Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA Case Summary #2004-281
Organization uses biometrics for authentication purposes
(Subsection 5(3); Principles 4.2, 4.3, 4.4, and 4.7 of Schedule 1)
Several employees complained that their employer was forcing them to consent to the collection of biometric information, namely, their voice print, for the purpose of accessing a number of the company's business applications. These applications are used for logging work-related information, as well as for absence reporting.
Summary of Investigation
The business applications in question are accessed via a portal that uses voice password technology to authenticate company employees. This system (applications and voice password) was introduced to enable field employees to log their work-related information in a secure, efficient, and cost-effective manner. A speech-based environment was chosen because all field employees have access to phones. Other employees are also using the system, with about 20 per cent of the company's work force enabled for enrolment.
To register, the employee places a phone call during which he or she speaks a series of digits several times. The system software converts the spoken digits into a matrix of numbers that represents the behavioural and physical characteristics of the way the individual speaks and of his or her vocal tract. The voice print is used solely for authenticating the employee when he or she is accessing the business applications. It does not play a role in any of the applications.
As for its reasons for implementing the system, the company maintained that security is enhanced by the fact that only the actual registered speaker can be authenticated. There is no password, for example, that an imposter can input. Given the amount of customer data managed by the company, protecting information from unauthorized access is of utmost importance. The company determined that this system offered the highest level of security for customer data logged through its business applications.
Furthermore, the company stated that the security costs of such a system were lower than those associated with managing traditional password systems, and that streamlining work processes (the business applications streamline the logging of work-related information and eliminate paper-based processes) achieved a more cost-effective means of doing business.
The company provided its employees with a variety of communications materials to explain the purposes for and uses of the voice password system and the applications. As for safeguards, employee voice prints are stored in a secure database and housed under tightly controlled conditions. Access to the database is highly restricted and a very limited number of individuals have the authority to view or remove a voice print record. The company stated that these individuals cannot change, interpret or substitute the record, and that the voice print cannot be reverse-engineered to synthesize a voice; on that basis it maintained that there is no possibility of any fraudulent misuse of someone's voice. The company also stated that, practically speaking, there is no other use that it could make of an individual's voice print without their knowledge and participation. The voice print is purged within one month of an employee being no longer eligible to use the system.
Some of the employees expressed concern that the voice print could be used to spy on employees on the telephone or to identify an employee by matching his or her voice against all of the stored voice prints (one-to-many matching, that is, identification rather than verification). The authentication process in place, however, is a one-to-one process. In other words, the employee's voice is matched only against the stored voice print for that particular employee's user identification, to confirm or reject the claimed identity. It cannot be used by the company for one-to-many matching.
The voice print also cannot be used to identify an employee in any context or situation other than when he or she logs onto the system. For example, it cannot identify a person who uses any of the business applications that are accessed via the portal even though those business applications use conventional voice recognition capabilities. Similarly, it cannot be used to identify a participant in a recorded conversation.
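The distinction the summary draws between one-to-one verification and one-to-many identification, together with the enrolment step described earlier (several spoken utterances reduced to a stored numeric template), is easier to see in code. The following is an added illustration, not code from the case or from the company's system: feature vectors, user identifiers and the similarity threshold are constructed assumptions, and the template is a simple mean of the enrolment vectors with cosine similarity as the comparison, which stands in for whatever the real product computes.

```python
"""Constructed illustration of biometric template matching modes.

Enrolment averages several feature vectors into a template; verification (1:1)
compares one sample against the template for a claimed user id; identification
(1:N) searches every stored template. The vectors, identifiers and threshold
below are assumptions for the example, not values from any real system.
"""
import math
from typing import Dict, List, Optional

Vector = List[float]

# Constructed enrolment data: three utterances per user. In a real system each
# vector would be derived from the spoken digits; here they are hand-picked.
ENROLMENT_SAMPLES: Dict[str, List[Vector]] = {
    "emp001": [[0.9, 0.1, 0.3], [0.85, 0.15, 0.35], [0.95, 0.05, 0.25]],
    "emp002": [[0.1, 0.9, 0.2], [0.15, 0.85, 0.25], [0.05, 0.95, 0.15]],
    "emp003": [[0.2, 0.2, 0.9], [0.25, 0.15, 0.85], [0.15, 0.25, 0.95]],
}

# Assumed decision threshold on cosine similarity; real deployments tune this
# against measured false-accept and false-reject rates.
MATCH_THRESHOLD = 0.95


def enrol(samples: List[Vector]) -> Vector:
    """Build a template as the element-wise mean of the enrolment utterances."""
    if not samples:
        raise ValueError("enrolment needs at least one sample")
    dims = len(samples[0])
    return [sum(s[i] for s in samples) / len(samples) for i in range(dims)]


def cosine_similarity(a: Vector, b: Vector) -> float:
    """Cosine similarity in [-1, 1]; 1.0 means identical direction."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def build_template_store(samples: Dict[str, List[Vector]]) -> Dict[str, Vector]:
    """Enrol every user and return the id -> template mapping."""
    return {user_id: enrol(utterances) for user_id, utterances in samples.items()}


class VerificationOnlyMatcher:
    """One-to-one matcher: the caller must assert a user id and gets accept/reject.

    The store is private to the instance and no method iterates over it, so
    this interface cannot answer the question "whose voice is this?".
    """

    def __init__(self, templates: Dict[str, Vector]) -> None:
        self._templates = templates

    def verify(self, claimed_user_id: str, sample: Vector) -> bool:
        template = self._templates.get(claimed_user_id)
        if template is None:
            return False  # unknown id: reject without revealing anything else
        return cosine_similarity(template, sample) >= MATCH_THRESHOLD


def identify(templates: Dict[str, Vector], sample: Vector) -> Optional[str]:
    """One-to-many search: best-matching user id, or None if nobody clears the threshold."""
    best_id, best_score = None, -1.0
    for user_id, template in templates.items():
        score = cosine_similarity(template, sample)
        if score > best_score:
            best_id, best_score = user_id, score
    return best_id if best_score >= MATCH_THRESHOLD else None


# Constructed login attempts: a genuine emp001 utterance, an emp002 utterance
# presented under emp001's id (an impostor), and a sample matching nobody.
GENUINE_EMP001 = [0.88, 0.12, 0.28]
EMP002_VOICE = [0.12, 0.88, 0.22]
UNKNOWN_VOICE = [0.5, 0.5, 0.5]

if __name__ == "__main__":
    store = build_template_store(ENROLMENT_SAMPLES)
    matcher = VerificationOnlyMatcher(store)
    print("genuine emp001 verified:", matcher.verify("emp001", GENUINE_EMP001))
    print("emp002 voice as emp001 verified:", matcher.verify("emp001", EMP002_VOICE))
    print("1:N identify emp002 voice:", identify(store, EMP002_VOICE))
    print("1:N identify unknown voice:", identify(store, UNKNOWN_VOICE))
```

The point to take from the two functions is that one-to-one versus one-to-many is a property of the interface and of who can reach the template store, not of the templates themselves: the same comparison routine run in a loop over all templates is identification. That is why the summary's description of tightly restricted database access matters as much as the statement that the login path only performs one-to-one matching.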
Some of the complainants also objected to the collection of leave-related information through the attendance reporting application. Employees who are absent due to illness or a work injury are prompted to provide a reason for their absence. The employee's manager has access to this information. While the company stated that providing this information is optional, this is not apparent to the users of the application.
Issued September 3, 2004
Application: Subsection 5(3) states that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances; Principle 4.2 stipulates that the purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected; Principle 4.3 establishes that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate; Principle 4.4 limits the collection of personal information to that which is necessary for the purposes identified by the organization; and Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
The Assistant Privacy Commissioner deliberated as follows:
- In considering the issue of consent with respect to a job requirement that impinges on privacy, the purposes for introducing the measure must be looked at in the context of the reasonable person test, outlined in subsection 5(3).
- The employer provided three reasons for introducing the business applications, with its voice password technology: security, efficiency, and cost-effectiveness.
- The Assistant Commissioner agreed that the system was more efficient and cost-effective than paper processes and password management, and that it was logical for a company to want to introduce economies and efficiencies to remain competitive and in business. The more persuasive argument, however, was that the voice password was needed to ensure security. The company evaluated the risk associated with managing large amounts of customer data and concluded that the system offered the highest level of protection from unauthorized access. Such an approach was aimed at safeguarding the personal information of customers and meeting the expectation of customers that their data will be protected.
- The Assistant Commissioner noted that the purpose of the Act is to balance the individual's right of privacy with respect to their personal information and the need of organizations to collect, use, or disclose personal information for appropriate purposes in the circumstances. In assessing this balance, the Assistant Commissioner reflected on whether the loss of privacy, from the collection and use of the voice print, was proportionate to the benefits the company would likely gain.
- She agreed that a voice print was an encroachment upon the person. The company was collecting the behavioural and physical characteristics that make an individual's voice unique. However, the Assistant Commissioner did not think that the voice print, in and of itself, in the circumstances of these complaints, really revealed much information about the individual.
- The company demonstrated to the Office's satisfaction that technically speaking it could only use the voice print for authentication purposes in its current setup. It could not use it for spying or other nefarious purposes.
- In the circumstances of this complaint, the Assistant Commissioner felt that a voice print, used solely for one-to-one authentication purposes, was fairly benign.
- On the employer's side, obviously if a third party were to gain access to customer data, consumer confidence in the company's ability to protect its information would be seriously eroded. In today's highly competitive business environment, customers would likely turn to another company for service and the potential losses to the company could be enormous. The cost savings of streamlining business processes are also of importance in today's marketplace.
- Given that the voice print does not appear to be unduly invasive, the Assistant Commissioner was of the view that an appropriate balance between the employees' right to privacy and the employer's needs had been struck. This did not mean that any privacy-impinging measure a company might introduce would be considered appropriate. The loss of privacy must always be weighed against the benefits, and the purposes for the measure must always be grounded in a defensible need.
- In this case, the Assistant Commissioner felt that a reasonable person would likely view the company's purposes in the circumstances to be appropriate, as per subsection 5(3). The company had informed the employees of its purposes, and clearly had appropriate safeguards in place, in compliance with Principles 4.2 and 4.7.
- As for consent, employees are obliged to record certain work-related information as part of their job requirements. Although the complainants wanted to have the option to use a more traditional password system, the Assistant Commissioner did not think the employer was required to provide one. The purposes for the voice password system were reasonable and were explained to employees, and an alternative concurrent system would not ensure the desired level of security and thus would not meet those purposes. Having deemed the collection and use of this particular biometric, in this particular set of circumstances, reasonable, she found that the company had met the consent requirements set out in Principle 4.3.
Accordingly, she concluded that the portion of the complaint concerning the collection of the voice print was not well-founded.
However, with respect to the absence-reporting application, the Assistant Commissioner agreed that the application should not be prompting employees to input the medical reason underlying an absence. The provision of such information to a manager for the purpose of calling in sick was deemed excessive and contrary to Principle 4.4, which limits the collection of personal information to that which is necessary for the purposes identified. The company agreed to amend the application so that employees would not be prompted to specify why they are calling in sick. The Assistant Commissioner requested that the company report back to her within 120 days of the date of the findings on its progress in this regard.
Accordingly, the part of the complaint concerning the collection of personal information by the absence-reporting application was resolved.