ICO Bans Biometric Data Monitoring

W.E.U Admin | Workplace Wellbeing
The Information Commissioner’s Office (ICO) has ordered the public service provider Serco Leisure to stop using biometric data to track employees’ attendance. This enforcement notice is part of the ICO’s broader action to ban leisure centres from using biometric data to monitor employees.
Serco Leisure, Serco Jersey and seven associated community trusts were found to have unlawfully used facial recognition technology (FRT) and fingerprint scanning to monitor more than 2,000 employees across 38 leisure facilities.
The ICO issued enforcement notices last week, instructing Serco Leisure and its trusts to stop processing employees’ biometric data and to destroy its remaining data within three months. This action follows the publication of new biometric data guidance for employers.
Legal Requirements Under UK GDPR
The guidance explains what biometric data is and how employers can ensure compliance with UK GDPR. Alexandra Mizzi, legal director at Howard Kennedy, emphasised the stringent legal requirements:
“Any organisation wishing to process such data needs to have a lawful basis for doing so and a valid condition under the Data Protection Act. In this case, Serco attempted to rely on explicit consent, but there must be a real choice for the employee, with a genuine and suitable alternative and the ability to refuse or withdraw consent at any time.”
Mizzi highlighted that these conditions are often challenging in employment settings due to the inherent power imbalance between employers and employees.
Discrimination Risks of Facial Recognition Technology
Mizzi noted that facial recognition technology poses a discrimination risk, as it is more likely to misidentify non-white individuals. Employers should carefully consider these risks when implementing monitoring systems.
Employee Trust and Alternative Monitoring Methods
Kate Palmer, employment services director at Peninsula, warned that using biometric data not only risks non-compliance but could also undermine employee trust:
“Biometric data is closely tied to an individual, so the risk of harm increases if there are inaccuracies or a security breach. There is also an implied duty of trust and confidence owed to each employee. If monitoring breaches this duty, an employee could resign and bring a constructive unfair dismissal claim.”
Palmer recommended adopting the least invasive methods, such as clocking in and out systems or reviewing data from barrier gates where staff swipe their ID card.
“If the decision is made to progress with employee monitoring, employees should receive detailed information, including when their information will be collected, why, how it will be used, and to whom it will be disclosed.”
Serco’s Response
A spokesperson for Serco stated: “Despite being aware of Serco Leisure’s use of this technology for some years, the ICO only last week issued an enforcement notice and requested that we take action. We understand this coincides with the publication of new guidance for organisations on processing biometric data, which we anticipate will provide greater clarity. We take this matter seriously and confirm we will fully comply with the enforcement notice.”
workersofengland.co.uk | Independent Workers Trade Union