Tsaaro got CERT-IN Empanelled | MeitY has published the DPDP Rules, 2023.

Research Team (Tsaaro)

What Exactly Are We Talking About?
Biometric attendance systems collect physiological data like fingerprints, iris scans, and facial recognition data to track when employees arrive and leave. Many of these systems also collect additional information like timestamps and geo-location data. On the surface, this sounds like a reasonable administrative tool. The problem is that biometric data is not like your employee ID number or your email address. It is deeply personal, it is permanent, and it belongs to your body.
When this kind of data is mishandled, the damage is not just financial. It can enable identity theft, real-time tracking, and even hyper-personalised surveillance where your physical presence in a space is used to profile your habits, preferences, and behaviour. If biometric data is leaked or sold to third parties, it can be used for purposes as invasive as identifying individuals the moment they enter a store and tailoring their entire experience based on their past behaviour and emotional state. The risks, in other words, go far beyond a data breach notification email.
The Legal Landscape in India
India does not have one single law that directly governs biometric data at the workplace. Instead, several overlapping frameworks together create a patchwork of protections. Some are strong, some are vague, and some leave significant gaps.
The Digital Personal Data Protection Act, 2023 (DPDP Act) requires organisations to collect only the data they need, use it only for the purpose it was collected for, and delete it once that purpose is over. Employees have the right to access their biometric data, request corrections, and ask for it to be erased. If an employer refuses or fails to comply, the employee can file a complaint with the Data Protection Board of India. It is important to note that the DPDP Act does not specify a fixed retention period, but some compliance guidance and industry best practice suggest that biometric data should be deleted within sixty to ninety days after employment ends, once payroll and audit requirements are satisfied.
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, made under the IT Act, classify biometric data as Sensitive Personal Data. This means employers must obtain explicit consent before collecting it and must inform employees of what the data will be used for, how it will be stored, and what security measures are in place. Employers are also required to implement strong technical protections such as encryption and access controls.
The Aadhaar Act, 2016 is particularly relevant in government contexts. It explicitly treats biometric data as sensitive personal data under Section 30, and limits Aadhaar-based biometric authentication to government subsidies and services. Private employers are not permitted to require Aadhaar biometrics for attendance or payroll purposes. Employees must give free and informed consent, and they retain the right to withdraw that consent at any time, with employers obliged to provide reasonable alternatives like ID badges.
The Government Sector: A Closer Look at AEBAS
The Aadhaar Enabled Biometric Attendance System, or AEBAS, is used in central government offices in India. Its policy manual states that user organisations must comply with the Aadhaar Act, the IT Act, and the Data Protection Act, which sounds reassuring in principle. However, the same policy also allows attendance data to be used for government data analytics "as and when required." This is a sweeping exception that opens the door to uses of biometric data that go well beyond simple attendance tracking.
A circular dated August 7, 2025, issued by the Indian Audit and Accounts Department under the Office of the Principal Accountant General (Audit), Punjab, directed all employees to mandatorily mark their attendance through AEBAS. It warned that non-compliance could attract disciplinary action. This directive shows that employees in government offices actually have no meaningful choice but to comply. The concept of "voluntary consent" becomes hollow when refusal means disciplinary proceedings.
Private Workplaces: The Consent Myth
In private workplaces, the situation is arguably worse. Employers often position biometric data collection as part of the employment agreement itself, treating a fingerprint scan as no different from submitting your bank details or a photograph during onboarding. But this comparison does not hold up. Bank details can be changed. A fingerprint cannot.
The power imbalance between employers and employees makes the idea of genuine consent deeply problematic. When an employee is told to register their biometrics for their employment, their agreement is not truly voluntary. It is compelled. Courts and regulators internationally have begun to recognise this, but Indian law has not yet explicitly addressed the issue of coerced biometric consent in private workplaces.
There is also the issue of function creep, where data collected for one purpose gradually begins to be used for others. Biometric attendance systems often capture metadata like geo-location and timestamps. Without strong legal safeguards, this data can be used to build detailed profiles of employees' movements and behaviour, turning an attendance tool into a surveillance system.
Schools and Minors: A Serious Regulatory Gap
Perhaps the most concerning application of biometric attendance systems is in schools. Many schools in India have implemented fingerprint and facial recognition systems for students, often with minimal attention to the distinct legal and ethical issues that arise when the subjects are children.
Children have a unique legal status. They cannot give meaningful informed consent on their own behalf, and their biometric data carries risks that extend across their entire lifetime. A data breach affecting a child's fingerprint or facial scan today could have consequences decades from now.
Despite this, there is a lack of school-specific biometric guidance in Indian law. There is no dedicated law governing how schools should collect, store, and delete student biometric data. Common problems include vague or non-existent parental consent forms, absence of data security protocols, and ad hoc sharing of student data with third-party vendors without proper confidentiality agreements.
A real-world example illustrates both the problem and the path forward. Bhartiyam Public School in Jaipur implemented a biometric attendance system to reduce administrative workload, but quickly found itself facing concerns from parents about data privacy and potential misuse. Before proper legal guidance was sought, the school's consent forms were vague, data security was minimal, and staff had not been trained on data protection obligations. After a thorough compliance audit, the school revised its consent forms to obtain explicit parental consent, implemented security protocols, and trained teachers on their responsibilities. The outcome was a system that parents and staff could trust. The lesson is clear: in the case of minors, the stakes are too high to cut corners.
Recent Cases Worth Noting
Indian courts have begun weighing in on biometric data, though the jurisprudence is still developing. In January 2026, the Patna High Court upheld Aadhaar-based facial recognition and GPS attendance in medical colleges, ruling that it did not violate the right to privacy in that specific context, framing it as a matter of good governance.
However, a more nuanced ruling came in Vinod Kumar Meena v. LIC in 2025, where the Madhya Pradesh High Court acknowledged the limitations of biometric verification, noting that it is not always reliable and that failures can occur for reasons entirely beyond an individual's control. The Court held that identity verification should be supplemented by alternative documents and that sole reliance on biometric systems can be unjust.
The Supreme Court, in an earlier hearing on Aadhaar-related petitions, flagged something important: if biometric authentication is attached to every transaction, it creates a detailed aggregation of citizen metadata that can be collated and used for surveillance. The Court specifically warned the UIDAI about this risk, and the concern remains just as relevant today in workplace contexts.
What the World Is Doing Differently
India is not alone in dealing with these questions, and looking at international practices could offer some useful perspective.
The European Union's General Data Protection Regulation (GDPR) treats facial recognition and biometric data as a special category of sensitive data under Article 9, attracting the highest level of protection. Employers cannot rely on employee consent alone due to the power imbalance inherent in the employment relationship. They must show that collecting biometric data is strictly necessary and proportionate, supported by a Data Protection Impact Assessment. Individuals have strong rights to access, deletion, and objection, and violations attract significant fines.
The US state of Illinois has enacted the Biometric Information Privacy Act (BIPA), possibly one of the strongest biometric privacy laws in the world. BIPA requires written notice of what data is being collected and why, explicit written consent before collection, a publicly available retention and deletion policy, and a strict prohibition on selling or profiting from biometric data. Most powerfully, BIPA gives individuals a private right of action, meaning that employees can sue employers directly for violations, with statutory damages available even without proving actual harm.
In 2019, in the Australian case Lee v Superior Wood, the Fair Work Commission ruled that an employee had been unfairly dismissed after refusing to provide fingerprint data for a new attendance system. The Commission found that the employer had not complied with privacy laws governing the collection of sensitive information, establishing an important precedent: employees can refuse biometric data collection on privacy grounds, and employers cannot punish them for it.
All these laws share a common thread: biometric data demands exceptional care, consent must be meaningful, and individuals must have real remedies when things go wrong.
What Needs to Change: Recommendations
Based on the issues and gaps identified, several measures are needed to bring biometric attendance systems into genuine compliance and to protect the rights of employees and students.
First, India needs explicit legislation that places biometric data outside the scope of routine "legitimate business use." Collecting a fingerprint or a facial scan should require a higher threshold of justification than collecting a phone number.
Second, consent must be made meaningful. Employers should be legally required to provide alternative, non-biometric methods of attendance verification. An employee who declines to provide biometric data should not face professional consequences. The Australian precedent in Lee v Superior Wood offers a useful model.
Third, privacy-by-design must become mandatory. Organisations using biometric systems should be required to store only encrypted templates rather than raw images or scans, and to use the data strictly for the stated purpose. Systems should include automated deletion once the purpose ends, strong encryption (such as AES-256), role-based access controls, and tamper-proof audit logs.
Fourth, schools must be specifically regulated. A dedicated framework for biometric data in educational institutions is urgently needed, covering explicit parental consent, data security obligations, restrictions on vendor sharing, and mandatory deletion schedules. A good example is the Digi Yatra policy, under which facial biometrics are deleted from airport databases within twenty-four hours of a passenger's flight; schools could adapt a similar rule. Converting attendance records into physical copies for storage would be a better alternative than retaining them in digital form.
Fifth, employees and parents need real remedies. Following the BIPA model, individuals should have the right to file complaints and seek compensation without having to prove specific financial harm. The Data Protection Board of India must be adequately resourced and empowered to act on complaints swiftly.
Finally, organisations must conduct Data Protection Impact Assessments before deploying biometric systems, appoint Data Protection Officers where required, and ensure that contracts with third-party vendors include strong confidentiality and breach notification obligations.
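Two of the recommendations above, automated deletion once the purpose ends and a tamper-proof audit log, can be shown concretely. The following is an added illustration written for this article, not code from any product or from Tsaaro; it assumes a hypothetical in-memory store, uses the ninety-day post-employment window mentioned in the DPDP section as the retention period, and leaves encryption at rest and access control out of scope.

```python
import hashlib
from datetime import date, timedelta

RETENTION_DAYS = 90  # upper end of the 60-90 day post-employment window cited above

class TemplateStore:
    """Hypothetical store: biometric templates keyed by employee id, with scheduled
    deletion and a hash-chained (tamper-evident) audit log."""

    def __init__(self):
        self.records = {}       # employee_id -> {"template": bytes, "delete_on": date or None}
        self.audit_log = []     # (event, chain_hash) tuples in insertion order
        self._prev = "0" * 64   # genesis value the chain starts from

    def _audit(self, event):
        # Each hash covers the previous hash plus this event, so altering or removing
        # any earlier entry changes every later hash and is caught by verify_log().
        self._prev = hashlib.sha256(f"{self._prev}|{event}".encode()).hexdigest()
        self.audit_log.append((event, self._prev))

    def enrol(self, employee_id, template):
        # Only the derived template is stored; the raw scan is never retained.
        self.records[employee_id] = {"template": template, "delete_on": None}
        self._audit(f"enrol:{employee_id}")

    def record_exit(self, employee_id, exit_iso):
        # The purpose ends at exit; deletion is due once the retention window has run.
        due = date.fromisoformat(exit_iso) + timedelta(days=RETENTION_DAYS)
        self.records[employee_id]["delete_on"] = due
        self._audit(f"exit:{employee_id}:{exit_iso}")

    def purge(self, today_iso):
        # Automated deletion: remove every template whose deadline has passed.
        today = date.fromisoformat(today_iso)
        gone = sorted(e for e, r in self.records.items()
                      if r["delete_on"] is not None and r["delete_on"] <= today)
        for employee_id in gone:
            del self.records[employee_id]
            self._audit(f"purge:{employee_id}:{today_iso}")
        return gone

    def verify_log(self):
        # Recompute the chain from genesis; any edited or dropped entry breaks it.
        prev = "0" * 64
        for event, stored in self.audit_log:
            prev = hashlib.sha256(f"{prev}|{event}".encode()).hexdigest()
            if prev != stored:
                return False
        return True
```

In a real deployment the chain head would be anchored somewhere the system operator cannot rewrite (for example signed and shipped to a separate log service) so that a wholesale rebuild of the log is also detectable.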
Conclusion
Biometric attendance systems are not inherently wrong. Used carefully and governed properly, they can serve legitimate administrative purposes. But right now, in most Indian workplaces and schools, governance is simply not keeping pace with the technology. Weighing the pros against the cons, such sensitive data should not be put at risk simply for the sake of efficiency. Your fingerprint is not a password. It is a part of you. And the law needs to treat it that way.