The UK public service provider Serco Leisure, Serco Jersey and seven associated community leisure trusts have been ordered to stop using facial recognition technology (FRT) and fingerprint scanning to monitor employee attendance.
In an investigation, the Information Commissioner’s Office (ICO) found that Serco Leisure and the trusts had unlawfully processed the biometric data of more than 2,000 employees at 38 leisure facilities to check their attendance and to calculate the subsequent payment for their working time.
“Biometric data is wholly unique to a person so the risks of harm in the event of inaccuracies or a security breach are much greater – you can’t reset someone’s face or fingerprint like you can reset a password,” said John Edwards, UK Information Commissioner. “This is neither fair nor proportionate under data protection law.”
Fingerprint scanning to monitor work hours
According to the ICO, Serco Leisure and the trusts failed to demonstrate that using FRT and fingerprint scanning to monitor their employees was necessary or proportionate, given that ‘less intrusive’ options such as ID cards and fobs were available.
The employees were also not offered an alternative to having their faces and fingers scanned to clock in and out of their working hours. It was rather presented “as a requirement in order to get paid”.
With the findings, the ICO has now issued enforcement notices to Serco Leisure and the trusts, instructing them to stop processing biometric data when monitoring the employees’ attendance. They must also destroy all biometric data that they are not legally obliged to keep. All must be done within three months.
“Serco Leisure did not fully consider the risks before introducing biometric technology to monitor staff attendance, prioritising business interests over its employees’ privacy. There is no clear way for staff to opt out of the system, increasing the power imbalance in the workplace and putting people in a position where they feel like they have to hand over their biometric data to work there,” Edwards added.
Nine enforcement notices to stop the processing were sent to:
- Serco Leisure;
- Serco Jersey;
- Birmingham Community Leisure Trust Limited;
- Bolton Community Leisure Limited;
- Shropshire Community Leisure Trust Limited;
- More Leisure Community Trust Limited;
- Northern Community Leisure Trust Limited;
- Maidstone Leisure Trust Limited; and
- Swale Community Leisure.
“This action serves to put industry on notice that biometric technologies cannot be deployed lightly. We will intervene and demand accountability, and evidence that they are proportional to the problem organisations are seeking to solve.”
Guidance on biometric data
At the same time, the ICO has published new guidance for organizations considering the use of biometric data, outlining how to comply with data protection law.
“Our latest guidance is clear that organisations must mitigate any potential risks that come with using biometric data, such as errors identifying people accurately and bias if a system detects some physical characteristics better than others,” Edwards said.
Guidance on monitoring employees was also published last year, outlining organizations’ legal obligations as well as employees’ rights to privacy.