Serco Leisure have been issued with an enforcement notice by the UK Information Commissioner’s Office (ICO) for unlawfully processing their employees’ biometric data through facial recognition technology and fingerprint scanning. What can we learn from this?

With a rise in remote working as the fallout from the COVID-19 pandemic continues, there has been a proliferation of workplace monitoring. Whether this be through email monitoring, keystroke logging or the recording of workplace calls, organisations are embracing new technologies to monitor their employees’ productivity and efficiency whilst working remotely or at their usual place of work.

However, employers must be mindful of data protection laws in doing so and consider whether they are intruding on their employees’ personal lives, ensuring their actions are both necessary and proportionate. To lawfully collect and process information about employees, a lawful basis must be identified. Additionally, if biometric data is collected, a further lawful condition must be identified as this is considered special category data. An example of non-compliance was explored in our previous article, Employee monitoring costs Amazon €32m.

The recent issuing of an enforcement notice by ICO on Serco Leisure serves as a warning to employers to ensure their monitoring purposes are both lawful and reasonable.

Serco leisure’s monitoring programme 

Serco Leisure, Serco Jersey and seven associated leisure trusts (together, ‘Serco’) have been ordered to stop using facial recognition technology (FRT) and fingerprint scanning by the ICO, who has determined that Serco have been unlawfully processing the biometric data of more than 2000 employees across 38 leisure facilities. 

Serco were using the biometric data of employees to monitor their attendance at work, and to determine their pay for time worked. The FRT system worked by registering employees onto an FRT scanner, having their photograph taken 3 times, the scanner turning the photos into a biometric map based on the employee’s facial features, and then holding this information alongside the employees’ names and staff numbers. 

Serco identified the lawful bases for processing as ‘contractual necessity’ and ‘legitimate interests’, with the relevant processing condition as ‘employment, social security and social protection’, stating they needed to process attendance data to comply with their legal obligations for working time and tax.

Whilst Serco claimed that alternatives would be considered if employees did not want to use the biometric technology, the ICO found that employees were not offered a clear alternative, nor a way to object to the processing. Moreover, the ICO considered that biometric data processing had been presented as a requirement to get paid and that objection could result in disciplinary action. Due to the imbalance of power between the employee and the employer, the ICO thought it was unlikely that employees would feel able to oppose the requirement. 

Serco also said that the processing of attendance data was necessary to ensure their employees were paid correctly. However, the ICO said that less intrusive means could have been used to verify attendance, like identification cards, key fobs, or sign-in and out sheets. Serco asserted that such methods were open to abuse but failed to provide evidence of widespread abuse. Serco also failed to demonstrate why disciplinary action against those abusing the system would not be sufficient (and did not produce an appropriate policy document explaining the steps they had taken to address such issues).

Serco failed to show why it was necessary or proportionate to collect biometric data and did not fully consider the risks, prioritising their business interests over their employees’ privacy. The ICO ordered Serco to stop using FRT and fingerprint scanning and requested that they destroy all biometric data within 3 months of the date of the enforcement notice.

New biometric data guidance 

The ICO has published timely new guidance in the wake of the enforcement action against Serco, for all organisations considering using biometric recognition systems, detailing how to process such data lawfully and fairly in light of the associated risks. Notably, the ICO has removed the Employment Practices Code from their website, which had not been updated since 1998, and is increasingly issuing separate guidance on various topics including, for example, this guidance on DSARs. It is likely that over time we will see an influx of additional guidance to assist employers, alongside new practical tools, and checklists.

The ICO’s biometric data guidance has emphasised the potential severity of biometric data breaches due to the sensitive nature of such data, which will always belong to the ‘special categories’ of data given extra protection. Biometric data is the result of specific technical processing on key features of a person’s physical identity that cannot easily be changed like facial features, eye shape and sound of voice. Biometric data used in a recognition system is a unique identifier which can link across multiple databases and result in an indefinite loss of control if not appropriately protected. Reverse engineering could possibly be used to identify the original biometric sample and infer some of a person’s characteristics. Biometric data breaches could therefore lead to identify theft and potentially result in financial harms. The processing of biometric data to uniquely identify a worker will therefore be high risk and a data protection impact assessment (DPIA) is required before any processing of this nature is started.

The ICO has also detailed how, when it comes to biometric data, it is likely that ‘explicit consent’ will be the only available justification for processing special category data. This consent must be affirmed with a clear statement, whether written or oral, and freely given, with an opportunity for the individual to refuse consent without detriment, as well as being offered a suitable alternative. 

Key takeaways

• Employers should clearly identify their lawful bases for processing biometric data. Their methods must be proportionate and necessary, meaning if there are less intrusive ways to achieve their purpose, such methods should be used.
• Employers should ensure appropriate policies and procedures are in place before embarking on any monitoring. System accuracy, possible discrimination, transparency, security and how to respond to rights requests will be important factors to consider.  
• Employers must carry out a DPIA where their processing is likely to result in a high risk to employees’ rights and freedoms. This will always be triggered where biometric recognition systems are utilised. 
• Employers should make employees aware of the nature, extent and reasons for monitoring, and offer them an alternative or the opportunity to object to the monitoring without detriment. 
• Employers should seek explicit consent from employees in a clear statement to the processing of biometric data. For best practice, this should be a written statement.
• The enforcement notice highlights how employee monitoring cannot be implemented without careful consideration, and that ICO will intervene to ensure any measures are necessary and proportionate.