The diffusion of new technologies in productive organizations has raised the problem of the legitimacy of the use of equipment capable of being used for purposes of remote control of workers and capable of memorizing and combining a large quantity of information on their lives and their work habits.
As is known, one of the delegated decrees of the Jobs Act intervened on this matter, rewriting art. 4 of the Workers' Statute on the regulation of remote controls of workers in order not to penalize the use of new technological tools and, at the same time, be able to offer renewed protection to privacy and personal dignity, providing for a necessary coordination with the Privacy Code.
In particular the new art. 4 of the Workers' Statute:
- eliminates the general prohibition of remote control of workers. Moreover, the checks are allowed only for the purposes predetermined by the law: which leads to the exclusion of the legitimacy of the use of equipment whose purpose is to allow remote checks on the workers.
- while simplifying the previous concertation-authorisation procedure, maintains the possibility of installing such equipment only for defensive remote controls, i.e. for proven organizational and production needs, occupational safety and protection of company assets.
- excludes from the concertation-authorization procedure, as well as from the predetermined purposes, the use of the tools necessary to perform the work performance (so-called work tools such as tablets and smartphones) when the possibility of control is strictly inherent to them, as well as the installation of tools for access and attendance registration (badge).
- allows the data collected through unintentional checks and those on work tools and attendance records to be used for all purposes connected with the employment relationship, provided that the worker is given adequate information on the methods of use of the tools and execution of the controls, in compliance with the provisions of the Privacy Code.
The possibility of using the data provided by technological tools (for work and not) for all purposes related to the employment relationship is therefore subordinated, within the ambit of art. 4 of the Workers' Statute, to inform the worker about the methods of use of the tools and to carry out checks and to respect the privacy code (legislative decree 196/2003).
In this context, particular attention must be paid to the use of biometric data, i.e. data concerning biological characteristics (such as fingerprints, the vein structure of the hand or fingers, the vascular structure of the retina, the shape of the iris ) or behavioral (such as the dynamics of signing, the type of gait, the timbre of the voice) of a person and allow their unique identification.
This is sensitive information which denotes a close relationship between the body and the identity of a subject and which therefore needed a specific provision from the Privacy Guarantor (November 12, 2014) with the adoption of Guidelines on the processing of biometric data .
From the provision of the Guarantor it is clear that the generalized and indiscriminate use of biometric data cannot be considered lawful, even if functional to summary security needs or for administrative purposes. The installation of technological detection equipment, for example of the image of the iris or the retina, is only permitted to guard access to "sensitive areas", in consideration of the nature of the activities carried out (such as dangerous production processes or areas subject to secret industrial) or heritage protection (such as rooms for the custody of confidential documents or valuables) or to allow the use of dangerous equipment and machinery only to qualified persons; the fingerprint or voice emission can be used for computer authentication (access to databases or company PCs), the graphometric signature for signing computer documents.
In cases where it is permitted, the processing of biometric data still requires enhanced privacy protection, for which the principle of necessity must first of all apply: information systems and computer programs must therefore be configured by minimizing the use of personal data and identification data.
Before proceeding with the use of a biometric system, therefore, it is necessary to evaluate whether the same purposes can be pursued through anonymous data or through the biometric system but in such a way as to allow the identification of the worker only in case of need.
With regard to the use of a biometric system for the control of work activity pursuant to art. 4 of the Workers' Statute, it will be necessary to distinguish the biometric systems functional to rendering work or allowing access to particular areas of the company, subject to the regulation of the concertation-authorization procedure, from those merely accessories of the instrumentation necessary to perform the work.
In both cases, the companies will in any case be required to comply with the privacy guarantees, as well as inform the workers in advance about the characteristics of the device and the relative methods of use, as well as the performance of the checks and the possibility of using the information acquired for disciplinary measures if a violation of the obligations deriving from the employment contract is identified.
