UK Regulator Takes Strong Action Against Use of Biometric Recognition Technology

The Information Commissioner’s Office (ICO) has recently issued Enforcement Notices to Serco Leisure Operating Limited, Serco Jersey Limited, and seven associated community leisure trusts, ordering them to cease using facial recognition technology and fingerprint scanning for employee attendance. This move comes as the ICO continues to crack down on the use of biometric recognition technology.

The ICO’s investigation into Serco and the trusts found them in breach of UK GDPR, as they failed to establish a lawful basis and special category personal data processing condition for the biometric data they were processing. The use of biometric technology, such as facial recognition and fingerprint scanning, has been increasing in various industries, and it is vital for organisations to ensure they are compliant with data protection legislation.

Serco had been using biometric technology since May 2017, processing the data of more than 2,000 employees at 38 leisure facilities. Although they claimed that previous attendance systems were prone to human error and abuse, the ICO found their use of biometric data to be unnecessary and disproportionate.

The ICO’s new guidance on the use of biometric recognition systems provides detailed information on how data protection law applies to such systems. It covers topics such as processing biometric data lawfully and fairly, ensuring accuracy, transparency, and security of the data, and dealing with data subject rights requests. The guidance emphasizes the importance of obtaining explicit consent when processing biometric data and highlights that alternative options should be provided for those who decline consent or object to the processing.

The enforcement action taken by the ICO serves as a warning to the industry that the use of biometric technologies must be carefully assessed. Organisations must consider the necessity of processing biometric data and ensure that less intrusive means are not suitable before resorting to biometric technology. Furthermore, robust data protection impact assessments and appropriate policy documents must be in place when processing biometric data, particularly in an employment context.

The ICO’s intervention in this case demonstrates the regulator’s commitment to holding organisations accountable for their use of biometric data and demanding evidence of proportionality and necessity. This sends a clear message to all organisations using or considering biometric recognition technology to ensure compliance with data protection legislation and guidelines.
