Welcome to GRIP, Global Relay’s new digital information service on practical compliance and regulatory change.

Please enjoy this free trial of our subscription content service, for a limited time only.

  

Serco Leisure banned from using facial recognition technology to monitor employees

A woman swims in a pool.
Photo: Leon Neal/Getty Images

Martina Lindberg

 Click to share on Facebook (Opens in new window) Click to share on Twitter (Opens in new window) Click to share on LinkedIn (Opens in new window) Click to share on WhatsApp (Opens in new window)

Biometric data of more than 2,000 employees at 38 leisure facilities had been unlawfully processed.

The UK public service provider Serco Leisure, Serco Jersey and seven associated community leisure trusts have been ordered to stop using facial recognition technology (FRT) and fingerprint scanning to monitor employee attendance. 

In an investigation, the Information Commissioner’s Office (ICO) found that the Serco Leisure and the trusts had unlawfully processed biometric data of more than 2,000 employees at 38 leisure facilities to check their attendance and to calculate subsequent payment for their work time. 

“Biometric data is wholly unique to a person so the risks of harm in the event of inaccuracies or a security breach are much greater – you can’t reset someone’s face or fingerprint like you can reset a password,” said John Edwards, UK Information Commissioner. “This is neither fair nor proportionate under data protection law.”

Fingerprint scanning to monitor work hours

According to the ICO, Serco Leisure and the trusts failed to manifest the necessary or proportionate reasons to use FRT and fingerprint scanning to monitor their employees – when there are ‘less intrusive’ options such as ID cards and fobs.

The employees were also not offered an alternative to having their faces and fingers scanned to clock in and out of their working hours. It was rather presented “as a requirement in order to get paid”.

With the findings, the ICO has now issued enforcement notices to Serco Leisure and the trusts, instructing them to stop processing biometric data when monitoring the employees’ attendance. They must also destroy all biometric data that they are not legally obliged to keep. All must be done within three months.

“Serco Leisure did not fully consider the risks before introducing biometric technology to monitor staff attendance, prioritising business interests over its employees’ privacy. There is no clear way for staff to opt out of the system, increasing the power imbalance in the workplace and putting people in a position where they feel like they have to hand over their biometric data to work there,“ Edwards added. 

“Biometric data is wholly unique to a person so the risks of harm in the event of inaccuracies or a security breach are much greater – you can’t reset someone’s face or fingerprint like you can reset a password.”

John Edwards, UK Information Commissioner

Nine enforcement notices to stop the processing were sent to:

  • Serco Leisure;
  • Serco Jersey;
  • Birmingham Community Leisure Trust Limited;
  • Bolton Community Leisure Limited;
  • Shropshire Community Leisure Trust Limited;
  • More Leisure Community Trust Limited;
  • Northern Community Leisure Trust Limited;
  • Maidstone Leisure Trust Limited; and
  • Swale Community Leisure.

“This action serves to put industry on notice that biometric technologies cannot be deployed lightly. We will intervene and demand accountability, and evidence that they are proportional to the problem organisations are seeking to solve.”

Guidance on biometric data

Simultaneously, the ICO has also published a new guidance for organizations that consider using biometric data, and has outlined how to comply with data protection law. 

“Our latest guidance is clear that organisations must mitigate any potential risks that come with using biometric data, such as errors identifying people accurately and bias if a system detects some physical characteristics better than others,” Edwards said.

A guidance on monitoring employees was also published last year, which outlined organizations legal obligations as well as the employees’ rights to privacy.

, , , , , ,

You may also like