ICO tells Serco Leisure to stop ‘unlawfully’ using facial recognition and fingerprint data to monitor staff
The Information Commissioner’s Office (ICO) has ordered public service provider Serco Leisure and its trusts to stop using facial recognition technology and fingerprint scanning to monitor employee attendance.
Following an investigation, the ICO said Serco Leisure was “unlawfully” processing the biometric data of more than 2,000 employees at 38 leisure facilities.
The regulator said the business was using the data to monitor the attendance of its staff for subsequent payment for their time.
The ICO said the employees were not offered an alternative to having their faces and fingers scanned to clock in and out of their place of work as it was presented as a requirement in order to get paid.
The regulator said that due to the imbalance of power between Serco Leisure and its employees, it is unlikely that they would feel able to say no to the collection and use of their biometric data for attendance checks.
Serco Leisure, Serco Jersey and seven associated community leisure trusts failed to show why it is necessary or proportionate to use people’s biometric data, when there are less intrusive means available such as ID cards or fobs.
The business has now been issued with an enforcement notice by the ICO to stop all processing of biometric data of its employees. They were also informed to destroy all biometric data that they are not legally obliged to retain.
The business and trusts must do this within three months of the enforcement notices being issued.
This enforcement action comes as the ICO published new guidance for all organisations that are considering using people’s biometric data.
Commenting on the decision, John Edwards, UK Information Commissioner said: “Biometric data is wholly unique to a person so the risks of harm in the event of inaccuracies or a security breach are much greater – you can’t reset someone’s face or fingerprint like you can reset a password.”
“Serco Leisure did not fully consider the risks before introducing biometric technology to monitor staff attendance, prioritising business interests over its employees’ privacy. There is no clear way for staff to opt out of the system, increasing the power imbalance in the workplace and putting people in a position where they feel like they have to hand over their biometric data to work there.”
“This is neither fair nor proportionate under data protection law, and, as the UK regulator, we will closely scrutinise organisations and act decisively if we believe biometric data is being used unlawfully,” he added.