Risk Management / HR Perspective
Policy/Procedure: Policies and procedures need to be up to date and meet current guidelines. Senior management need to be able to make appropriate system changes to meet current laws and regulations.
Implementation: Educate staff during new hire orientation, and periodically, regarding related laws, regulations, and any changes. Objections need to be considered and discussed with senior management for direction.
Audit: Facility management should periodically survey staff for concerns. Internal and external audits should ensure that all requests for accommodation have been reviewed and documented.
A Pennsylvania-based hospital housekeeping company was hit with a proposed class action lawsuit alleging that its fingerprint scanning method for employee timekeeping violates an Illinois state privacy law because it unlawfully collects, records, and stores biometric data. The biometric time-tracking system runs afoul of the state’s Biometric Information Privacy Act, or BIPA, because the company failed to inform employees in writing why and for how long their data would be stored, never gave them a retention schedule for the fingerprints, and did not obtain written releases from the workers, according to the complaint.
The named plaintiff said that if a fingerprint database is hacked, breached, or otherwise compromised, employees are exposed to potential identity theft and unauthorized tracking. “Unlike key fobs or identification cards — which can be changed or replaced if stolen or compromised — fingerprints are unique, permanent biometric identifiers associated with the employee. This exposes employees to serious and irreversible privacy risks,” the complaint said. The named plaintiff worked for the housekeeping company at a medical center. He claims the company required him to scan his fingerprint at the beginning and end of each work day, but never gave him BIPA-required information about the process and never obtained his consent via written release.