Running a business often requires managing clients, suppliers, and employees. Technology can streamline these processes. Many businesses use biometric technologies, such as facial recognition or fingerprint scanners, for time management and employee monitoring. However, under the Protection of Personal Information Act (POPIA), the use of biometrics comes with strict conditions.
What Are Biometrics Under POPIA?
POPIA defines biometrics as a technique of personal identification based on physical, physiological, or behavioural characteristics, including:
- Fingerprinting
- DNA analysis
- Retinal scanning
- Voice recognition
If a business uses biometric technology for access control or time management, it is processing biometric information and must comply with POPIA.
Legal Grounds for Processing Personal Information
Before processing any personal information, businesses must:
- Define a specific purpose for the processing.
- Establish a legal ground for doing so.
POPIA provides six legal grounds for lawful processing:
- Consent from the data subject
- Necessity for a contractual agreement
- Compliance with a legal obligation
- Protection of the data subject’s legitimate interests
- Performance of a public duty
- Legitimate interests of the responsible party or third party
General Authorisations for Processing Biometric Information
Biometric information is categorised as “special personal information” under POPIA. Its processing is generally prohibited unless authorised, with specific legal grounds including:
- Data subject’s consent
- Necessity for the establishment, exercise, or defence of a right or obligation in law
- Compliance with international public law
- Processing for historical, statistical, or research purposes
- Information made public by the data subject
- Authorisation by the Information Regulator for public interest reasons
For employers, POPIA allows the processing of biometric information in compliance with labour laws, but labour legislation lacks explicit guidance on biometrics.
Consent as a Legal Ground: Potential Challenges
While consent is a potential justification for processing biometric information, it must satisfy the following conditions:
- it must be a voluntary choice, allowing the data subject to decide freely whether to give consent;
- the data subject must be sufficiently informed to make an educated decision;
- the consent must be specific to the purpose for which the biometric information is being processed;
- the data subject must be notified of the purpose and the other details required by POPIA.
The Swedish Data Protection Authority (“Swedish DPA”), for example, fined a school after finding that consent was invalid as a legal justification because of the clear imbalance of power between the data subject and the controller (Swedish DPA, 2019). A Dutch court likewise found that the processing of employees’ biometric data, where the system had been implemented unilaterally, could not be justified by consent (Canneyt, 2019). Relying on consent may therefore be treacherous ground, and it remains to be seen what position the South African Information Regulator will take on the matter.
Steps for Compliance
To ensure compliance, businesses considering biometric technology should:
- Conduct a Personal Information Impact Assessment (PIIA) to assess whether biometric processing is justified.
- Consider alternatives to biometrics where possible, as South Africa may follow the GDPR’s example by requiring less intrusive options.
While biometric processing is not entirely prohibited, compliance with POPIA is essential. Until the South African Information Regulator provides clearer guidelines, businesses should approach biometric solutions cautiously, considering both legal and ethical implications.
Author:
Herklas Oberholster
CP & POPIA Legal Advisor
BCom Law, LLB, MPhil Fraud Risk Management