Employee Privacy and Physical Access Control Systems

KCarroll's picture

For the past four years, HID Global has been working to educate policymakers about RFID technology and address the concerns they have raised about its potential impact on privacy rights.

Despite these efforts, anti-RFID legislation continues to be introduced in state legislatures nationwide.

Some legislation would ban the use of the technology in such applications as access control systems. In other cases, the legislation would require employers to label each access control badge with a warning that the badge contains RFID technology. Some state legislation even goes so far as to give employees the right to refuse to carry an access control badge that uses RFID.

Smart cards have not been exempted from the proposed bans or regulations because definitions of RFID often include the phrase “any technology that communicates via radio waves,” thus implicating smart cards. The good news is that, to date, the most onerous legislation proposed has failed to pass.

Thus the RFID industry and users of the technology have an opportunity to avert a legislative solution and benefit in other ways by taking steps to address privacy proactively. For example, employers that use RFID-based access control systems (PACS) can better protect employees’ personally identifiable information (PII) and reduce their potential exposure to liability.

First and foremost, conducting a privacy impact assessment (PIA) can help determine where privacy might be implicated in the deployment of a PACS. To view an example of how to conduct a PIA, The Department of Homeland Security is a great place to start. By asking questions about how PII is collected or used in a system, users can decide whether the PII is needed and if it is, how best to protect it.

A PIA might reveal that PACS databases often contain PII if information such as an employee’s home address, telephone number, car license plate number, or the like is included. Following some basic privacy principles can help avoid problems or liability:

• Minimize use of personally identifiable information (PII)
• Limit the length of time that data is retained
• Use available technology solutions such as encryption to protect PII
• Control access to data collected (clear audit trail if there is a breach)
• Establish mitigation procedures if a breach occurs

Beyond PII, PACS raise a potential privacy concern with the ability to monitor employee movements. For example, when an employee arrives in the morning, leaves for lunch or goes home at the end of the day. The key element to remember is that any monitoring should be based on a legitimate business justification, and in most cases, limited to work hours. If the system is to be used for monitoring location, employees’ written consent should be obtained before any monitoring takes place.

Because smart cards are facilitating the convergence of physical and logical access control, understanding the privacy concerns associated with such use can help companies avoid any pitfalls. Creating a privacy policy for both the employer and the employee can help drive awareness and compliance with the principles outlined here.

Communicating those policies and routinely reiterating them can help protect both the employer and the employee. The policy should be signed by each employee and then placed in employee’s personnel file. Protecting employee privacy is a sound business decision that can create goodwill and promote employee satisfaction.

Disclaimer: The information presented here is for general privacy awareness only. In specific cases, it is best to consult a qualified attorney.