FAQ on GDPR and how it relates to the FaceAware FA01 Device
Please see below our responses to some commonly asked questions on:
- The collection and use of Biometric data.
- How it relates to the FaceAware FA01 device
What is GDPR?
GDPR is Europe’s new data privacy and security law, drafted and passed by the European Union (EU), it imposes obligations on organisations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018.
Where can I find Official EU Documents Explaining GDPR?
European Commission has provided a summary regarding the law EU data protection rules (GDPR) in the link below:
Why should my Company Comply with GDPR?
The GDPR will levy fines against those who violate its privacy and security standards.
Where does Face Recognition fall under GDPR?
As face recognition technology (or FRT) collects information of a person’s facial features, it's classed under biometric data, which is labelled as “sensitive personal data.” The verbatim definition of biometric data in GDPR is as follows:
“[Biometric data] means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.”
GDPR breaks biometric information into two categories:
- Physical characteristics: facial features, fingerprints, iris characteristics, weight etc.
- Behavioural characteristics: Habits, actions, personality traits, quirks, addictions, etc.
FRT would fall under the Physical characteristics category. The rules set also gives member states further powers to add restrictions on sensitive data as they see fit.
When can you use Biometric Data under GDPR?
Even though GDPR is quite restrictive, there are exceptions within it that allow the collection and use of sensitive data, this includes:
- If the user has given his/her consent willingly
- If biometric information is required for carrying out employment, social security, or social protection obligations
- If biometric data is required to protect the vital interests of the individual and he/she is incapable of giving consent
- If it’s required for legal issues
- If biometric data is necessary to aid in the public interest such as health
The list above highlights the importance of user consent in the collection of biometric data but also allows for the collection and use of this data in the interest of public health, for example performing Body Temperature Screening in line with Public Health advice on Covid-19.
By Default what User Data is Logged on the FaceAware FA01 Device?
By default the device captures/stores no user data in normal operation. The default setup is to carry out temperature screening without any data logging.
When will the FaceAware FA01 Device Log User Data?
The device will only store user data in the two cases:
- For any employees registered on the device.
- If Stranger Record is activated. This is turned off by default.
What Employee Data can be Registered/Stored on the FaceAware FA01 Device?
Employee details may be registered/entered on the device. This data is only needed if a company wishes to employ data logging or access/entry control based on facial recognition. The following data may be stored onto the device:
- Photo of the person (Needed if company wish to employ entry access functionality based on facial recognition)
- ID number
What User Data can the FaceAware FA01 Device Log?
The device can log the following information in operation.
- Direction (Access in or out)
- ID Number
- IC Number
- Number ID
- Transit time (Time and Date)
- Status (Server Login Status)
- Type (Whitelist, Non-Whitelist, Blacklist)
- Image of face
Who has Access to Data Stored in the FaceAware FA01 Device?
It is up to you to determine who will have access to the data stored in the device. Access can be restricted through the use of a password. It is possible to download clocking records from the device via USB or a LAN / WLAN connection, but this action requires the use of the password.
The device is local to your organisation, and we do not have access to it or the information therein under normal circumstances.
What is your Recommendations on Signage for the FaceAware FA01 Device and GDPR?
We recommend you put up a sign beside the device informing users of the following:
- What user data, if any, is be collected.
- Why is the data been collected
- How is the company using the data
- How long will the data be kept
Any Tips on Best Practice for GDPR Compliance?
From a data security standpoint, it's always a good idea to ensure that access to the data within the device is restricted to those who actually need it. Data can be downloaded from the device via USB by those with the password. It's worth bearing this in mind when deciding who within your organisation will be given access to the password.
It is strongly recommended, for data security purposes, that the default password is changed. We recommend that this new password is stored in a secure location. Note, it is not possible to access the device without knowing the new password.
In line with the practice of data minimisation, ensure only those who need to use the device are registered on it. If you have a certain set of employees who do not need to clock in and out, for example, it's best not to enter their information into the device.
Ensure that former employees are removed from the device. It's a good idea to add this to the set procedure for people leaving your organisation.
***This guidance on this page is for informational purposes only, and should not be relied upon as legal advice. It's important to conduct your own assessment of the employee data you intend to hold, how this pertains to the rights of individual employees, and your lawful basis for holding this information under the GDPR legislation. Compliance with the GDPR should be borne in mind at all stages of implementing any System***