Global Compliance Desk – Quebec

Quebec: New Guidelines Regarding Biometric Time Clocks in the Workplace

Recently, Québec’s privacy regulator, the Commission d’accès à l’information (the “CAI”) published its observations (available in French only) on the trend among organizations to use biometric time clocks to monitor and manage employee hours and payroll. The CAI stated in the observation guidelines that, in most cases, workplaces’ use of biometric time clocks do not comply with applicable privacy legislation. The CAI has based the Guidelines taking into consideration the current as well as the upcoming amendments to the Protection of Information Laws. 

The Act to modernize legislative provisions as regards the protection of personal information, as regards the protection of personal information (”Bill 64”), brings significant amendments to the –  

• • Act respecting access to documents held by public bodies and the protection of personal information.
  • Act respecting the protection of personal information in the private sector.
  • Act to establish a legal framework for information technology.

Majority of the modifications introduced under Bill 64 will enter into force on September 22, 2023 which includes –  

• • • Establishment and publication of governance and confidentiality policies.
    • Privacy impact assessments.
    • Updated consent requirements.
    • Monetary administrative penalties and penal sanctions.
    • Disclosure regarding automated processing.
    • Use of information to identify, localize or profile an individual.
    • Default parameters to protect confidentiality.
    • Anonymization of personal information.

This blog provides a guide to the current legislation and CAI guidance surrounding biometric time clocks in Québec. It shall also emphasize in detail the upcoming changes in the legislative framework of Private Information Laws and how CAI is implementing those changes.

Legal Requirements Prior to Establishing a Biometric Database 

In Quebec, the current Act to establish a legal framework for information technology requires that the creation of a biometric feature or measurement bank for the purposes of identification or authentication be disclosed to the CAI no later than 60 days before it is put into service. Organizations are therefore required to make a timely declaration to the CAI regarding the use of biometric time clocks. 

Biometric time clocks are devices used to identify employees and track their work hours using an employee’s biometric information, such as fingerprint, palm, facial or iris scan. Biometric scans are generally considered by employers to be quick and reliable means for tracking employees. Unlike access cards or entry codes, an employee’s biometric information cannot be borrowed and swiped by other employees, nor can it be forgotten or misplaced. However, since biometric data is “distinctive, unlikely to vary over time, difficult to change and largely unique to the individual”, it is also considered highly sensitive.

Employers must obtain consent from employees prior to collecting biometric information or implementing a biometric system. In particular, the CAI has published a consent template (available in French only at this time) that organizations can use and adapt to their own specific needs. Employers must provide consent forms containing the necessary information to their employees to obtain their express consent which must be free, informed, and time-limited.

The CAI states that, even where consent is obtained from employees, an organization must be prepared to demonstrate why it is necessary within the meaning of the Act respecting the protection of personal information in the private sector to implement and use a system that collects biometric information. In other words, consent is not a substitute in the absence of necessity.

Criteria to Determine if the Use of a Biometric Database is Compliant With the Law

In accordance with the Act respecting the protection of personal information in the private sector, employers are required to undertake an assessment of the circumstances and issues that led to the decision to implement a biometric time clock. The CAI indicates that typical management objectives (e.g., improving the efficiency of payroll management through automation, using the same system as other branches of an organization, avoiding loss and breakage of magnetic access cards, etc.) do not reach the level of importance to justify the collection of such sensitive information. The CAI will look for real and documented evidence of a serious issue that cannot be resolved without resorting to biometrics.

Employers are required to ensure that the assessment is well documented. If in case the CAI requires further investigation or has complaints, the assessment will allow the organization to demonstrate that, it has carried out a rigorous assessment and meets the above-mentioned criteria.

Once the employer concludes that the purpose for gathering the biometric data is important and legal, the method of collection and the content of the data collection is proportionate for achieving that purpose. According to the CAI, for the collection of biometric information to be a proportionate means of achieving the organization’s purpose:

• • • the use of a biometric time clock must be an effective way to achieve the objective (rational link);
    • less intrusive means of achieving the desired objective must be given priority, minimizing collection in the absence of other means; and
    • the benefits of using a biometric system must outweigh the infringement of employees’ rights and the adverse consequences that may result from the implementation of such a system.

Even if all the above criteria are met, employers must finally respect the right of employees to refuse to have their biometric information collected by seeking express consent and providing an alternative to the use of a biometric time clock. This is considered a key element of free consent by the CAI as illustrated in its Draft Consent Guidelines published on May 16, 2023.

Consequences of Failing to Comply with the Legislation

Failing to comply with the legal requirements and the CAI’s guidance will expose organizations to serious financial consequences.

Effective September 22, 2023, Bill 64 (Act to modernize legislative provisions as regards the protection of personal information), shall empower the CAI, to have the ability to impose significant administrative monetary penalties of up to $10,000,000 or 2% of the organization’s worldwide turnover to any organization. In addition, the CAI will also be able to impose penal fines up to the greater of $25,000,000 or 4% of the organization’s worldwide turnover. (reserved for egregious offenses).

Furthermore, individual employees can now bring a private action against an organization for damages resulting from the unlawful infringement of the right to privacy.

Steps for Compliance

Employers considering tracking their employees’ time using biometrics in Québec must be careful. To reduce risks to the organization from possible complaints and fines associated with the misuse of biometric information, it is important for organizations to stay up to date on requirements set out in legislation and CAI guidance.

From a compliance standpoint, in addition to the requirement to give notice to the CAI, before implementing biometric time clocks or similar systems using biometric information in Québec, employers  must:

• • • Figure out the purposes for the implementation of such systems;
    • Document any issues or problems to be remedied by their implementation;
    • Evaluate the situation and ensure that the defined objectives are real, legitimate, and important enough to account for the collection of sensitive biometric information;
    • Check that are no other, less intrusive means to achieve the objectives; 
    • Weigh the pros and cons of the method on the employees including the risks of their biometric information being compromised.

>Once the employer comes to the conclusion that the collection of biometrics data is necessary and within the meaning of the law, they must also ensure that the chosen system minimizes the invasion of privacy, provides appropriate safeguards, and complies with other legal obligations.

As stated in the CAI guidelines, carrying out a privacy impact assessment will allow employers to think about and document the above criteria in a rigorous manner.