
Scenario

Busy Machinery Ltd operates a highly dangerous worksite. They are reviewing their processes to keep workers safe and to make sure they comply with legal requirements around health and safety. Among other obligations, they need to ensure they have strict access controls so only appropriately trained staff access certain areas/machinery, and to have a ‘live’ record of who and how many staff are on site at any one time.

Busy Machinery decides to explore using facial recognition technology (FRT) to monitor access controls and keep a log of workers on site. The FRT system would have two groups enrolled – workers allowed to access the general worksite area and workers allowed to access certain areas and machinery.

FRT would be used to detect workers entering the site and restricted areas and alerts would go off if unauthorised people or workers tried to enter the worksite or restricted areas.

The system would also count and record how many workers, and which workers, were on site so there was a live attendance log in case of an incident.

Rule

Application of rule

Does the Code apply?

Yes, Busy Machinery is collecting facial images to identify people using a biometric system. 

Rule 1: Purpose for collection

Busy Machinery’s lawful purpose is to put in place a more robust process to keep workers safe and comply with legal health and safety requirements.

Busy Machinery determines that the biometric processing is necessary to achieve their purpose.

  • It’s effective: There is a clear link between the problem (needing a way to monitor and restrict who accesses the worksite and uses the machinery) and the ability of an FRT system to help solve the problem. The FRT provider Busy Machinery chose has deployed this type of solution in similarly dangerous work environments before and has data showing how it worked, how it can help in the event of a health and safety incident, as well as a reduction in unauthorised access to restricted areas. The facial recognition algorithm chosen has a high accuracy rating across demographics and could be set to an appropriate specificity and sensitivity level that balanced false negatives (disrupting workflows) and false positives (guarding against unauthorised people).
  • Alternatives: There are other ways for Busy Machinery to monitor workers on site and control access, but these all have significant drawbacks. It was important for Busy Machinery to find a seamless ‘contactless’ way of monitoring each worker entering and exiting. Busy Machinery considered a physical access card option or signing in on a paper register at the site entrance. These were feasible options but were likely to be less effective as they rely on workers to remember cards or to sign in. Workers are usually wearing physical protective suits and/or carrying equipment that would make using these alternatives more difficult and less convenient. Cards can also be passed from an authorised user to an unauthorised user, creating safety and security risks. Therefore, Busy Machinery determines that it cannot reasonably achieve its purpose as effectively by an alternative means with less privacy risk.

Busy Machinery will adopt reasonable privacy safeguards, including:

  • There will be a strict policy around access to and use of data, backed up with robust access and audit controls. Information from the FRT system will only be used for health and safety and incident responses, not performance, disciplinary actions, or covertly watching employees.
  • The daily log of data collected will be deleted as soon as the site manager confirms that there was no health and safety incident.
  • Providing for human review and oversight of the system i.e. the worksite manager will review any decisions flagged by the workers as wrong.
  • The system will be regularly reviewed to ensure it is sufficiently effective and information is adequately protected.
  • Busy Machinery consults with workers about the FRT system as well as the other non-biometric options. The outcome of the consultation was that the workers were comfortable with the FRT system as long as the above safeguards were adopted.

Busy Machinery assesses proportionality:

This system poses moderate privacy risk but the residual risk level is lower due to the safeguards implemented:

  • Monitoring a workspace using FRT that records live attendance onsite is generally more intrusive than the use of CCTV.
  • The context of the employment relationship and power imbalance increases the intrusiveness of the measure as employees may feel a lack of control or choice, surveilled by their employer or concerned about use for other employment purposes.
  • There is some risk of scope creep as information collected for safety purposes could be useful for other employment purposes (monitoring performance, time management, disciplinary actions), even if not part of the original reasons for using the system.
  • Everyone who enters the worksite will be scanned, including those who accidentally enter. There will not be an opt-out/alternative set up because it would undermine the integrity of the system.
  • There is a possibility of false negatives which could be disruptive or alarming for a worker who would have to then challenge the automated decision. Busy Machinery will need to provide a way for human oversight and review of any automated alerts.

Busy Machinery considers the benefit outweighs the residual privacy risk:

  • The benefit to Busy Machinery from improved management of health and safety risks and a reduction in unauthorised access justifies the privacy risk posed by the system. The importance of improved health and safety contributes to this benefit substantially outweighing the privacy risk.

Busy Machinery considers cultural impacts on Māori:

  • Some workers are Māori and wear moko, so there is culturally sensitive/tapu information that will be captured by the FRT system (even though the FRT system will not be analysing the moko specifically).
  • The FRT system will not be optional and there will be no opt-out, which could raise tikanga issues around obtaining free, prior informed consent and giving people control over their own information.
  • Busy Machinery decides to engage with all staff about the design of the system and specifically asks for feedback on potential cultural impacts so these can be addressed.

Overall proportionality: Busy Machinery considered the safeguards would meaningfully lower the overall risk and intrusiveness of the proposal to a level that would make the measure proportionate when weighed against the benefits and cultural impacts.

Rule 2: Source of biometric information

Biometric information (face image) is collected directly from the workers to enrol them in the database and a face image is captured for comparison each subsequent time they enter the worksite. Remote collection (e.g. by an FRT camera) is still considered direct collection for the purposes of rule 2.

Rule 3: Collection of information from individual

Busy Machinery will comply with rule 3 by informing the workers of the purpose of collection, that there is no alternative option, etc. as part of the consultation before using the system. It will also give workers a plain language written statement at the time that they enrol in the system. Any new potential workers will be fully informed about the system before starting work.

A sign will also be installed at the entrance to the site so that anyone new to site also receives the information required by rule 3. Having a sign also reminds workers of the system operation and mitigates the need to re-notify them if they haven’t been to site in a while. 

Rule 4: Manner of collection

Busy Machinery is collecting information by lawful means. It does not expect to collect any biometric information of children or young people. 

Consulting with workers and ensuring good transparency around when and how the biometric information is collected is one of the ways Busy Machinery ensures the manner of collection is lawful (e.g. compliant with obligations in employment law), fair and not unreasonably intrusive. It will also ensure cameras are not stationed at any areas where sensitive information, or information that is not necessary, would be collected – for example, no cameras in or pointing at the break room or bathrooms.

Rule 5: Storage and security of biometric information

Examples of steps Busy Machinery takes to protect the biometric information:

  • Robust access and audit controls for information collected through the FRT system.
  • Deleting the daily log of data once there is confirmation of no health and safety incident.
  • Not linking information collected through the FRT system with any other personal information of workers.
  • Strong technical protections for biometric information.

Rule 6: Access to biometric information

Busy Machinery will comply with requests from workers to access their biometric information, including letting them know that it holds both an image of the worker’s face and a biometric template created from the image.

Rule 7: Correction of biometric information

Busy Machinery will comply with requests to correct biometric information. For example, a worker might request to add a note to the system stating that they have an identical twin.

Rule 8: Accuracy, etc, of biometric information to be checked before use or disclosure

The way in which biometric information is being collected and used by Busy Machinery is unlikely to raise issues under rule 8, provided the system as a whole is operating at a highly accurate level.

Rule 9: Retention of biometric information 

Busy Machinery will delete the daily log of data once there is confirmation of no health and safety incident.

The photos of workers and face templates will be deleted once the relevant worker no longer requires access to the site as part of the off-boarding process.

Rule 10: Limits on use of information

Busy Machinery plans to only use the biometric information for the original purpose it collected it for and no other reason (as outlined in its strict FRT policy). 

The limits on biometric categorisation in rule 10 are not applicable as Busy Machinery is carrying out biometric identification not categorisation. However, as an example, if Busy Machinery wanted to detect or infer information about workers from their faces as part of their health and safety approach (e.g. to monitor attention or distraction), Busy Machinery would need to ensure it was compliant with the biometric categorisation limits and that doing so was necessary and proportionate. 

Rule 11: Limits on disclosure of biometric information

Busy Machinery may need to disclose information about a health and safety incident to a regulatory body such as WorkSafe. This would likely be permitted under the exception that allows disclosure for a directly related purpose. Busy Machinery includes this possibility in the information it gives workers under rule 3.

Busy Machinery does not intend to make any other disclosures to any other organisations (unless an exception applies).

Rule 12: Disclosure of biometric information outside New Zealand

Busy Machinery will not disclose biometric information outside New Zealand.

Rule 13: Unique identifiers

Busy Machinery will not assign a biometric template to employees as a unique identifier, so rule 13 is not engaged.