OPC clarifies rules around necessity, proportionality, consent, bias, disposal of data — and legal experts offer tips for HR
As biometric technologies such as facial recognition and fingerprint scanning become increasingly common in Canadian workplaces, the Office of the Privacy Commissioner of Canada (OPC) has released new guidance for employers.
While the information is meant for federally regulated employers, it’s “good guidance to use for all employers in Canada,” according to Robbie Grant, associate at McMillan in Toronto.
“It demonstrates how other privacy regulators would likely look at this, in particular those in B.C. and Alberta.”
This guidance was issued in draft form back in 2023 and then the commissioner opened it up to input from stakeholders, he says: “They've ironed it out, and I think improved the guidance.”
Privacy considerations with new initiatives
The OPC’s new guidance comes in response to the growing adoption of biometrics for identity verification and service delivery. While these technologies can streamline access and enhance security, they also raise significant privacy concerns.
The guidance was revised to include:
- clarified definitions and use of key terms, including discussion of the definition of sensitive information
- closer alignment between guidance and legal requirements
- added nuance and specificity to discussion of technical explanations, requirements, and best practices
- adjusted guidance on consent and criteria for assessing appropriate purposes for the private sector
- added emphasis on lawful authority and re-organized guidance on impact and risk assessment for the public sector
As the guidance notes, “Biometric information is intimately linked to an individual’s body and is often unique, and unlikely to vary significantly over time. It can reveal sensitive information such as health information or information about race and gender characteristics.”

The guidance is intended to clarify privacy obligations and best practices for organizations considering or already using biometric systems.
“Organizations need to approach the use of biometric information in a privacy-protective way, building privacy considerations at the beginning of any new program or initiative. Prioritizing privacy in this way supports innovation and helps create conditions for a more secure and enriching digital society,” said Philippe Dufresne, Privacy Commissioner of Canada.
Legal ‘patchwork’ of privacy law
Alycia Riley, associate at Gowling in Toronto, points out that the legal landscape for privacy in employment is complex.
“For the time being, it really is a patchwork of laws that apply. And so, when we look at the Office of the Privacy Commissioner, of course, they're going to regulate under PIPEDA [the Personal Information Protection and Electronic Documents Act]. But that, in the employment context, will only apply to federally regulated employers. So, it's a pretty narrow scope of application, at least insofar as a legal compliance obligation.”
But even employers not directly subject to federal privacy law should pay close attention to the OPC’s guidance, she says.
“If you're an Ontario employer, you might be inclined to think, ‘Well, hey, this isn't going to apply to me, so I don't need to follow it’ — which technically may be true — but if you're thinking about going abroad to other provinces, Alberta, B.C., Quebec, that is going to then mean that you're subject to the laws of those provinces, which do have legislation that applies to the private sector employment relationship.”
Grant also notes that privacy law in B.C. and Alberta is often aligned with the OPC’s guidance. And even if you’re a federally regulated employer, Quebec privacy laws will still apply in respect of employees located in Quebec, confirms Grant.
“That's not true in other provinces... so, that's something that's often missed. And Quebec has more onerous obligations with respect to biometrics.”
Factors to consider: necessity, proportionality, intrusiveness
A central theme of the OPC guidance is the need for organizations to justify the use of biometrics and to ensure that any collection, use, or disclosure of biometric information is appropriate and proportional.
Riley highlights this point: “The most important question when a client is looking to implement biometrics in respect of its workforces is ‘Why?’ and ‘Why is it necessary?’”
“[The OPC is] often looking to… why does this entity need to collect this level of sensitive personal information? So that can be, in and of itself, a challenging obstacle to implementation.”

For many employers, efficiency is the big appeal of biometrics, according to Grant, citing as an example thumbprint scanning instead of ID cards.
“Whether efficiency is a reason enough to warrant using biometrics, the guidance says probably not — convenience is not sufficient on its own,” he says.
“And the guidance specifically says if you have any doubt about whether something is appropriate, if you're uncertain, then don't use it at all. So, they really underscore how much of a high bar it is.”
It’s about two questions, says Grant: “Is the purpose for processing data a legitimate need, a bona fide business interest of the company?” and “Will the use of biometrics be effective at meeting that need?”
Taking a minimally intrusive approach
Plus, employers will want to be minimally intrusive in the design of the system and consider ways to make it less intrusive, says Grant.
“For example, can you make it optional for employees? If someone is really sensitive about their biometric information being used, can [the employer] go a different route? Can they verify in another way?”
If there are less privacy-intrusive means that would accomplish the goal, then those should be investigated first and foremost, agrees Riley.
“That's why, for so many instances — and the OPC refers to a couple of its decisions in this regard — there are several cases where it's not meeting that threshold of why it needs to be a biometric collection and not some other form of identification or verification.”
Employee consent to biometrics
Consent is another critical area addressed in the OPC guidance:
“A critical element of obtaining consent is ensuring that individuals have proper knowledge of how your organization will manage their personal information. For consent to be valid or meaningful, organizations must inform individuals of their privacy practices in a comprehensive and understandable manner.”
When it comes to biometrics, the “gold standard” is to have express consent, says Riley, particularly because this is considered sensitive personal information so “the greater the sensitivity, it weighs in favour of obtaining express consent to the collection, use and disclosure of the information.”
However, she also acknowledges practical challenges to that scenario, such as rolling out a new biometric system to 1,000 employees.
“Administratively, that can be quite cumbersome, so in the alternative, certainly [it’s about] having the disclaimer — but a fulsome disclaimer,” says Riley, citing as an example “This call may be recorded for security purposes.”
“That’s probably not sufficient if we were to… put it to scrutiny by the regulator. It needs to be more fulsome than that, in my opinion.”
Opting out of biometric systems
The guidance also stresses the need to provide alternatives for employees who do not wish to participate in biometric systems.
“There needs to be a viable means of opting out,” says Riley, citing as an example the use of multi-factor authentication for the purposes of verification or accessing a system, instead of biometrics.
If an employer is challenged on its use of biometrics, then ideally it has already gone through a privacy impact assessment (PIA), says Grant, and “can point to the different measures in place, technical or administrative, to demonstrate to the employee that, ‘Hey, your information is protected, we did a rigorous analysis here, and we determined this was appropriate. Here's an alternative, if we have one available to you.’”
In 2023, for example, a British Columbia arbitrator upheld an employer’s implementation of a biometric attendance system as a reasonable use of employee personal information.
Assessing effectiveness of biometrics
Another crucial element? The OPC says employers should have a plan for assessing whether the use of biometrics is effective, says Grant.
“You should be able to look at ‘Is there any scientific evidence of how effective these tools are? What's the error rate? What's the false positive rate? How accurate is it?’”
“How are you going to assess whether it's really working? If it purports to save you so much time, well, check in in six months: Has it actually saved you that much time? And if it's no longer warranted, then maybe you need to scrap it.”
Ongoing review and oversight are also key, says Riley.
“You need to make sure that it's still achieving the goal that you've set it out to do. And in many cases — I mean, we see now with the adoption of artificial intelligence — it's very easy for things to veer off of the original purpose. So having that human oversight, having those periodic check-ins are essential.”
Verifying accuracy regularly
Both lawyers also stress the importance of verifying the accuracy of biometric systems.
These biometric forms of identification and verification “are capable of being fooled,” says Riley, so it's not necessarily a guarantee that because you're adopting this type of technology and collecting this type of information, that it will be as effective as you think.
“It's really important, if you're considering implementing this, to undertake a lot of scrutiny, and really push the limits of the system to make sure that it's going to have the effectiveness that you are hoping it will.”
And it should be noted that an employer can’t just rely on a third party to verify the accuracy of the data, or take the blame when errors occur.
“You have to do your due diligence,” says Grant. “You have to have contract terms in place. And with respect to biometrics, you probably want to have an auditing and verification system so you can make sure their systems are robust, they're testing them and they're hitting those accuracy metrics.”
Bias and human rights concerns
The OPC guidance also highlights the potential for bias and human rights issues in biometric systems: “You should… be prepared for situations in which your system provides false positives, false negatives or non-matches,” it says, emphasizing the need for extensive testing to mitigate bias and inaccuracy.
Grant points to the importance of oversight with facial recognition tools, as an example.
“It's been established for five to 10 years that sometimes those tools perform more poorly on racial minorities, and so you need to make sure you're getting a tool that is robust, that is audited, that is accurate, because if you've got a barrier to getting into work that slows down one racial demographic over others, it's not just a privacy compliance issue — now you have a human rights issue which can lead to much more serious damages.”
There are certain instances where biometric technologies have not been particularly accurate in terms of assessing certain demographics, agrees Riley.
“The OPC also touches on this… they were actually talking about how biometrics, if compiled with other information, could, in theory, also disclose information about heritage, potential disabilities, and so on. So, the potential scope of what can be gained from that information is a lot broader than you might think in the first instance.”
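The error-rate questions Grant raises (error rate, false positive rate, accuracy) and the OPC's warning about false positives, false negatives and uneven performance across demographic groups both come down to measurement the employer must do itself. The following is an added example, not code from the article, the OPC or either law firm: it scores a verifier's false reject rate (genuine users turned away) and false accept rate (impostors let in) overall and per self-declared demographic group, then flags groups whose rejection rate exceeds a target. The match scores, group labels and the 0.70 decision threshold are all constructed for illustration; a real assessment would use the vendor's scores from a controlled trial.

```python
"""Added example (not from the OPC guidance or the article): scoring a
biometric verifier's error rates overall and per demographic group from a
constructed set of comparison results, to check the accuracy and bias
questions an employer is expected to answer before and after deployment."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Comparison:
    group: str      # self-declared demographic group (constructed label)
    genuine: bool   # True if probe and enrolled template are the same person
    score: float    # similarity score returned by the matcher, 0.0 to 1.0


@dataclass(frozen=True)
class ErrorRates:
    group: str
    genuine_attempts: int
    impostor_attempts: int
    false_reject_rate: float   # genuine attempts scoring below threshold (false negatives)
    false_accept_rate: float   # impostor attempts scoring at/above threshold (false positives)


def error_rates(comparisons, threshold, group="all"):
    """Compute FRR and FAR for one decision threshold over a set of comparisons."""
    genuine = [c for c in comparisons if c.genuine]
    impostor = [c for c in comparisons if not c.genuine]
    frr = (sum(1 for c in genuine if c.score < threshold) / len(genuine)) if genuine else 0.0
    far = (sum(1 for c in impostor if c.score >= threshold) / len(impostor)) if impostor else 0.0
    return ErrorRates(group, len(genuine), len(impostor), frr, far)


def error_rates_by_group(comparisons, threshold):
    """Same metrics, broken out per demographic group so disparities are visible."""
    groups = sorted({c.group for c in comparisons})
    return {g: error_rates([c for c in comparisons if c.group == g], threshold, g)
            for g in groups}


def frr_gap(by_group):
    """Largest minus smallest false reject rate across groups: the size of the
    'barrier to getting into work' that one group faces and another does not."""
    rates = [r.false_reject_rate for r in by_group.values()]
    return max(rates) - min(rates)


def groups_exceeding(by_group, max_frr):
    """Groups whose false reject rate is above the employer's accepted target."""
    return [g for g, r in sorted(by_group.items()) if r.false_reject_rate > max_frr]


def _build(group, genuine_scores, impostor_scores):
    return ([Comparison(group, True, s) for s in genuine_scores]
            + [Comparison(group, False, s) for s in impostor_scores])


# Constructed sample: 10 genuine and 10 impostor attempts per group. Group B's
# genuine scores cluster lower, modelling a matcher that performs worse on them.
SAMPLE = (
    _build("group_a",
           [0.92, 0.88, 0.95, 0.81, 0.90, 0.62, 0.87, 0.93, 0.84, 0.89],
           [0.20, 0.35, 0.41, 0.55, 0.12, 0.30, 0.48, 0.72, 0.25, 0.33])
    + _build("group_b",
             [0.75, 0.68, 0.82, 0.64, 0.91, 0.58, 0.77, 0.66, 0.85, 0.71],
             [0.22, 0.38, 0.44, 0.51, 0.18, 0.29, 0.46, 0.34, 0.27, 0.40])
)
THRESHOLD = 0.70   # constructed decision threshold, not a recommended value


def report(comparisons=SAMPLE, threshold=THRESHOLD, max_frr=0.20):
    """Print the overall and per-group figures a PIA or periodic review would record."""
    overall = error_rates(comparisons, threshold)
    by_group = error_rates_by_group(comparisons, threshold)
    print(f"overall: FRR={overall.false_reject_rate:.2f} FAR={overall.false_accept_rate:.2f}")
    for r in by_group.values():
        print(f"{r.group}: FRR={r.false_reject_rate:.2f} FAR={r.false_accept_rate:.2f} "
              f"({r.genuine_attempts} genuine, {r.impostor_attempts} impostor)")
    print(f"FRR gap between groups: {frr_gap(by_group):.2f}")
    print(f"groups above {max_frr:.2f} FRR target: {groups_exceeding(by_group, max_frr)}")
    return overall, by_group


if __name__ == "__main__":
    report()
```

Run stand-alone, the report shows an overall false reject rate of 0.25 that hides a 0.10 rate for one group and 0.40 for the other; the overall figure alone would pass a loose target while one group is turned away four times as often. The same two functions, fed the live system's scores at the six-month check-in Grant describes, give the evidence for keeping, retuning or scrapping the system.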
Disposing of biometric data
Retention of biometric data is another area where the OPC guidance sets a high bar.
It’s recommended that employers distinguish between biometric information and other data, says Grant.
“If [for example] an employee leaves, you might keep their resume on file or their contact information, because they might come back and you have to keep it for a certain amount of time anyway under employment standards legislation,” he says.
“But biometrics is its own beast. As soon as you no longer need it, it should be deleted, and you don't need it to respond to litigation. You don't need it for any future use.”
In addition, employers don't want to lump biometric information in with the whole employee file and store it for four years or seven years, says Grant.
“You want to make sure you're deleting it... these data retention schedules can be very sculpted, or they can be very general. With biometrics, you want to be very sculpted — only keep it for the length of time that is absolutely necessary.”
Heightened training with privacy programs
The guidance also emphasizes the need for robust accountability mechanisms, including limiting access to biometric data, training employees, and maintaining checks and balances.
While the IT department usually has ownership over this type of project, it’s important to be mindful of limiting who has access to the information as one of the fair information principles, says Riley.
“We can't have everybody in the organization having access to this biometric data…[and] also ensure that we've got the organizational systems in place to make sure that there's no misuse within those groups of people who are permitted to access the data.”
Training is critical as part of any privacy program or biometric system implementation, she says, with one level aimed at securing employee buy-in by informing people how their data will be used.
“And then for those who are actually implementing and collecting the data, a heightened level of training for them to understand their obligations, what they can and cannot do with this data.”