Biometric technology used to track employee attendance has also given rise to a host of data privacy concerns. Regardless of the benefits, the collection of biometric data makes the individual vulnerable to threats – misuse, theft, data leakage and an erosion of human dignity. Unlike passwords, which can be reset, biometric features cannot be replaced when stolen.

Biometric data can be used to identify the people from whom it was collected. The data can be stored on a person’s device, but is also recorded in a central database. Should such data be freely collected, and how can people be assured that it will not be misused?

It is no surprise that the collection and use of biometric data has led to heightened public and regulatory concern about the risk to privacy. Most countries, however, have no specific provisions in data privacy laws that solely address the collection and use of biometric data. In some jurisdictions, additional protections and restrictions regarding the collection and use of “sensitive data” exist.

READ MORE: New Hong Kong privacy chief vows to balance flow of information

The city has witnessed the increased adoption and use of biometric technology by the private sector, and a few instances of misuse have led to investigations by the privacy watchdog. In May 2014, for example, it came to light that an investment company had required all female staff to provide blood samples for DNA testing in a misguided attempt to investigate toilet hygiene complaints. This July, a fashion trading company was reprimanded for the collection of employees’ fingerprint data. In both cases, the collection of data was found to have been excessive, as the sensitive nature of the data was disproportionate to the purpose of collection, and less intrusive measures for collection were available.

In an employer-employee context, even if the collection of biometric data may be justified and proportionate, alternative options should still be provided (e.g. password access instead of a fingerprint scan). Otherwise, consent cannot really be said to be voluntary or “fair” for the purposes of the law.

READ MORE: Data privacy is the new frontier

Hong Kong is one of the first Asian jurisdictions where a regulator has issued specific guidelines on the collection and use of biometric data. Even though the “Guidance Note”, issued in July by the Office of the Privacy Commissioner for Personal Data is not legally binding, and a breach of its provisions will not constitute an offence, the regulator will probably take into account any data users’ non-compliance when determining whether a breach of the law has occurred.

Advancements in biometric technology have rendered everyday transactions more convenient and efficient. As more “bits” of us are being captured, compressed and used to enable daily transactions, what safeguards do we need to have in place, and how will they differ from one place to another?

For now it seems that more blood, sweat and tears will be needed to achieve the elusive balance between greater efficiency and security through the use of biometric data, versus safeguarding privacy, human dignity and, ironically, the security of such data.

Gabriela Kennedy is a partner at Mayer Brown JSM, where Karen H. F. Lee is a senior associate