Biometric Scanner Ruled Legal in Workplace

Written by Daniel Standing LL.B., Editor, First Reference Inc.

Not too long ago, it was the stuff of science fiction and action films-the locked door that opened by a retinal scan. The keypad required a fingerprint as additional security. Well, what was at issue in 2023 CanLII 5478 (BC LA) isn’t too far removed from those one-time fantasies. Here, an employer implemented a biometric finger scan system for employees to use, and it had a good reason that had nothing to do with security. Would vastly improved recordkeeping and human resources services suffice as justification? Some employees got fired for not complying with the policy. To decide this tricky case, the arbitrator placed management rights on one side of the scale and on the other side, privacy legislation and the KVP test. When it stopped moving, the balance favoured management rights.


A forest products company’s timekeeping and payroll processes were in shambles. They were inconsistent and frequently carried out manually. The processes were prone to errors, and they resulted in employees not being paid on time. Also, its attendance tracking method largely relied on the honour system, was cumbersome for supervisors and was easy to defraud. In short, it needed an overhaul.

The company considered a few alternatives, like “geofencing” and employee ID number systems. The problem was, they were either too intrusive, in the case of the former, or a cure that was no better than the disease, in the case of the latter.

After much study and deliberation, it settled on Touch ID, a biometric finger scan system, as the saviour to its attendance-tracking needs. Once an employee enrolled by having a finger scanned by a sensor, a digital image was created temporarily to map a series of points: a biometric template. Then the original image was destroyed. A lot of information could be saved within the template: an employee’s start and end times, their name and Email address, along with many data points that payroll would rely on.

The employer involved the union at every step and kept it and the employees apprised of its plans. It gave a presentation to union leadership well in advance, along with its rationale. It provided employees with newsletters, bulletins and documents about TouchID and gave plenty of notice of its implementation schedule. Only about five employees were terminated, but there was plenty of unrest. A hundred unionized employees signed a petition against it, but the employer simply ignored them.

It was satisfied the system would stand up to scrutiny. It was secure; only specified people could log in with a password. The evidence pointed toward vastly improved attendance records, including real-time snapshots of who was on-site, clock-in and out times, and whether someone is working overtime. It would identify attendance patterns and payroll errors. In short, it was a massive and much needed improvement.

What the arbitrator said

The arbitrator’s analysis considered the legislation and the common law KVP test.

The legislation is the British Columbia Personal Information Protection Act.

As for the KVP test, arbitrators in previous cases devised a test to determine when unilateral employer rules or policies are enforceable by discipline. Named after the 1965 case in which the test was first articulated, the KVP test requires that to be enforceable, a policy or rule unilaterally introduced by the company and not agreed to by the union must satisfy the following conditions:

  • It must not be inconsistent with the collective agreement;
  • It must not be unreasonable;
  • It must be clear and unequivocal;
  • It must be brought to the attention of the employee affected before the company can act on it;
  • The employee concerned must have been notified that a breach of the rule could result in his discharge (if the rule is used as a basis for discharge); and
  • It should have been consistently enforced by the company from the time it was introduced.

First, she considered the stated purpose of the British Columbia Personal Information Protection Act and some key definitions. She eventually concluded the collection and use of the biometric information were reasonable and permitted under the Act, with the caveat that it broadens its assessment of individual circumstances to include consideration of possible human rights violations. In essence, it was advised to be exemptions for reasons that aren’t medical-based.

Second, as to whether the employer could impose the new policy unilaterally, the parties agreed that the only issue for consideration was the reasonableness of the policy. The arbitrator stated the initial acquisition of the fingerprint scan was a minimal intrusion into privacy, with adequate security standards and safeguards in place. The company had implemented the system with legitimate management objectives in mind. When it comes to balancing these interests, she said, the degree of justification is tied to the level of intrusion. Since the employer’s actions were minimally intrusive, it only had to provide minimal justification, which it did. For that reason, the arbitrator determined the introduction of the Touch ID system was a reasonable exercise of management rights.

Key points to take away

Provided an employer can satisfy the other branches of the KVP test involving notification requirements, consistency with the collective agreement and consistent application, it may be successful in implementing a once-futuristic way of verifying an employee’s presence in the workplace.

Of course, the stars must align somewhat, both factually and legislatively. Depending on the jurisdiction, personal privacy legislation could dictate a different result than in British Columbia, where this case was decided. Also, the totality of the circumstances, including collective agreement language, will be relevant in any other case on this issue.

Suffice it to say, as scary as it sounds to have a biometric scanner in the workplace; there was a good reason why management needed it, permitting its rights to outweigh the employees’ privacy interests.

Start the discussion!

Leave a Reply

(Your email address will not be published or distributed)