The UK Information Commissioner’s Office (ICO) has ordered Serco Leisure to stop using facial recognition technology (FRT) and fingerprint scanning to monitor employee attendance.
Not Necessary or Proportionate
An ICO investigation found that public service provider Serco Leisure, Serco Jersey and seven associated community leisure trusts had been “unlawfully processing the biometric data of more than 2,000 employees at 38 leisure facilities for the purpose of attendance checks and subsequent payment for their time.”
The ICO said that Serco Leisure had failed to show why it was necessary or proportionate to use FRT and fingerprint scanning for this purpose.
Alternative
The ICO also pointed out that Serco Leisure could have used less intrusive alternatives, such as ID cards or fobs, to achieve the same result. However, it found that Serco Leisure had not proactively offered employees any alternative to having their faces and fingers scanned to clock in and out of work; the scanning had been “presented as a requirement” in order for them to get paid.
Imbalance of Power … And Unlawful
The ICO’s investigation concluded that the compulsory biometric scanning system, linked to attendance and pay, had left Serco Leisure employees with no way to opt out and feeling unable to decline the collection and use of their biometric data.
Crucially, the ICO found that this was “neither fair nor proportionate under data protection law.”
Enforcement Notices
The ICO has, therefore, issued Serco Leisure and its trusts with enforcement notices instructing them to stop all processing of biometric data for monitoring employees’ attendance at work, and to destroy all biometric data that they are not legally obliged to retain. The ICO says that “Biometric data is wholly unique to a person so the risks of harm in the event of inaccuracies or a security breach are much greater – you can’t reset someone’s face or fingerprint like you can reset a password.”
Serco Leisure and the trusts have been given three months to comply.
New Guidance About The Use Of Biometric Data
In its reporting of the case, the ICO noted that it has just published new guidance on how organisations considering the use of people’s biometric data can comply with the law. The guidance is available on the ICO’s website.
What Does This Mean For Your Business?
In the Serco Leisure case as reported by the ICO, the salient facts were that the biometric system was disproportionate and intrusive, and that no alternatives were offered (there was no way to opt out). Also, a person’s biometric data (e.g. images of their face and their fingerprints) is legally regarded as their personal data and, as the ICO points out, the theft of biometric data in a breach is far more damaging than the theft of passwords, which can be reset.
The takeaway for businesses is that although biometric data may serve a business well in terms of accuracy, it must be balanced against the law and against employee morale and trust. Close attention must be paid to all aspects of data protection law in any case, but for businesses and organisations considering a biometric system, a good starting point is to study and take note of the new “Biometric data guidance: Biometric recognition” guidelines on the ICO’s website.