LALIT has pleasure in reproducing in toto the important Findings by the Data Commissioner against Clavis Primary School, including Philippe Forget, one of the Board Members, for sacking a teacher-trainer, Mrs. Amanda Jones, because she refused to submit to finger-printing technology for the purpose of attendance at work. The Police have been asked to act against the school for breach of the law. Readers will recall that the Alteo sugar estate bosses have also lost a similar case, and have appealed. Their case is referred to in the Judgment.
LALIT commends Ms. Jones on her principled stand, and on her bravery and persistence in bringing her employers to account. This judgment will help us in the struggle that LALIT has been, and is still, spearheading, against the use of finger-printing and other bio-metric data for the new ID card and its centralized data base.
Here is the judgment:
IN THE MATTER OF:-
Complainant:- Mrs Amanda Jane Jones
Respondent:- The Chairman of the Board of Prokid [Clavis Primary School]
A complaint was lodged on 9th August 2013 at the Data Protection Office under section 11 of the Data Protection Act against Respondent by Complainant as follows:-
“I was dismissed from my employment for insubordination tantamount to defying the authority of the board for writing a letter stating I was not prepared to provide the school with my fingerprint for the purpose of attendance even though I stated that there was no law in Mauritius compelling me to do so and I offered to use a sign-in book.”
The complainant has also filed a statement which reads as follows:-
“I am an extremely private person and I find this method of monitoring attendance intrusive and invasive. I also have deep concerns about the security and storage of the data. I have objected to using this system in other international schools and have always been provided with an alternative.
I told the headmaster I would not give my fingerprint. Subsequently, I received a letter of warning requesting me to do so and I was required to speak to two members of the Rogers Human Resource Team to find out why I would not comply. I received a second letter with a number of misinterpretations about what I had said during the meeting and a further request to comply with the system. I contacted the Data Protection Office and was informed that there was no Mauritian law compelling me to give my fingerprint. I also sought legal counsel and was also informed that I could not be compelled to give my fingerprint and I was not contractually obliged to do so.
I wrote a letter stating the above and offered to use a sign in book as an alternative. I also asked for further questions to be put in writing so I could answer in writing to ensure an accurate interpretation of my answers. In response I received a letter of suspension and was asked to appear before a disciplinary committee on Monday 3 June 2013 to answer a charge of “insubordination tantamount to defiance of the authority of the board.” I contacted the DPO again and an inspector wrote to the school informing the headmaster about the position of the DPO on the issue of fingerprint personal data for attendance purposes.
At the hearing I was represented by legal counsel who had advised me prior to the hearing that even though the law was on my side, the board may still very well dismiss me. The school was represented by legal counsel and the headmaster, Mr Nicholas Hamer and a board member, Mr Philippe Forget. At the meeting the headmaster was asked if there was anything wrong with the quality of my work. He responded that there was not. He was also asked if I was late. He responded that I was not. When my counsel raised the issue of it being an unlawful order as indicated by the DPO’s position on the matter, the school’s counsel said the DPO was wrong.
Following the hearing, I received a letter of dismissal stating that the charges against me, the employee, stood proved, that I had been insubordinate in my letter dated 20th May 2013 and that I was in defiance of the authority of the board. According to the letter, I had wilfully refrained from abiding by lawful instructions given both verbally and in writing by the headmaster, thereby undermining both his lawful authority and that of the board. I was summarily dismissed. I received no severance pay. My medical benefits were terminated and I had to return the car which had been part of my contract.
I believe that what the school did was unjust. The school representatives have made a mockery of Mauritian law and dismissed me because I would not follow their order stating I had “wilfully refrained from abiding by lawful instructions.” Yet the order I was given was not a lawful one. Even after the Data Protection Office clarified their position, the school representatives chose to flout the law. I believe that what happened to me was a form of bullying designed to intimidate the rest of the staff and discourage them from speaking up about issues in the future….”
Respondent was convened at this office on 15.08.2013 but attended on 20.8.2013 after a request for postponement. They took note of the complaint and were requested to give their statement based on a list of questions submitted to them. They requested that they will consult their legal adviser before submitting their statement form which is as follows:-
“State the purpose for which the fingerprint machine is used?
The fingerprint machine is used for the administration of the school and for safety and security purposes.
As regards administration of the school, it is not only intended to monitor attendance (absences and lateness) but it is also an efficient and effective tool for management of payroll (overtime/local leaves/sick leaves etc.).
As regards safety and security, it is an effective tool not only for the school but also for the rescue authorities. By the availability of readily accessible and accurate information as to the persons present at the material time, it will allow a quick and efficient reaction in case of emergency and dangerous incidents. For example, we shall be in a position to ensure that everyone have been gathered in our 'sanctuary' (A set of rooms where the whole school can gather and which is sealed off from the outside - recommended and partially financed by the American Embassy).
As an international school, we are duty bound to apply the highest standards for security of the persons.
Do you have the consent of employees to give their fingerprint? Verbal or Written?
At the time we resorted to fingerprint machine, we have ensured that all our staff has been provided with the required information and consent to the use of the fingerprint machine. Out of our 80 employees, 78 have consented verbally. The fingerprint machine is used by such employees since January 2013.
Has the school made it compulsory for employees to give their fingerprint in 2013 (the new fingerprint machine)?
In view of Management decision not to provide alternative mode of recording time, it has been specified that it was compulsory to comply with Management legitimate request to record time. Such decision had to be taken in as much as, at the time the previous machine was in use, a small group of persons had opted for signature of attendance books and has been abusing such system (false entries etc.) thus jeopardising both the administrative and the security benefits.
Sections 221 & 222 of the Criminal Procedure Act gives the police the authority to take fingerprints. Do you think an employee can be forced to give their fingerprint for attendance purpose only?
An employer cannot force an employee to abide by its legitimate request. However, refusal to comply with such request does have legal consequences.
Can you provide a less intrusive means for attendance? e.g. sign in book.
We did, prior to 2013, provide for attendance books for the persons who opted not to use the fingerprint machine but, as stated above, there has been abuse. We have also considered 'swipe' cards as alternative but such system suffers from the same 'defects' as the attendance books. Furthermore, such systems will not achieve the safety and security end.
If no, why do you refuse to provide a sign in book as an alternative for non- consenting employee/s?
Same as above
What other reasons you require the fingerprints of employee?
Apart for safety and security and administrative purposes as described above, there are no other reasons.
Is the system linked to a payroll system?
The system is meant to be linked with the payroll system but it is not yet as the machine is still on a consistency trial.
The supplier to provide explanation of what data is stored in the fingerprint machine. Is it the image of fingerprint or only a template of it? How many fingerprints per persons do you keep? How do you register a person fingerprint? Can the fingerprint machine accept other type of employee identification for e.g a bar coded employee card? Who administers the system at the school?
The data stored in the fingerprint machine is the image of a fingerprint.
Only two fingerprints per person are kept (one from the left hand and one from the right hand). Upon registration, a number is assigned to the user and the name of the user is entered. Such user apposes his finger onto the machine which scans his fingerprint.
The fingerprint machine accepts pin codes. IT Administrator administers the system.
What security system have you put in place to protect the data? Describe.
The data is solely stored on the machine. Only the IT Administrator and the supplier may access the system by using their own fingerprint as 'key'.
Furthermore, all doors from which we can have access to the machine are double locking doors and the whole premises are equipped with an alarm system. There are also security guards from Caudan High Security Guards on duty on the premises 24 hours a day when the school is closed and otherwise the guards arrive as the school closes in the afternoon and stays overnight until the maintenance officer arrives the following morning.
What is the security around the storage of the data? Is the finger print template or data stored locally to the machine or on a server?
Access to the 'Menu' of the machine (for configuration and registration) can only be done by our IT Administrator via his own fingerprint. Apart from our IT Administrator, only the supplier can access the system again via the use of fingerprints. The data is stored locally to the machine.
What are the access controls in place to access the system?
Only a restricted number of persons may access the system by the use of their own fingerprints. Internally, it is only our IT Administrator. Externally, it is only the supplier which can access the system.
Such access is made through the own fingerprint of such persons.
Did you take only sign in or both sign in and out of employees?
Employees, including myself, are requested to sign in and out.
The role played by Rogers HR team in the discussion with the complainant? A third party?
The complainant, together with another staff, had concerns/grievances as regards the use of the fingerprint machine. It should be noted that none of the said concerns/grievances were related to the use of personal data, privacy or data protection. It had been decided to have recourse to the services of an independent expert in HR in order to provide the board with an expert opinion, the more so that the complainant was part of the management.
Is there any policy to access the system and/or to keep the data updated?
Apart from the IT Administrator and the supplier, no staff can access the system.
Our policy as regards access to the system is that only the IT Administrator is allowed to access the admin 'Menu' for limited purposes i.e. registration and deletion of users and time update if necessary.
What measures are in place when employees leave the organisation regarding fingerprint?
Our IT Administrator has the duty to permanently delete any personal data pertaining to such employee.
What would happen if the system is not functioning one day? Is there any contingency in place? Describe.
We will have no alternative than to revert temporarily to the manual sign-in system with its flaws.
What balance do you make with the convenience of the fingerprint machine and the Data Protection Act on the other hand?
The use of the fingerprint machine is necessary as an effective tool not only for the benefit of the employer but also for the employee (payroll/bonuses etc.). We are of the view that the use of the machine falls within the province of the 'pouvoir de l'employeur' pursuant to the contract of employment of the staff. Even if we are of the view that the consent of the staff was, therefore, not required, we have nevertheless ensured that it is obtained.
Do you consider that Section 26(c) of DPA has been breached?
We are of the opinion that the use of the fingerprint machine is an adequate, relevant and not excessive mean to achieve our aim that is the safety and security of persons and the administration of the school.
Section 22 and section 24 (1) of the Act apply directly to the complainant. What are your views?
As the complainant has opposed the use of the machine, no data has been collected from her and, consequently, no processing occurred.
Any other information you think is helpful?
We reiterate that no personal data has been collected or processed without the consent of any staff. ”
A site visit was effected in the presence of Caporal Goolaup at the premise of the school in Moka on 24.09.2013 to verify the statement made by the respondent. The following observations are made:
The machine was verified in the presence of supplier and I.T administrator. It kept a template of the image of the fingerprint and allocates an employee number to each employee. It records time in and out but most employees use the time in only. It is used by the school to retrieve an absence list, list of lateness, and to calculate leave balances. It is not connected to the payroll system. It also has a card and pin code facility which have been deactivated and not used by the school.
The machine is protected by IT administrator fingerprint to record or delete stored data from the fingerprint machine.
The daily records were viewed from a PC which retrieves the data which is stored on a server. The application also has backup facilities.
The consent of the employees is verbal only.
The sanctuary is a set of classrooms found on the last level which are protected by special doors which may be activated in case of emergency to isolate it from the rest of the school but has nothing to do with the fingerprint machine.
The respondent was requested to communicate to this office the names of the Board of Directors and the names of other members present in the disciplinary committee held on 3rd of June. The reply received is as follows:
“We regret being unable to understand your query.”
The members present in the disciplinary meeting were: Mr Nicholas Hamer, Mr Forget Philippe Alain, and Prokid’s legal advisor as per Complainant’s statement.
Respondent decided to dismiss complainant by way of a letter dated 7 June 2013 after a disciplinary committee was held on the ground of insubordination for refusal to submit her fingerprints for attendance purposes and thus not abiding to allegedly lawful instructions. Whilst this office has no jurisdiction to entertain issues outside data protection and will not assess whether the dismissal was justified or not, the issue of dismissal is directly linked to the intended processing without consent of personal information, i.e, fingerprints which are used to identify employees.
The Data Protection Commissioner has decided as follows:-
Recalling my decision of 17.7.2013 against Alteo Ltd currently under appeal at the ICT Tribunal and based upon ARTICLE 29 DATA PROTECTION WORKING PARTY Opinion 3/2012 on developments in biometric technologies which represents the applicable doctrine at page 3, first para., where it was stated as follows:-
“Biometric technologies that once needed significant financial or computational resources have become dramatically cheaper and faster. The use of fingerprint readers is now commonplace. (…) Biometric technologies are closely linked to certain characteristics of an individual and some of them can be used to reveal sensitive data. In addition many of them allow for automated tracking, tracing or profiling of persons and as such their potential impact on the privacy and the right to data protection of individuals is high. This impact is increasing through the growing deployment of these technologies. Every individual is likely to be enrolled in one or several biometric systems.
At page 6, para.4,:-
When biometric systems are used it is difficult to produce 100% error-free results. This may be due to differences in the environment at data acquisition (lighting, temperature, etc.) and differences in the equipment used (cameras, scanning devices, etc.).
At page 8, paras.1 & 2,:-
The use of biometrics raises the issue of proportionality of each category of processed data in the light of the purpose for which the data are processed. As biometric data may only be used if adequate, relevant and not excessive, it implies a strict assessment of the necessity and proportionality of the processed data and if the intended purpose could be achieved in a less intrusive way.
In analysing the proportionality of a proposed biometric system a prior consideration is whether the system is necessary to meet the identified need, i.e. is essential for satisfying that need rather than being the most convenient or cost effective. A second factor to take into consideration is whether the system is likely to be effective in meeting that need by having regard to the specific characteristics of the biometric technology planned to be used. A third aspect to weigh is whether the resulting loss of privacy is proportional to any anticipated benefit. If the benefit is relatively minor, such as an increase in convenience or a slight cost saving, then the loss of privacy is not appropriate. The fourth aspect in assessing the adequacy of a biometric system is to consider whether a less privacy intrusive means could achieve the desired end [2]. (…)
[2] For example, smart cards or other methods that do not collect or centralize biometric information for authentication purposes.
At page 20-21 last para.,:-
“There are data protection concerns associated with the use of fingerprints that can be briefly described as follows:
Even though fingerprints eventually present a high accuracy rate, this can be challenged due to limitations related to the information -low quality of the data or non-consistent acquisition process – or representation - features selected or quality of the extraction algorithms –issues. This can lead to false rejection or false matches.
The irreversibility of the process can reduce the possibility of the individual of exercising their rights or to reverse decisions adopted based on a false identification.
The reliance on the accuracy of fingerprinting can make possible mistakes harder to rectify, leading to far reaching consequences for individuals. This needs to be taken into account when the proportionality of the processing in relation to the specific decision to be taken based on the fingerprints is assessed. It should be also mentioned that lack of security measures can lead to identity theft that can have a strong impact for the individual.
Fingerprints provide potential for misuse as the data can be linked with other databases. This possibility of linking up to other databases can lead to uses non compatible with the original purposes. There are some techniques, like convertible biometrics or biometric encryption that can be used to reduce the risk.
Processing of sensitive data:
According to some studies, fingerprint images can reveal ethnical information of the individual.
Further purposes or purposes of processing:
Central storage of data, especially on large databases, implies risks associated with data security, linkability and function creep. This allows, in absence of safeguards, the use of the fingerprints for purposes different than those that initially justified the processing.
Consent & Transparency:
Consent is a core issue in the use of fingerprints for uses other than in law enforcement. Fingerprints can be easily copied from latent prints and even photographs without the individual’s knowledge. Other issues concerning consent are those related to (…) the validity of consent for providing fingerprints in a labour context.
Fingerprint data are very stable with time and should be considered irrevocable. A fingerprint template may be revoked under certain conditions.
Fingerprints can be easily collected because of the multiple tracks of fingerprints an individual leaves behind. Moreover, false fingerprints can be used with many systems and sensors, especially when such systems do not include specific anti-spoofing protection. The success of an attack depends largely on the type of sensor (optical, capacitive, etc.) and the material used by the attacker.
At page 12, para. 2:-
Processing of biometric data can be necessary for the performance of a contract to which the data subject is party or can be necessary in order to take steps at the request of the data subject prior to entering into a contract. It has however to be noted that this applies in general only when pure biometric services are provided.
This legal basis cannot be used to legitimate a secondary service that consists in enrolling a person into a biometric system. If such a service can be separated from the main service, the contract for the main service cannot legitimate the processing of biometric data. Personal data are not goods that can be asked for in exchange of a service, therefore contracts that foresee that or contracts that offer a service only under the condition that someone consents to the processing of his biometric data for another service cannot serve as legal basis for that processing”
- it is clear from the paragraph above that the performance of the main contract of employment cannot be used as a legal ground to justify the collection of fingerprints in the absence of valid consent, especially in an employment context as referred above where the imbalance between the powers of the employer and the employee is obvious. Forcing the service of biometric data collection on the employee which is a separate requirement from the performance of the contract of employment cannot be deemed justified in the absence of valid consent. It is also clear from the above paragraph that even though a contract of employment stipulates clearly that the processing of fingerprints is compulsory for all employees to perform the duties under the contract, this is not justified. A contract of employment cannot be stretched to such an extent as to justify the necessity of fingerprints for attendance purposes in a democratic society.
In S. AND MARPER v. THE UNITED KINGDOM ECHR GRAND CHAMBER 4 December 2008:- it was held that the indefinite retention of fingerprints by the police under the UK Police and Criminal Evidence Act (PACE) was done in violation of Article 8 of the European Convention on Human Rights:-
At para. 66. The Court notes that the concept of “private life” is a broad term not susceptible to exhaustive definition. It covers the physical and psychological integrity of a person (see Pretty v. the United Kingdom, no. 2346/02, § 61, ECHR 2002-III, and Y.F. v. Turkey, no. 24209/94, § 33, ECHR 2003-IX). It can therefore embrace multiple aspects of the person’s physical and social identity (see Mikulić v. Croatia, no. 53176/99, § 53, ECHR 2002-I). Elements such as, for example, gender identification, name and sexual orientation and sexual life fall within the personal sphere protected by Article 8 (see, among other authorities, Bensaid v. the United Kingdom, no. 44599/98, § 47, ECHR 2001-I with further references, and Peck v. the United Kingdom, no. 44647/98, § 57, ECHR 2003-I). Beyond a person’s name, his or her private and family life may include other means of personal identification and of linking to a family (see, mutatis mutandis, Burghartz v. Switzerland, 22 February 1994, § 24, Series A no. 280-B, and Ünal Tekeli v. Turkey, no. 29865/96, § 42, ECHR 2004-X). Information about the person’s health is an important element of private life (see Z v. Finland, 25 February 1997, § 71, Reports of Judgments and Decisions 1997-I).
The Court furthermore considers that an individual’s ethnic identity must be regarded as another such element (see, in particular, Article 6 of the Data Protection Convention quoted in paragraph 41 above, which lists personal data revealing racial origin as a special category of data along with other sensitive information about an individual). Article 8 protects, in addition, a right to personal development, and the right to establish and develop relationships with other human beings and the outside world (see, for example, Burghartz, cited above, opinion of the Commission, p. 37, § 47, and Friedl v. Austria, 31 January 1995, Series A no. 305-B, opinion of the Commission, p. 20, § 45). The concept of private life moreover includes elements relating to a person’s right to their image (see Sciacca v. Italy, no. 50774/99, § 29, ECHR 2005-I).
67. The mere storing of data relating to the private life of an individual amounts to an interference within the meaning of Article 8 (see Leander v. Sweden, 26 March 1987, § 48, Series A no. 116). The subsequent use of the stored information has no bearing on that finding (see Amann v. Switzerland [GC], no. 27798/95, § 69, ECHR 2000-II). However, in determining whether the personal information retained by the authorities involves any of the private-life aspects mentioned above, the Court will have due regard to the specific context in which the information at issue has been recorded and retained, the nature of the records, the way in which these records are used and processed and the results that may be obtained (see, mutatis mutandis, Friedl, cited above, §§ 49-51, and Peck, cited above, § 59).
68. The Court notes at the outset that all three categories of the personal information retained by the authorities in the present case, namely fingerprints, DNA profiles and cellular samples, constitute personal data within the meaning of the Data Protection Convention as they relate to identified or identifiable individuals. (…)
85. The Court accordingly considers that the retention of fingerprints on the authorities’ records in connection with an identified or identifiable individual may in itself give rise, notwithstanding their objective and irrefutable character, to important private-life concerns.
101. An interference will be considered “necessary in a democratic society” for a legitimate aim if it answers a “pressing social need” and, in particular, if it is proportionate to the legitimate aim pursued and if the reasons adduced by the national authorities to justify it are “relevant and sufficient”.
103:-“The protection of personal data is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life, as guaranteed by Article 8 of the Convention (see, mutatis mutandis, Z v. Finland…). The need for such safeguards is all the greater where the protection of personal data undergoing automatic processing is concerned, not least when such data are used for police purposes. The domestic law should notably ensure that such data are relevant and not excessive in relation to the purposes for which they are stored; and preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored (see Article 5 of the Data Protection Convention and the Preamble …). The domestic law must also afford adequate guarantees that retained personal data were efficiently protected from misuse and abuse (see notably Article 7 of the Data Protection Convention) (…)”
For the sake of clarity, I have decided to reproduce the relevant parts of the opinion and the case above verbatim such that there is no misinterpretation of the reasoning applied.
The Marper case confirms the protection of personal data as part of the fundamental human right to privacy and the term “privacy” is also present in article 22 of our civil code and the DPA is the law protecting this fundamental human right. This case illustrates the importance of respecting human rights’ principles whilst processing fingerprints by the police, inter alia, the state. Therefore private employers cannot enjoy a lesser duty or privilege towards fingerprint processing of employees in the name of monitoring attendance and claim that this interference with the fundamental right to privacy is reasonably justifiable in our democratic society as interpreted in Marper or possibly found to be justified for the execution of the essence of a contract of employment which concerns the performance of essential duties and functions. The test as shown above is a stringent one.
In view of the fact that there are three main risks associated with the use of fingerprints namely identity fraud, purpose diversion and data breach occurrence, the random use of fingerprints cannot be allowed and prosecution is advised against Respondent for breach of sections 24 or 25 and 61 of the DPA based upon the evidence before me which establish beyond reasonable doubt that Complainant was justified in not providing her consent to Respondent for the processing of her personal information which was also the reason for her dismissal. Fingerprints may be classified as personal data and/or sensitive personal data in compliance with section 2 of the DPA depending on the information they might generate on the person identified.
The matter will be referred to the Police under section 20 of the DPA subject to the same issue currently under appeal being thrashed out before the ICT Tribunal and if required subsequently by the Supreme Court.
Mrs Drudeisha Madhub
Data Protection Commissioner
Data Protection Office
Prime Minister’s Office
4th floor, Emmanuel Anquetil Building, Port Louis
REF.NO[At Data Protection Office]:-DPO/DEC/19