alberta’s Personal Information Protection Act (“PIPA”).
PIPA sets out the provisions under which private sector organizations in Alberta may collect, use or disclose personal information. Under PIPA, employers do not require the consent of their employees to collect, use or disclose personal employee information if the employer meets certain conditions. These conditions require that the employer’s purpose for the collection of the personal information must be reasonable, that the information collected relate only to the person’s employment, that the employer notify the employee that the information will be collected and of the purpose for the collection.
The Empire Ballroom had informed its employees that it would be implementing a thumbprint scanning system for attendance monitoring purposes. However, it failed to inform the employees that the thumbprint scanner did not retain an actual “thumbprint”, but rather a unique number identifying the employee. This unique identifier is still considered to be personal information under PIPA since it can be linked with and identify an individual.
A similar decision (Investigation Report F2008-IR-001) permitting the use of a handprint scanner was also made under Alberta’s legislation governing public body employers, the Freedom of Information and Protection of Privacy Act.