At the very least, it must count as 'Personally Identifying Data' so all of the limits of the Data Protection Act would count (in the UK). Note that one of those provisions is a requirement for a reasonable reason to hold the specific data, so I can't see many employers having a legitimate reason to hold any biometric data - anything used for authentication purposes should presumably be limited to a hash?