ICO orders Serco to stop using facial recognition technology to monitor staff

The Information Commissioner’s Office (ICO) has recently ordered Serco Leisure to stop using facial recognition technology (FRT) and fingerprint scanning to monitor employee attendance, following an investigation which found that Serco had been unlawfully processing the biometric data of more than 2,000 employees at 38 leisure facilities for the purpose of attendance checks and payment for their time.

The ICO found that Serco had failed to show why it is necessary or proportionate to use FRT and fingerprint scanning for this purpose, noting that less intrusive means were available such as ID cards or fobs, but no alternatives were offered. The employees were not given clear information about how they could object, and the ICO found that there was an imbalance of power between the employer and employees, such that employees may not have felt able to object, even if they were informed that they could.

Serco sought to rely on its legitimate interest as a lawful basis for processing the data, but it did not give enough weight to the intrusive nature and the risks to employees, so the ICO found that it could not rely legitimate interests.

The ICO commented “Serco Leisure did not fully consider the risks before introducing biometric technology to monitor staff attendance, prioritising business interests over its employees’ privacy. There is no clear way for staff to opt out of the system, increasing the power imbalance in the workplace and putting people in a position where they feel like they have to hand over their biometric data to work there.”

The enforcement notices against Serco were issued on the same day as the ICO published new guidance on the use of biometric recognition systems. The guidance explains how data protection law applies when you use biometric data, aimed an organisations who currently use or are considering using biometric recognition systems.  The guidance notes that explicit consent is likely to be the most appropriate condition, whilst recognising that consent can be difficult to obtain in an employer-employee context as employees may feel they have no choice but to agree. The ICO comments that this does not mean that employers can never rely on consent, but they need to ensure that they are offering a genuine choice.

Speak to our Data Protection Specialists