Hacker News

It probably was one of those machines, thus was pretty low risk. The hashed data probably stayed on prem, thus was pretty low risk. I don't know, because when asked for literally any information at all beyond the three-short-paragraph 'privacy policy' provided (it had no information in it beyond the standard 'we can do what we want; we are not responsible for anything' stuff and nothing else), including why they were refusing to allow my husband to use the other options provided on the same hardware like an RFID card or punching in a code, they refused to give any info. All of the stuff I asked about to begin with was the sort of thing usually covered in FAQ pages for such products, so nothing particularly sensitive, and they refused. I also asked them for the model number of the hardware, clarifications about what the company's agreements with the vendor contained in relation to employee data, a proper privacy policy, brief information on whether they remediated their security issues after their last massive security breaches, whether they still ran on VB6, and some reasonably simple information again, and they would not say anything. They expected (reasonably, it turns out) people to sign a three-paragraph privacy policy without literally any of the information pertaining to the actual hardware, software, or governing contract involving their potentially extremely sensitive information. I don't care if the crappy scanners are about as high resolution as using the fingerprint features on a laptop and were salted and hashed, a workplace pushing that can actually just see me in court. It is not necessary. I don't actually care if it's one of the lower risk implementation options (for now!) because they shouldn't be allowed to demand any of this of staff in the first place, in my not at all humble opinion.
Even if they answered all my questions, and even if it were those lower risk implementations, he wouldn't have enrolled in it anyway, because as they were told from the start, privacy policies are as legally robust as pinky promises. Biometrics of any kind for bloody timesheets is mind-bogglingly ridiculous.

I didn't really expect an explanation, but I did ask why the business was prioritising something so expensive and seemingly unnecessary when they have three half-implemented tech solutions rolled out across the country that would improve productivity massively if finished. I was being rude asking them that, but I was curious, and they had continually responded to simple and clear questions and concerns about infosec with such garbage as 'but the whole company is doing it' and 'you're creating a lot more work for one of the ladies in the office because we're forcing you to use paper timesheets now instead of any of the logical options available to us. You should feel so bad at all the extra work you're making her do'. They couldn't even pretend to take the questions we asked seriously. They were the ones that kept interrogating as to why he was never going to allow it; the only reason these questions were asked was because they kept pushing. It was such an insulting waste of our time. Hell no can they be trusted. Aside from management and HR being rude, threatening, and patronising (hardly unique), it's otherwise a pretty good job he enjoys.


