Balancing biometric security and employee privacy in the remote work era

[WHOOSH] ELISA SCALI: OK, good morning. Before we begin our program today, I would like to acknowledge that because we're all based in different cities and provinces across Canada, we are located in different traditional Indigenous territories, some of which are covered by treaties. I encourage us all to take a moment to reflect upon and acknowledge the land upon which we are living. If there are Indigenous people attending this webinar, please feel welcome.

Thank you for joining us today. My name is Elisa Scali. I'm a partner with Gowling WLG. I'm a member of our employment, labor and equalities team. And on behalf of our employment, labor and equalities team, I'd like to welcome you to the third webinar of our 2024 webinar series.

The focus of our webinar today is balancing biometric security and employee privacy in this new remote work era. To guide us through this discussion we have with us here today, Jasmine Samira. She is a counsel in our Gowlings Toronto office. Jasmine is recognized as a certified information privacy professional by the International Association of Privacy Professionals. She regularly advises clients from various industries on a broad range of privacy and cybersecurity issues, including privacy, compliance, and data protection.

Crystal Park is also an associate in our Toronto office. She's one of the newest members of our privacy and cybersecurity group. She assists with various matters, including data breaches and advising on best practices to minimize liabilities related to cyber risks.

And last but certainly not least, Alycia Riley. Alycia is a frequent speaker at our webinar, so she will likely be a familiar face to many of you. She is part of our employment, labor and equalities team, and she provides advice to clients on a broad range of employment related matters, including privacy issues in the workplace.

So before we begin our presentation, just a few housekeeping items. The PowerPoint presentation will be distributed to all the attendees following the webinar today. The session is being recorded, and the recording will also be shared with you following the webinar.

If you'd like to view our previous webinars, you can find them on our web page. And we will add the link in the chat today for you. And if you have questions, please pose them in the Q&A section. Please try to keep your questions general as we won't be able to answer any specific or technical questions. This presentation is not intended to be legal advice. It's intended to be just a high level overview. So for specific advice, please consult your qualified legal counsel. And to start us off, I would like to pass this over to Alycia.

ALYCIA RILEY: Thanks, Lisa. Good morning, everyone. Thank you so much for being here with us today. Our agenda is divided into four parts. So we're going to first begin with a brief overview of privacy laws in Canada. I'll then pass it over to my colleague Crystal who will explain what biometrics are, how they are used. Crystal will also explain some issues with biometrics. And then Jasmine and us as a group will discuss the regulatory considerations as well. Next slide, please.

So to provide a brief overview of jurisdiction in privacy, we're going to go all the way back to the constitution. So Canada is a federal state, which means that it has powers of parliament at the federal level and powers of the provinces through the legislatures, divided under the Constitution Act. And so both levels of government, both federal and provincial, rely upon different powers under the constitution to claim jurisdiction over both privacy and employment matters.

And I'm sure many of you have been at our employment seminars before. So you know that employment will presumptively fall within provincial jurisdiction unless the employer is engaged in a federal undertaking. And so federal undertakings would apply to things like telecommunications, nuclear energy, postal services, and so on.

Privacy also falls under federal law when it governs the collection and protection of personal data for commercial purposes. And in that context, we're thinking about parliament's presumptive power over commerce and trade at the federal level. However, it can be superseded by a equivalent provincial law, as you'll see in a moment.

Now, as an aside, those points are generally applying to the private sector. It's worth noting we won't get into it here, but the federal and provincial governments do also have their own laws over the collection of data by public entities. So that's when we look at other statutes such as the Privacy Act. So, again, we won't go into that today, but just to give you an overview. Next slide, please.

So as you can see from this, our privacy laws in Canada are really more of a quilt with many holes. So at the federal level, we currently have the Personal Information Protection and Electronic Documents Act, or PIPEDA, that is governed by the Office of the Privacy Commissioner of Canada.

Now, as I mentioned, that applies at the federal level but it can be superseded by a provincial enactment. And there are three of them that we have currently. So we have one in British Columbia, we have one in Alberta, and we have one in Quebec.

There are other privacy commissioners in the various provinces as well but because there is no statute that applies to the collection of information in the private sector, this is the current patchwork that we have. Now, if you do have employees that are located in Quebec, I should note that Quebec has recently done a complete overhaul of its privacy system.

There are now substantive administrative monetary penalties in place. The rules are significantly more onerous. And I would say it is, in Canada, the closest to the GDPR in the European Union. So if you do have employees in Quebec and you'd like to have further information, please reach out and let us know.

So looking at this patchwork that we have, how do we reconcile employment with employee privacy in the context of these statutes that we have? The result is that PIPEDA, because it is a federal enactment, can only apply to federally regulated employees. And so if you are an employer in Ontario and you are provincially regulated, that act will not apply to your employees but it will apply to your collection of personal information for commercial purposes.

If you have employees in British Columbia, Alberta, or Quebec, the statutes that we're looking at right now do, in fact, have an application to employee personal information. And so that's how we end up with this patchwork across the nation. We can go to the next slide, please.

So if you are sitting in Ontario like I am, you may say Alycia, great. I don't need to worry about this and I can do whatever I like with the employee privacy. And that to an extent is true. But what you need to consider, even if your employees personal information is not governed by a statute, there's a couple of things that we need to be looking at.

So, number one, if you're a multinational enterprise or you're thinking about expanding into different jurisdictions, you should have an understanding of not only what the requirements are there, but where are the requirements where you're currently sitting.

And it's often an important consideration if you're implementing policies or new protocols, usually what we want to do is we want to look at the jurisdiction that has the most onerous requirements as the high water mark. So that's one element.

You would also want to consider, as part of building a robust privacy program, when you look at how your organization is collecting, using, and disclosing personal information in its commercial purposes. If you're building a robust privacy program, it usually then makes sense to also look at the employee personal information that you're collecting as well.

And as part of a foundational means in privacy, we always want to consider how we can limit data collection and retention as much as possible. So the idea being that you don't want to have more than what you truly need to have on hand. And that becomes increasingly important when we look at the exponentially increasing rate of cybersecurity incidents. And it's pretty much every day that you can read about one.

So, again, if we're keeping that in mind, biometric data would fall into one of those things where we want to consider, are we collecting this and is it really necessary? Do we need to hang on to it in the long term? Now, in Ontario, as I mentioned, there's no particular statute in the private sector on employee privacy, but we do also have to still consider privacy adjacent statutes, such as the recent requirement to have an electronic monitoring policy in place under the Employment Standards Act.

The other thing you would want to consider is privacy in general, but specifically biometrics as well, is you want to make sure you have a solid foundation to rely upon that information in the event that you need to use it for asserting a case for just cause dismissal or something related. And so, for example, if the biometric data that you've collected is somehow not reliable, well, then there goes your argument for just cause. So another consideration as well.

And last but certainly not least, if you have a unionized workplace, notwithstanding whether there is any particular statute that applies to you. I'm sure most unionized employers are familiar with the fact that there is a long line of arbitral jurisprudence that talks about employee privacy in the workplace, and specifically whether it is an appropriate exercise of management rights to implement certain protocols. So that's also something you'd want to consider.

And the statutes that we're going to talk about today are really helpful in informing that analysis as well if you're looking to implement a program. So now I'm going to pass it off to my colleague Crystal to discuss what biometrics are.

I'm so sorry. I got that wrong. The other thing I wanted to say is that there are, in fact, signals from the privacy commissioners nationwide that there may, in fact, be statutes coming into place in the future. So this here is an excerpt from the news release issued by the privacy commissioners back in 2023, October. So this is very recent.

But the signal that they're giving us is that it is increasingly important to privacy commissioners, employee privacy in the workplace, and the privacy of young persons as we are entering this new era of remote working. And so this type of resolution that's been passed by the commissioners, while it is not binding on the provincial legislatures, it is very important to understand that this is a signal where they're telling the legislatures this is something you need to be looking at.

So we don't have any reason to think that this is going to leave the hot seat anytime soon. And, in particular, we do have also in the parliament, the federal level, the consideration of Bill C27 which, if and when passed, is going to be a complete overhaul of our existing privacy regime in Canada.

We also have considerations from abroad as well, such as the EU whose recently passed the AI Act. And so all of these other different jurisdictions are really making this a prime consideration and so we think that that's going to transfer over into Canada as well. And sorry, Crystal, I will pass it over to you now.

CRYSTAL PARK: No problem. So what are-- so what are biometrics? So biometrics refers to the quantification of human characteristics in measurable terms. Originally, the word biometrics meant applying mathematical terms to biology, but nowadays the term refers to a range of techniques, devices, and systems that enable machines to recognize individuals or confirm-- or verify an individual's identity.

These systems measure and analyze the physical and behavioral attributes of an individual, which can include facial features, voice patterns, fingerprints, palm prints, finger and palm vein patterns, structures of the eye, gait, and so on.

Many biometric characteristics can be highly distinctive, with little or no overlap between individuals. Also, certain biometric characteristics tend to be stable over time and difficult to alter, like your fingerprints and irises by contrast. Other biometric characteristics such as faces may change over time and can also be further varied through cosmetics, disguises, or surgery. Today biometrics are used for recognition and characterization.

There are three types of recognition biometrics. The first is morphological biometrics. This type of data is a measurement of an individual's physical characteristics. And examples include fingerprints, facial recognition, hand geometry, iris scanning, and vein patterns.

Behavioral biometrics, this type of data includes measurements of the way an individual moves and acts. This technology works in the background, continuously monitoring an individual's behavior so that when that person attempts to log in, for example, they will be recognized by the way they move and from the way they move. An examples include keystroke patterns, gait, voice recognition, and mouse usage.

The third is biological biometrics, where an example is DNA. Categorization biometrics, on the other hand, are used to determine if an individual belongs to a group with a particular shared characteristic. And the characterization is based on the biometric data itself or by drawing inferences from the data collected.

It is important to note that where biometrics are involved, it is personal information about an identifiable individual that is being collected. And personal information under the Canadian PIPEDA includes any factual or subjective information, recorded or not, about an identifiable individual.

Under the GDPR, personal data means any information relating to an identified or identifiable natural person who is called a data subject. In addition to being a personal information, the nature of biometrics are such that the personal information is also particularly sensitive because it is core to the individual. Can you go to the next slide.

There are three general stages that encompasses how biometrics are used to recognize an individual. And disclaimer that we are not software engineers. But the first is enrollment. This is the time where an individual's biometrics are collected. A scanner, sensor, microphone, camera, or other technology is used to capture the biometric. And the biometric recording is usually algorithmically converted into a mathematical representation known as a biometric template.

The second phase is storage. The biometrics obtained during the enrollment phase can be stored in the operations center where the enrollment took place for later use or on a device carried by the individual or in a centralized database accessible by one or more of these biometric systems.

And the last phase is matching, which is where a probe biometric is collected from the individual, and is usually converted into a template to allow for an automated comparison against the previously enrolled biometrics for the purposes of either authentication and identification. Can we go to the next slide.

So what is identification and authentication? So authentication is the process of matching an individual's probe biometrics to the previously stored sample only to confirm who they are. Whereas identification is a process of cross-referencing an individual's biometrics against a database to search for who they are.

It is evident that the identification process is usually more invasive. Generally, biometric systems use algorithms to perform a number of functions, including comparing to biometric templates together and to provide a similarity score. If the similarity score passes the set threshold of the system, a positive match is provided. These algorithms learn to perform these automated functions through the use of training data. Can we go to the next slide.

So how are biometrics currently being used? Well, there are many ways that biometrics are being captured. For example, fingerprint scanners measure electrical currents or emit ultrasounds that reflect the pattern of an individual's fingerprint. Facial recognition systems take a photo of a person's face and compare it to their own images of that person, the known images of that person.

Iris recognition systems take an image of an individual's eye using infrared light and compare it to documentation of the individual's iris. Vein pattern recognitions emit infrared light through a scanner to create an image of the veins inside of an individual's hand.

Speaker recognition system analyze a combination of the acoustics in an individual's voice, with additional characteristics like accent, rhythm, or vocabulary. In fact, we're going to be looking into a case study about voice recognition systems using the employment context shortly.

There's also gait recognition systems where they use cameras to monitor and analyze an individual's movement, such as their stride or cadence of one person's walk, to verify an individual's identity. As biometrics are a convenient form of authentication, organizations have implemented the use of biometrics in different ways, such as managing access to building facilities, unlocking IT assets and devices, and making certain payment through a smartphone.

Some other real world examples include employers use of biometric programs to monitor, record certain facts, such as monitoring employee attendance, movements, or retrieval of banking or health records. In one case where there was a complaint from-- there were complaints from employees by an Edmonton nightclub tracking the arrival and departure times of its employees.

The office of the information privacy commissioner of Alberta hired investigators. And they discovered that the system don't actually store employees thumbs or handprints. Instead, they measure features of a person's print and then convert the measurements into a unique number that can't easily be translated back into the image of the print. And the commissioner in Alberta decided that this particular practice was deemed allowed under Alberta privacy laws.

If you travel a lot to the US, for example, you can pass a NEXUS also use biometric systems that expedites border crossings between Canada and the US by allowing low risk passengers to authenticate themselves using retina and thumb print scans. The next slide.

So what are some issues with biometric systems? Well, biometrics are, for the most part, unique to the individual. However, as with all technology, it does come with risks so it is possible for threat actors to mimic, copy, or impersonate an individual's biometrics to fool the system.

A few examples include copying an individual's fingerprint with a master key synthetic fingerprint, using a photo from an individual's social media profile to trick a facial recognition system, capturing an image of an individual's iris recognition system, using contact lenses with a printed image of an iris, recording of an individual's voice and using voice morphing to trick a speaker recognition system by linking that individual's voice over the attacker's voice.

As there is more sharing of information on social media like platforms, threats arising from information obtained from social media sites that are shared publicly have also increased accordingly. So now Alycia will take you to the Telus case study.

ALYCIA RILEY: Thanks, Crystal. So the Telus communications case study I really love. It's a great case study for federally regulated employers, but also helpful for just generally understanding how adjudicators are going to determine what's reasonable when it comes to biometrics.

So to give you a factual background, in 2002, Telus introduced a new technology called E-speak to its operational practices. And E-speak used a voice recognition technology to allow employees of Telus to access and use their internal computer network by speaking commands through a telephone as opposed to using a designated computer terminal or having another employee access the network on their behalf.

And so as part of that E-speak technology to gain access to the system, there was a complimentary piece of software called Nuance Verifier. And Nuance used speaker verification technology to verify the identity of persons that were trying to access E-speak.

And how that worked was it was a voice authentication software that created individual voiceprints, which would then authenticate callers and customers with just their voices and thereby enabling secure access to the information.

So certain employees of Telus complained about the use of the E-speak and nuance verifier systems, and then subsequently filed a complaint with the Office of Privacy Commissioner, OPC. The OPC's investigation found that the collection of the individual's voiceprint was not well founded concern for privacy matters. In other words they said, we're not accepting that there's a problem here. But under PIPEDA, once you have a report from the OPC, it's open to you to then take that and go to the federal court level.

And what happens is presently it's not an appeal in the strict sense, it's actually a brand new hearing. It's called a hearing de novo, which effectively gives you a second kick at the can. And so the employees applied to the federal court seeking an order that would, amongst other things, prevent Telus from requiring employees to provide biometric information.

At the federal court level they also dismissed the employees' applications, and the employees then also appealed to the Federal Court of Appeal. We could go to the next slide, please. Thank you. So the federal court-- and this was a decision affirmed again by the Federal Court of Appeal-- but the Federal Court set out the following factors in evaluating whether an organization's purpose was what a reasonable person would consider appropriate in the circumstances.

And so those are the indicia that we have listed here on the slide. So we have the degree of sensitivity, the security measures implemented, whether the organization's purpose represents a legitimate need or bona fide business interest, whether the collection use and disclosure would be effective in meeting that need, whether there are less invasive means of achieving the same ends at a comparable cost with comparable benefits, and whether the loss of privacy is proportional to the benefits.

So Telus-- oops, sorry. No, if we could just stay on that slide. Telus was found to be reasonably forthcoming in its consultations with employees, and it was actively seeking consent from its employees. And so as a result, the Federal Court held that Telus had fulfilled its obligations under PIPEDA with respect to the implementation of the voice technology.

Now, under consent here, I've not listed anything because a general concept in privacy laws, you always need to have consent. So how was that looked at in this particular case? At the federal level or federal court level, I should say, the federal court found that Telus actually was subject to an unusual exemption under PIPEDA, which would allow it to collect personal information without individual consent if the collection was clearly in the interests of the individual and their consent could not be obtained in a timely way.

And the rationale there was that there was a vast majority of employees who had consented this wasn't an issue, and there were just a few employees who were adamant in their resolve to not provide consent. And so the Federal Court believed that the intention of that exemption under PIPEDA was such that you couldn't have a couple of employees stymie the entire efforts of the program when every other employee has consented.

However, the Federal Court of Appeal did, in fact, overturn that finding and said that exemption could not apply in the circumstances because this was not a case where the company couldn't obtain consent from the employees, it was that they tried to get the consent and the employees declined. So that exemption didn't fit there.

But this case, along with others, did, in fact, lay the framework for what would happen in the future. And as you'll see in a few minutes, there is now, actually, an exemption under PIPEDA for employee personal information that didn't exist at the time when this was first decided. So I believe things will now move on to the regulatory considerations. And I'll pass that off to my colleague Jasmine.

JASMINE SAMRA: Thanks, Alycia. So as Alycia mentioned, the privacy framework in Canada is really a patchwork with many holes. So we're going to start with the most prescriptive standard, and that's Quebec. So, so far Quebec is the only Canadian jurisdiction to enact laws specifically governing the use of biometric technology.

So Quebec has an act, and it's called the act to establish a legal framework for information technology. And this act permits and applies to the creation of a database containing biometrics or where you're using a biometric system for identification or authentication purposes.

And then sitting on top of that we have privacy law. And under privacy law, biometrics is considered sensitive personal information. So we've got two statutes that we have to consider in Quebec. So I'm going to go into how to implement biometric system, the requirements to implement a biometric system in Quebec. And fair warning, they're quite onerous requirements.

So first off, in Quebec you have to do a privacy impact assessment. So that's mandatory under the new laws in Quebec. And that applies for any project to acquire, develop, or overhaul an information system or electronic service delivery system.

It must be necessary to collect the biometric data. So the fact that it's more convenient and is not a justification to the need to collect it. The purpose must be important, legitimate, and real. The data collection must be proportional to the use. So, for example, could you use one fingerprint rather than five fingerprints from the hand?

We've got also a couple of decisions in Quebec by the privacy regulator. So for one example was a hotel implemented a biometric time clock system to improve the efficiency of the payroll process. The company estimated it saved over 400 hours per year switching to this new biometric system.

The Quebec privacy regulator agreed that the purpose was legitimate and stemmed from a real problem. It, nonetheless, concluded that the organization did not demonstrate that this purpose was sufficient to justify the collection of biometrics.

The regulator also found that even if the purpose was sufficient, the invasion of privacy was disproportionate to the purpose given the sensitivity of the nature of the biometric information. The Quebec regulator also noted that there were alternative software available that could automate the payroll process without collecting the biometric information. So the organization was ordered to ceasefire its collection and destroy the database.

In Quebec you need to obtain consent before collecting biometrics. I know the Quebec regulator has a template available on its website. Alternative methods must be provided to an individual if they refuse to provide consent to their biometric.

ELISA SCALI: So, Jasmine, I have a question for you. Although biometrics in the workplace might be legal and appropriate in some cases, would you say that it's not really a one size fits all solution?

JASMINE SAMRA: No, because you do have to provide alternatives to folks that don't want to consent. So that might be providing two factor authentication or specific password or a token. And it's not as easy as just rolling it out for all employees.

ELISA SCALI: Thank you.

JASMINE SAMRA: If we could get to the next slide. Thank you. So employers have to minimize the invasion of privacy and implement appropriate security measures to protect the biometric information. As I mentioned, Quebec has the act to establish a legal framework for information technology. Under that act you have to notify the Quebec regulator prior to using any biometric technology to verify or confirm an individual's identity.

And then if you create a data, a bank of biometric characteristics-- so any sort of database-- you have to declare with the Quebec regulator at least 60 days in advance, you have to destroy the biometric information once it's no longer useful, and you have to allow employees to exercise their data subject rights.

As Alycia mentioned earlier, Quebec has undergone privacy reform, and there are now administrative fines and penalties in Quebec. So administrative fines are the greater of 2% of global revenue or $10 million, or for even serious contraventions or greater fines of greater of 4% or 25 million. So something very akin to what we see in Europe.

So if you are looking into implementing a biometric system in Quebec, you have to tread very carefully. Also, my colleagues in Quebec have indicated that when they have been filing these declarations, they're getting a lot of questions back from the Quebec regulator as well as investigations. And this is a really sensitive topic with the Quebec regulator. It's on its hit list of priority so tread lightly when you are looking into implementing a biometric system in Quebec.

And the next-- if I can just look to the next slide. So, again, then for employees, they have the right to refuse collection, so they have to be allowed to provide their consent freely. And they can withdraw that consent any time. They have a right to access their biometric information, they have a right to correct their information if it's accurate and complete or incomplete.

ELISA SCALI: And another question. And this is for the group. Let's assume that the employer has done its due diligence. They determine that they do want to proceed with biometric data collection. How would you recommend rolling this out and notifying the employees that you're going to be using this data collection method?

JASMINE SAMRA: So great question. And I always recommend at least to do like a trial or like a small pilot project first and get folks-- getting employees to know about it, and pre-launch with consultation with the employees and with the union, and to give employees a sense of empowerment by involving them in the process. Talk to them about the types of biometrics that could be collected, see what they feel is less invasive, and providing a couple of options that would meet-- would be sufficient to meet the business needs.

ALYCIA RILEY: And, certainly, you would want to make sure that you've got the statistics or the business rationale to back up what you're going to be proposing because if you don't have the quantitative means to show why this is the best way forward, I think you're probably going to run into a little bit of resistance on the implementation.

CRYSTAL PARK: It's also very important to recommend implementing a policy if there already is not one, where it explains the employee privacy rights in a straightforward manner, and also-- as we've already discussed-- what the alternative would be if the employee is not willing to provide their biometrics.

ALYCIA RILEY: Yeah. And the other thing you may want to consider is thoroughly canvassing like cybersecurity measures. Like if you're going to be collecting this information, where is it going to be stored? How is it going to be stored? Is it going to be encrypted? All of those things that you want to make sure you're aligned with your IT group on so that you've got all of those items figured out before you implement it.

JASMINE SAMRA: All right, so maybe we can move on to the next slide. So as Alycia mentioned earlier, we've got Alberta BC-- sorry, Alycia mentioned earlier there was a new-- a change in PIPEDA that-- and we see that similar language in BC, Alberta, and PIPEDA.

And so, basically, there is a carve out from consent for employees in Alberta, BC, and federally regulated undertakings. So that would be banks, telecoms, airports. And so if you are collecting the personal information for the sole purpose of establishing, managing, or terminating an employment relationship, or managing a post employment relationship, you can collect and use the information of employees.

And you just need to-- you don't need consent, and you just need to ensure-- in Alberta and BC you have to ensure that it's reasonable and that you have to also provide notification to employees for the purpose of the collection. So this is what BC-- the language in BC's legislation, what employee personal information is defined as. If we skip to the next slide, you will see Alberta has similar language.

And then if you skip to the next slide, we have what we have in PIPEDA federally, and very similar language. So, again, if the use-- collection use or disclosure is necessary to establish, manage, or terminate the employment relationship, you really just need to provide notice.

ELISA SCALI: And another question for you. Can you share your thoughts on whether an employer can rely on the provisions in the federal BC and Alberta statutes as a way to get around the consent requirements?

JASMINE SAMRA: You need to really lay the groundwork to prove that it's necessary. And it's debatable whether it's reasonably required for the purpose of administrating, managing-- or managing the employment relationship. Again, it's going to depend on the context. Like what are you trying-- what is the business rationale and what biometric modality you're using. I'm going to turn it over to Alycia because I know there's a recent arbitration in BC, and she can maybe discuss that a little bit to give you a bit more context.

ALYCIA RILEY: Yeah. Thanks, Jasmine. So the decision that Jasmine is referring to, it's a 2023 decision out of British, Columbia Canadian Forest Products. And in that arbitration award, it involved the use of a technology called Kronos Touch ID. And the union grieved that the implementation of the technology was contrary-- again, this being in BC-- it was contrary to PIPA, which is the Personal Information Protection Act, as well as the collective agreement, because they said it was an unreasonable exercise of management rights.

And so the Kronos Touch ID was being used by the employer to integrate, modernize its timekeeping, its attendance management, and its payroll, to verify employee time and attendance, improve accuracy and transparency in timekeeping, and increase the operational efficiency. So the system that they had had in place before was essentially a good faith reporting of the supervisor who would happen to see when the employee showed up for work.

And so in the analysis, there wasn't any dispute that the collection of the thumbprint was a collection of biometrics information. There wasn't any dispute that this constituted employee personal information, which is the definition that we just looked at a couple slides ago.

Now, without a lot of discussion, the arbitrator actually found that those purposes-- the timekeeping and administration of payroll-- those purposes were actually found to be reasonably required to establish, manage, or terminate the employment relationship, which is great news for employers in BC. That means that you could, in theory, collect biometric data and implement this by just providing notice to the employees as opposed to having to seek out their consent.

But what you do need to keep in mind-- and this is what the award also still had to consider-- is that is still subject to the determination of whether the collection and use was reasonable in the circumstances. So there is this overriding-- regardless of whether you are required to have consent or not, there is still an overriding requirement for reasonableness. Which means, would a reasonable person consider this appropriate in the circumstances?

And so in that case, the arbitrator applied a decision of the BC privacy commissioner. It's known as the Schindler factors. It's been used subsequently in both privacy and arbitration decisions since then. But it takes us back to that same framework we were looking at before. So we're looking at sensitivity, the effectiveness, the manner of collection, the availability of alternatives, and the potential offense to the employee's dignity.

So we have quite a few different ways of assessing this. But, again, we could be able to rely on these exemptions in the future but you still need to undertake that analysis because if you do have a complaint, you're going to need to have the rationale to back up all of these factors.

JASMINE SAMRA: Thanks, Alycia. So I think we'll move on to the next slide. And we're going to talk about some recent guidance from the OPC, which is the Office of the Privacy Commissioner of Canada. So last fall, the federal privacy commissioner launched a public consultation on new draft guidelines on biometric technologies. It was open for feedback from organizations and industry stakeholders,.

And that feedback closed this February so we'll be waiting to see what these new guidelines look like. But we have the draft, and I'm just going to highlight some of the requirements under the draft. Again, we see a lot of overlap with the requirements in Quebec and some in the case law that Alycia just discussed. It's not as prescriptive as Quebec yet, but, again, we start off with consent unless you have an exception to consent, and a consent should be informed.

The privacy commissioner has listed a number of no go zones, such as collecting, using or disclosing personal information or biometrics that is otherwise unlawful, or if your profiling or categorization of individuals that leads to unfair, unethical or contrary to human law-- human rights law. So organizations should provide alternatives to individuals, so not everyone should be forced into providing their biometrics.

And so we should also-- organizations should all limit the collection. So biometric information must be limited to what is necessary for achieving the stated purpose. Organizations should use authentication for identification, as Crystal mentioned earlier, and you should use the minimum number of biometric characteristics needed.

And there's other methods like, do you really need to keep a copy of an individual's ID when you've got their biometrics and you've confirmed their identity? So that's something that could be destroyed. You also need to limit the use, disclosure, and retention. So organizations should only use biometrics for the purposes which it was collected for.

So you shouldn't be analyzing biometrics for a secondary purpose, you should only allow individuals who need access to the information to have access. You should delink the biometric database from other systems. So it should be separate and not linked to other personal information. You should limit the retention and, again, destroy the raw biometric data used to create the template.

You also are required to have safeguards in place. So organizations need to use physical, organizational and technical measures to safeguard against different types ways a breach could occur. And you have to include controls for personal access as well as technical requirements. So, again, because we are dealing with really sensitive personal information, those safeguards should be at the highest available.

And then accuracy is really important. So organizations should consider the biometrics are really fit for the purpose and choose a technology with a suitable accuracy rate and ensure accuracy at enrollment. If we can move on to the next slide.

So organizations are held accountable for any personal information they collect. And that's under their control. So if you are using third parties to assist in the process of personal-- processing of personal information, you are the accountable entity. So you have to ensure that any third party vendors you're using, you have appropriate contracts in place or other means to ensure that these third parties are implementing a comparable level of privacy protection.

ELISA SCALI: And with respect to the third party providers, can you expand on how that would work if the employer wanted to use a third party biometric provider.

JASMINE SAMRA: Sure. So it really means you need to do your due diligence. And we mean do your due diligence. You have to go through their security requirements that they have in place. You'd have to audit any contractual provisions.

So you should have contractual provisions in place with them to ensure that there's a comparable level of protection, make sure you know where the information is being transferred, check their privacy policies, their terms of use. If they're using any other subprocessors, ensure they're not using the data for any other purpose so they can't sell or share that information for any other to a third party.

ALYCIA RILEY: And I would say, like, I know it's-- I've had a couple of clients who will show me like, hey, we've got this technology. We want to use it. What do you think? And we go to the provider's website or I'm trying to assume the role of an employee, so I'm going through the app or seeing how it's all going to work. And there's no privacy policy or there are no terms of use.

So as the employee, that doesn't give me any comfort as to what is going to happen with my information. It goes somewhere presumably into the cloud and then where? Where is it stored? Is it encrypted? So if you can do all of that homework in advance, again, that's going to really help with the uptake of the technology because then you'll say this isn't meant to scare you, this isn't a big brother thing.

This is we've thought all of this through, we've done our due diligence, we know exactly where this information is going to be transformed, how it's going to be stored, it is going to be encrypted. So everything that you can do to provide that additional comfort to your employees is going to really help make them feel comfortable with the process.

JASMINE SAMRA: Yeah. And at the end of the day, you're responsible for that-- the biometrics. So it doesn't matter if you've outsourced it. So you have to just make sure that you've got safeguards in place. So we're going to move on to openness.

So organizations have to be transparent and open with their employees about how their personal information is used. So this is really achieved by providing information like privacy notices, informing individuals about the specific use of the biometrics, and providing a contact information to allow people to get more information, ask questions, and feel more comfortable with the use of biometrics.

And while organizations are required to evaluate whether the purpose of the biometric initiative is appropriate in the circumstance, the federal privacy commissioners warn that the appropriateness requires a contextual assessment. And you can't just-- it can't be replaced with by just obtaining consent of individuals.

So when identifying an appropriate purpose-- so similar to what Alycia discussed earlier-- you have to really look at the sensitivity, necessity, effectiveness, proportionality and whether it's minimal intrusiveness. And so I think next we're going to drill down on those five areas. So if we can move on to the next slide. Thank you.

So sensitivity of biometrics. So generally biometrics are considered sensitive information, but some biometrics may be more sensitive than others. And you have to figure out which biometric is suitable, which biometrics-- or which biometric modality is suitable for your purpose and that it presents the least risk to individuals.

So the sensitivity of information on its own will not determine whether an organization is justified in collecting, using or disclosing the information, however, the more sensitive the information is, the greater the justification by the organization it is for why they need to require it-- or why they need to collect, use or disclose it.

ELISA SCALI: So if you had to rank in order the different forms of biometric data from most to least sensitive, could you share that with us?

JASMINE SAMRA: Yeah, sure. Great question. So DNA would be the most sensitive. There's really no reason why an employer would need a DNA. Facial recognition, unless an employee chooses to opt into something like FaceTime, there's really no good reason for using the physical face, facial recognition because it's highly sensitive and it's really very personal.

And then we've got iris scans. And that's something that Crystal was discussing earlier. They're somewhat invasive, but not as invasive as the whole face. But with IRAs scans you can see whether someone has a certain disease so it can be a bit more intrusive. We have also--

ALYCIA RILEY: I'm sorry. I was going to say, just to touch on facial recognition because I know we had a Q&A about passwordless entry using the face. So Jasmine, correct me if I'm wrong but my sense of that is the information is not being shared with the employer. It's not leaving that individual's personal device. So that makes it a lot more permissible even though we're capturing the face but it's not being stored anywhere else. It can't be used by the employer in a different context. So my sense of that would be that it's more likely to be permissible in that context.

JASMINE SAMRA: Yeah, so that definitely decreases the invasiveness, the fact that the employer can't access it, it's on your device. And so localizing where it's stored really helps versus creating this massive database. And employers don't really want to do that because if you do create a massive database, you're very susceptible to breaches.

And if you have a breach of biometric data, that's going to cause a lot of harm to folks. So I would recommend staying away from that as much as possible. And we also have fingerprint scanning, and then palm vein scanning would be less. And then voice recognition, as Alycia mentioned in the case study, would be the least or would be less invasive.

ALYCIA RILEY: And just going back to that Canadian Forest Products case that I was talking about earlier, we have this hierarchy but even to the question in the Q&A, how that biometrics data gets transformed or stored once it is collected will also have an effect on the sensitivity. So, again, with the facetime, it's not being collected and going directly to the employer, it's not being saved on their system. So, really, it stays local.

In the Canadian Forest Products case, there was the collection of a fingertip image, but as Krystal mentioned, more often than not, that gets converted. So it gets converted by mathematical algorithm, I guess I'll call it. Sorry, I'm not very techie, but it does get converted. And so you're not storing that original thumbprint, right.

And in that particular case, the ability to reverse engineer the touch ID print back into the original fingerprint was pretty much impossible. So in the event of a data breach, you've got some information that would be less likely to be used maliciously by a threat actor. Potentially could get you into the system but that broader risk would not be there. That's another consideration.

JASMINE SAMRA: You had the original fingerprint saved in the system, and then that could be used for multiple other uses. So that's the kind of things you have to think about. Let's move on to the next slide. We'll talk a little bit about necessity, which is a good segue to what we were just already talking about.

So you have to demonstrate that your organization's biometric program is necessary to meet a specific and legitimate need. And you have to figure out why a non-biometric option may not be sufficient. So if your underlying business rationale is to increase convenience, that's not going to work. It has to be, really, a real business need.

So, for example, you don't need biometrics to enter into your fitness club. Like a swipe card or some sort of token would work. So you really need to consider what the rationale is connected to the business goal, and this should be documented.

ELISA SCALI: So I have a question about two factor authentication, which we've heard about already during the presentation. Can you explain what two factor authentication is and why that is also often sufficient and would render the use of the biometric data unnecessary or inappropriate.

JASMINE SAMRA: Yeah, definitely. A great question. So for two factor authentication, it's really a method of having something you know and something you have. So basically you combine these two distinct forms to verify you to make it more difficult for unauthorized individuals to gain access.

So something you know is usually like a password or a PIN or a security question, something you have. Could be like your physical device such as your smartphone or a token. So a good example, we see a lot of two factor authentication for online banking. Like you sign in, you enter in your password, then you get a text to your phone with a code, and then you enter in the code to then get access to your bank account.

And so this a lot of times is sufficient to meet the needs of security and making sure unauthorized users are not able to access it. Because if it's just a simple password that someone could guess, there's multiple breaches where passwords are been leaked everywhere. And so this helps with that.

And so, for instance, do you really need my fingerprint for me to enter my laptop or would two factor authentication be sufficient? And a lot of times two factor authentication is sufficient to meet the need of security. So let's move on to effectiveness. So if we could go on to the next slide.

So you have to ensure that the proposed biometric program or initiative will be effective in meeting the goals identified. So there should be a really high degree of confidence that the biometric program will be effective and reliable as a whole, and you have to have a plan on how you're going to measure the effectiveness of the program.

So it has to be designed to effectively address the issues for which it's deployed. And you have to consider the scientific and technical validity, the accuracy of the technology, error rates, and the risks of biometrics could be circumvented.

ELISA SCALI: Jasmine, can you help us understand how an employer can assess the liability of the particular form or system of biometric data collection that they want to use.

JASMINE SAMRA: Yeah. So there's a lot of technical tests you can do. So I'll just mention a couple like false accept rate, which is how the system incorrectly identifies an unauthorized user as authorized, and then false reject rate, which indicates the likelihood that the system wrongly rejects an authorized user. And so the more accurate system would have low false accept rate and low false reject rate.

So there's a technical component, but you also have to ensure that the biometric program is meeting your goal. So the federal privacy commissioner has a decision on where the company that does the test taking for the LSAT was collecting thumbprints. And the whole purpose was to deter proxy test taking, but through the investigation, the company never used the thumbprint to ensure it's the right individual. So it was just an unnecessary collection of biometrics.

So that's also part of it. Like you might have this rationale, oh, we're going to use it for this purpose, but then at the end of the day, if you're not using it for that purpose, you're going to get yourself in trouble and be offside. If we could flip to the next slide.

So proportionality, so you have to assess whether the program or initiative is proportional to the benefit to the company. So is there a more effective way of achieving this through biometrics other than biometrics that's less intrusive? And, again, this is like, do you need a whole hand finger-- all the fingerprints or is one thumbprint or half a thumbprint enough?

So because the loss of privacy with the result from handling of biometrics is really high, so you have to be cognizant of the significant impacts on individuals. So when you're implementing technology, you have to ensure that there's a-- excuse me-- protective measures to mitigate any impacts on privacy. So if we could flip to the next slide.

And so the last one is you have to assess whether there are less intrusive means of achieving the purpose other than through the collection use or disclosure of biometrics. Is there evidence that other less privacy intrusive means can achieve the same purpose? Again, can we use two factor authentication?

A biometric initiative is deemed more convenient than alternatives won't meet this requirement. And so you have to also look at what steps you can take to reduce the privacy intrusion as much as possible and, again, look at whether use all sensitive biometrics or whether there's a way to limit the amount of biometrics you need for the program. And I think that's it on my end. And we're going to flip to our last slide.

ELISA SCALI: Can I just ask a question before we flip to the last slide on minimal intrusiveness? Just going back to the Canadian Forest Products arbitration award, how did the arbitrator look at that issue of minimal intrusiveness in that award?

ALYCIA RILEY: So the union argued in that case that the employer Can For hadn't reasonably considered alternatives. And the union proposed quite a few different ones, but it was a bit of a spread out workforce. So, for example, one of the things they considered was like two way radios between a worker and the supervisor to say, hey, I'm here at work. You can clock me in, things like that.

The union also said that the employer hadn't established any persistent issue with respect to, for example, buddy punching. And so I was actually pleasantly surprised as employer counsel to read this but the adjudicator said, the employer doesn't have to prove the existence of a substantial problem to justify its collection and use of employee personal information.

We can contrast that with something like drug and alcohol policies where the case law says if you're going to implement that, you do need to, more likely than not, have evidence of a substantial problem in the workplace. And so when the arbitrator was considering the cases and the alternatives that were cited by the employer, it was they had been at least some evidence called to show that there was a problem or that there was some evidence the employer had considered alternatives and found them to not be sufficient in the circumstances.

So there was a comment from the arbitrator that the employer's evidence on that point could have been better, but overall, balance of interest. The arbitrator was satisfied that, OK, you did actually consider some alternatives.

I'm satisfied that you were considering issues of things like buddy punching, which under their existing system-- which was basically a good faith reporting by the supervisor-- well, if that's your existing system, you can't have any established evidence of buddy punching because it just-- that's never the way it was done before.

So balancing all of those systems, the considerations, I should say, the arbitrator was satisfied that there was enough there to show that this was a minimally intrusive approach. And then given the size of the worksite, the nature of the operations-- because this was like a forestry industry-- the nature of the alternatives that were proposed by the union were just simply not going to be as effective.

So there was a bit of a, I'd say, a practical approach by the arbitrator in saying like, yes, this would work in theory but operationally this is the better way of doing it. So if the alternatives exist, an organization should consider them, document them. But that doesn't mean that just because those alternatives exist, that completely takes away your right to implement biometrics. But, certainly, if you have a complaint or you're subject to an audit, you want to make sure that you've undertaken that analysis.

JASMINE SAMRA: And I would just add, if you do actually have an issue that always bolsters the need for the biometrics, so it is a balancing act where you have to weigh the needs of the company and the invasion of privacy on the individual. And it's a bit of a balancing act. So the more arguments you have for implementation, the better. OK, so I think that takes us to our next slide. And we've got some best practices for the future. I'm going to maybe turn it over to Crystal to kick it off.

CRYSTAL PARK: Yeah. So for best practices, the first-- we've discussed this-- that would be to identify the business purpose as to why biometrics are being collected or the systems are being used. And documentation is key. It's very important. The second is to examine all relevant legal obligations and authorities, depending on which jurisdictions you fall under.

We've touched upon it with respect to the patchwork of legislation that's applicable with biometrics, whether it be federal, provincial. And a key takeaway from this presentation should be that Quebec is stringent so it would be really important to examine all the legal obligations and authorities. You would have to also respect key privacy principles, of course. And we didn't talk about this as much but also conduct a privacy impact assessment for any systems that you are planning to implement.

ALYCIA RILEY: And I'll let Jasmine talk about this a bit more as well but the privacy impact assessment is a requirement in Quebec, but it really incorporates, I would say, a lot of the principles and concepts that we've discussed today. It kind of takes you through it in a more structured format so that you are, in fact, documenting all of those considerations that you've undertaken. Sorry, go ahead Jasmine.

JASMINE SAMRA: I was just going to say in the jurisdictions where it's not mandatory, it is really best practices. Especially for something like biometrics, you're dealing with really sensitive personal information. And the privacy impact assessment will walk you through all of the elements we have discussed today, as well as help you figure out ways to mitigate the risk to individuals and mitigate the risk with the implementation of a biometric system.

It's also helpful when there's an issue or a complaint, you can show that you've really walked through the process and really made considerations. And the use of a privacy impact assessment is very helpful because you can always hand that over and say, here's our privacy impact assessment, this is what we looked at in case a regulator-- there's a complaint to the regulator.

ALYCIA RILEY: And I think the commissioners have templates online. Is that right?

JASMINE SAMRA: They do but it's because it's mandatory for public entities, but they are very good starting points. And there is information for private corporations on the various regulators' websites. But in Quebec there is guidelines on PIUs because they are mandatory. Unfortunately I think it's in French, but we do-- we have a great team in Montreal that does them all the time.

ALYCIA RILEY: Yes, we do. I just want to say our team in Montreal has published some fantastic materials on biometric collection. They have a wonderful chart. If you're interested in visiting our website, you can download it. It's really, really thorough. And, of course, if you have any further questions, we'd be happy to put you in touch with them.

So just to go through these other ones here, so identifying why other options are insufficient. So, again, looking at-- I think this would depend in part on what it is, like what is the purpose that you're going to use it for, right. Accessing your computer, MFA probably sufficient. Is that necessarily going to have the same effect for preventing buddy punching? Maybe or maybe not. So it really will depend on why you want to implement this system.

When you've decided that you want to, you need to identify which third parties are you going to contract with, what are the cybersecurity measures that you need to have in place. Making sure that if you are contracting with a third party, they're taking the protection of this information as seriously as you are.

Consulting with internal stakeholders. Again, if you do have a union, your collective agreement may or may not obligate you to have prior consultation with them. Some collective agreements just require notice, but certainly you want to make sure that all stakeholders who can and/or should be consulted are consulted.

And then once you've got a good sense of how this is all going to work, you want to test out your employee management information practices. So that goes into really evaluating the entire system, making sure that you've got those things covered off in advance. Ideally, as Crystal mentioned earlier, you want to have a privacy policy in place as well, which will help then in the future inform your process for collection, use disclosure, retention, safeguarding, all of those things.

JASMINE SAMRA: Yeah. And so, again, as we talked about, you have to communicate. One of the privacy principles that our laws are based on are being open and transparent. So consult your workforce, get them involved early on, and get them-- help them understand why you want to implement this system and how you want to use it.

Obtain consent in the jurisdictions you need to. And for all jurisdictions, you do really need to provide some sort of notice. As well as have someone available to answer questions, whether it's your privacy officer or another individual who's engaged in the project. You have to reassess your practices and make adjustments. So it's not a one and done situation where you roll out the biometrics and then never look at it again.

So you'd have to constantly make sure it's really fit for purpose, you're not over-collecting personal information. Maybe new technologies come out that now you don't really need the biometrics, so look to see as technology is moving so fast. As well as it's not just about how you implement it.

If you are also using third parties as we discussed, you are responsible. So audit those third parties, make sure that they've got the appropriate safeguards in place, that they've got limited personnel having access to the biometrics.

So that's really important because I think a lot of times we put these audit rights and contracts and they don't actually-- are not used in practice. And then lastly, consult with counsel as you need. And we're here if you have any questions. And check out our website, we've got lots of material. As Alycia mentioned, there's lots of material from all of the developments in Quebec. We've got fantastic flow charts, as well as articles on the privacy reform that's happening federally.

And one of the big pieces with the privacy reform federally is there's going to be administrative penalties similar to what we're seeing under GDPR, what Quebec already has. Alberta is looking at reform in Alberta and potential penalties. And I'm sure BC will be along shortly after as well. So this is an area that's becoming very hot, and you have to be very mindful of the potential fines because it's no longer just reputational damage. There's really impact to the business with these large fines, and we've seen in other jurisdictions.

ELISA SCALI: Thank you. So we have one question in our Q&A, so I'd like to pose that one question before we conclude the webinar. And that question is, if an employer decides to enable biometric authentication on its laptops, do they need to notify Quebec CAI even if the data will be stored in encrypted form, the data will not be accessible to either internal teams or any third party service providers, and the use of biometric functionality will be voluntary for all employees.

JASMINE SAMRA: So for Quebec I would say, yes, you most likely do have to register as soon as you're collecting it for identification or verification or if you create any sort of database, biometric database. So if it's just pictures, that wouldn't be considered a database of biometrics because they're static. But any sort of biometric like your fingerprint or facial recognition, that would fall under the Quebec regime and you are required to declare to notify the regulator in Quebec.

ELISA SCALI: Thank you. So we don't have any other questions so that will conclude our webinar for today. I'd like to Thank our speakers. That was very informative. And if you have any questions related to the webinar or any questions related to cybersecurity and privacy, please do not hesitate to reach out to Jasmine, Crystal, or Alycia.

Our next webinar is set for June 19, so please stay tuned for more information to come on that webinar. Now, your feedback on these webinars is very important to us, so I'd like you to take a few minutes, if you have today, to complete our survey. It's very brief.

If you just take a screenshot of that QR code on your screen, it'll take you to our survey. Tell us what we did well and where we can improve, and we will try to implement those changes to make these the best webinars possible. So I would like to thank our speakers again, and I'd like to wish everyone a very wonderful day. Thanks.

ALYCIA RILEY: Take care, everyone.

JASMINE SAMRA: Thank you.

[WHOOSH]