Serco Leisure, a public service operator, and seven affiliated leisure trusts have been directed by the Information Commissioner’s Office (ICO) to cease the use of facial recognition technology (FRT) and fingerprint scanning for monitoring employee attendance. The ICO’s enforcement notices were issued after the discovery that the biometric data of over 2,000 employees at 38 leisure facilities was being unlawfully processed for attendance verification and remuneration purposes.
The investigation uncovered that Serco Leisure and the associated trusts failed to justify the necessity or proportionality of using FRT and fingerprint scanning when alternative, less intrusive methods such as ID cards or fobs are available. Additionally, the employees were not given a clear choice other than having their faces and fingerprints scanned for clocking in and out of their workplace. This requirement was presented as mandatory for payment, leaving the employees in a vulnerable position due to the power imbalance between them and Serco Leisure.
In response to these findings, the ICO has issued enforcement notices mandating the cessation of all biometric data processing for employee attendance monitoring and the destruction of all biometric data that is not legally obliged to be retained. This action is to be completed within three months.
John Edwards, the UK Information Commissioner, expressed concern over the introduction of biometric technology without fully considering the associated risks, prioritising business interests over the privacy of the employees. He emphasized the need for a clear opt-out system for staff in order to address the existing power imbalance.
This enforcement action coincides with the publication of new ICO guidance for organisations considering the use of biometric data. The guidance outlines the necessary compliance measures for organisations using biometric data to identify individuals, emphasising the need to mitigate risks such as errors in identification and bias in physical characteristic detection.
It is important to note that the enforcement notices issued by the ICO relate to 38 Serco-operated leisure facilities where biometric data is being processed, and apply to both Serco Leisure and Serco Jersey, as well as seven community leisure trusts.
The ICO’s intervention serves as a reminder to companies that the deployment of biometric technologies should not be taken lightly. Organisations are expected to be accountable and to demonstrate that the use of biometric data is proportionate and addresses the problem at hand. Additionally, the ICO has previously called on organisations to consider the legal obligations and the privacy rights of employees before implementing any form of monitoring.
In conclusion, the ICO’s enforcement action against Serco Leisure and its associated trusts is a clear indication of the regulatory stance on the use of biometric data for attendance monitoring. It highlights the importance of considering the risks associated with such technologies and emphasises the need for organisations to prioritise the rights and privacy of their employees.