Workplace Privacy: A Case Study on Biometric Technology for Employee Attendance Tracking

As modern workplaces evolve alongside technological advancement, organizations increasingly adopt various systems to enhance operational efficiency. These include internal communication management systems, internet usage administration systems, CCTV security systems, and building access control systems. While these technologies bring convenience and efficiency, they also raise significant legal considerations that organizations must address, particularly under Thailand's Personal Data Protection Act (PDPA). Striking a balance between business benefits and respecting employees' privacy rights in workplace monitoring presents a critical challenge that organizations must carefully consider.

Case Study: When Facial Recognition and Fingerprint Technology Were Prohibited by Regulatory Authorities

A case study from the Information Commissioner's Office (ICO) of the United Kingdom provides valuable lessons for Thai organizations. The ICO issued an order requiring a company to cease using facial recognition systems for employee attendance monitoring at fitness centers. The key reasons for prohibiting the facial recognition system were as follows. First, the technology failed to demonstrate "necessity" and "proportionality" because less intrusive alternatives existed, such as employee ID cards or tap-in/tap-out devices. Second, employees were not provided with clear alternative options other than consenting to facial or fingerprint scanning to receive their salaries. This unequal bargaining power meant employees could not genuinely refuse consent.

This case study illustrates that while companies may have legitimate needs to monitor employees, necessity alone may not be sufficient. Companies must consider other fundamental principles, including alternative monitoring methods that achieve the same results while providing employees with appropriate workplace privacy.

Fundamental Principles Organizations Must Consider When Using Biometric Technology for Employee Monitoring

  1. Necessity: Organizations should have clear reasons for using monitoring technology, such as security purposes, theft prevention, or more efficient human resource management. The use of such technology must be necessary and appropriate for the circumstances.
  2. Proportionality: The use of monitoring technology must maintain balance between organizational benefits and individual rights. For example, transportation companies that need to track employee movements should provide options to disable tracking systems for drivers outside working hours to avoid intruding on personal time.
  3. Alternatives: Organizations should consider other methods that impact employee rights less while achieving the same results.
  4. Transparency: Employees must be informed in advance about monitoring methods, including what devices will be used and for what purposes. This should be clearly specified in policies or announcements, with regular reviews of monitoring methods, ensuring no actions beyond what has been communicated to employees.
  5. Security: Organizations must protect recorded data from loss and limit access rights to relevant personnel only. They must also establish clear data retention periods based on data usage necessity. When data is no longer needed, it must be deleted and destroyed to prevent access or data recovery.

How Should Organizations Proceed When Implementing Biometric Technology?

Beyond considering the fundamental principles mentioned above for employee monitoring, under Section 26 of Thailand's Personal Data Protection Act, facial scan data or fingerprint data constitutes "biometric data," which is classified as "sensitive personal data." This type of personal data poses high risks to data subjects if disclosed or used improperly, potentially causing harm or impact to individual rights and freedoms. Therefore, processing such data requires explicit consent from data subjects, and organizations must implement security measures at higher levels than ordinary personal data, along with measures to support sensitive data processing, as outlined in the following preliminary guidelines:

  1. Prepare Privacy Notice and Consent Form: Create a comprehensive privacy notice and consent form for facial recognition technology use, clearly specifying purposes, collection methods, usage, and data retention periods.
  2. Obtain Explicit Consent from Employees: Secure clear consent from employees before processing personal data. Organizations must not coerce or create unfair conditions for non-consent and must provide alternative options for employees who refuse consent, such as using employee ID cards for building access or attendance recording.
  3. Enable Withdrawal of Consent: Enable employees to withdraw consent at any time through methods that are no more difficult than obtaining consent.
  4. Implement Advanced Security Measures: Establish high-level security measures such as data encryption and limiting access to relevant personnel only for recorded and stored data.
  5. Conduct Risk Assessments and Emergency Planning: Perform advance risk assessments and develop response plans for various data breach scenarios.
  6. Define Retention and Destruction Procedures: Establish appropriate data retention periods and destruction methods when data is no longer necessary to prevent data recovery or restoration.

Conclusion

When organizations implement technology to monitor and supervise employee work activities, they must recognize that enhancing efficiency or facilitating administrative convenience must not violate fundamental employee rights. Therefore, if organizations have legitimate needs to implement employee monitoring systems, they must carefully consider fundamental principles to analyze whether such monitoring systems are necessary and align with these core principles. Organizations must also evaluate whether the data they need to process falls under Thailand's Personal Data Protection Act or other applicable laws, and understand the specific processing guidelines for that type of data. This approach ensures proper legal compliance while providing appropriate privacy protection for employees.


References

• ICO: Employee monitoring – is it right for your business?
  https://ico.org.uk/for-organisations/advice-for-small-organisations/whats-new/blogs/employee-monitoring-is-it-right-for-your-business/

• ICO orders Serco Leisure to stop using facial recognition technology
  https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/02/ico-orders-serco-leisure-to-stop-using-facial-recognition-technology/


Kanoknun Chanataradhamma
Lead - Legal Technology Counselor
Phaenwa Mankhong
Legal Intern