Can we use fingerprint scanning of employees?

Fingerprints are a form of biometric information which is inherently sensitive. As with any collection of personal information, an employer must show that the collection of information is both lawful and necessary for the functions or activities of the business that it will be used for. If another, less intrusive option is available that would also meet an agency's business needs, that may indicate that the collection is unnecessary.

The employer must also inform the employees why the collection is necessary and what it will be used for before any fingerprint scanning system is installed or used. As many employees are concerned that their fingerprints may be reproduced, it is important for employers to explain how the information collected will be kept secure.

Whether finger scanning is unfair or unreasonably intrusive in the circumstances will depend upon the reasons for it, the policies about its use, and the type of equipment involved.

As with all personal information, once you collect fingerprint scans, a range of other obligations under the Privacy Act will apply relating to security, accuracy, retention, use and disclosure. You must also provide individuals with their rights to access and request correction of the information. You should do a Privacy Impact Assessment to make sure the risks have been addressed before implementing this technology.

This position paper sets out the position of the Office of the Privacy Commissioner (OPC) on how the Privacy Act regulates biometrics.

Note, the Privacy Commissioner can investigate whether the collection of personal information complies with the Privacy Act. This could include systemic issues, such as over-collection of unnecessary information (like fingerprints) or unreasonably intrusive collection of information, and a failure to adhere to the obligations set out in the privacy principles when holding, using, or disclosing the information.

Updated October 2021