Serco Leisure has been ordered to stop using facial recognition technology (FRT) and fingerprint scanning to monitor employee attendance by the UK Data Protection Authority.
The Information Commissioner’s Office (ICO) said the company illegally processed the biometric data of more than 2,000 employees at 38 sports and leisure facilities, under the UK’s data protection law.
Serco failed to demonstrate why it was necessary or proportionate to use FRT and fingerprint scanning, with the ICO stating that there are less intrusive means of checking attendance, such as attendance cards. identity or key fobs.
The company presented finger and face scanning as a condition of getting paid, with employees not being offered an alternative method of clocking in and out of their workplace.
“Due to the power imbalance between Serco Leisure and its employees, it is unlikely that they will feel able to say no to the collection and use of their biometric data for attendance control,” said l ‘ICO.
THE order also requires Serco Leisure and associated trusts to destroy any biometric data they are not legally required to retain within three months of the issuance of the demand letters.
UK Information Commissioner John Edwards said Serco’s use of FRT and fingerprint scanning was neither fair nor proportionate under data protection law.
“This action serves as a warning to the industry that biometric technologies cannot be deployed lightly. We will step in and demand accountability and proof that it is proportionate to the problem the organizations seek to solve,” Edwards warned.
Employers warned to carefully consider legal aspects of biometric technology
The ICO has issued new guidelines for employers on personnel surveillance, urging them to consider their legal obligations and their employees’ privacy rights before implementing such measures.
Edwards added that organizations should be particularly careful when considering the use of biometric data, due to potential risks such as errors in accurately identifying people and bias if a system detects certain physical characteristics better than others. ‘others.
In response to the ICO announcement, a spokesperson for Serco Leisure confirmed that the company would fully comply with the enforcement notice.
The spokesperson said the technology was rolled out five years ago to make clocking in and out easier and simpler for staff, and its introduction had been “well received”.
The company added that it had also received external legal advice indicating that use of the technology was permissible.
“Despite being aware of Serco Leisure’s use of this technology for some years, the ICO only this week published an enforcement notice and asked us to take action.
“We now understand that this coincides with the publication of new guidance for organizations on the processing of biometric data which we hope will provide greater clarity in this area,” acknowledged Serco.
A ICO survey published by October 2023, a fifth of UK adults believe they have been monitored by an employer, with 40% saying they have been subject to clocking and access monitoring.
Bryony Long, partner and co-head of the data, privacy and cybersecurity group at law firm Lewis Silkin, said the ICO’s decision is not a surprise given the issue of the obligation to obtain employee consent regarding the use of biometrics.
Long commented: “Viable alternatives to the use of biometrics must be offered to ensure that consent is freely given. In this context, the ICO’s findings are not surprising and should not come as a shock. »
She added that the ICO’s decision not to fine Serco demonstrates that the regulator is keeping its promise to review and use the full range of powers in its enforcement toolbox.