
Information watchdog issues guidance on compliant use of biometric data after hitting Serco companies with enforcement notices

The Information Commissioner’s Office (ICO) has published guidance on compliance with data protection law for all organisations that are considering using people’s biometric data.

Publication of the guidance comes as the ICO revealed it had issued enforcement notices against Serco Leisure, Serco Jersey and seven associated community leisure trusts to stop using facial recognition technology (FRT) and fingerprint scanning to monitor employee attendance.

The watchdog said an investigation had found that Serco Leisure and the trusts had been unlawfully processing the biometric data of more than 2,000 employees at 38 leisure facilities for the purpose of attendance checks and subsequent payment for their time.

“They failed to show why it is necessary or proportionate to use FRT and fingerprint scanning for this purpose, when there are less intrusive means available such as ID cards or fobs,” the ICO said.

It added that employees had not been proactively offered an alternative to having their faces and fingers scanned to clock in and out of their place of work, and it had been presented as a requirement in order to get paid.

The ICO warned of an “imbalance of power” between Serco Leisure and its employees, suggesting that it was unlikely that they would feel able to say no to the collection and use of their biometric data for attendance checks.

The enforcement notices require the Serco organisations to stop all processing of biometric data for monitoring employees’ attendance at work, as well as to destroy all biometric data that they are not legally obliged to retain.

This must be done within three months of the enforcement notices being issued, the ICO said.

John Edwards, UK Information Commissioner, said: “Biometric data is wholly unique to a person so the risks of harm in the event of inaccuracies or a security breach are much greater - you can’t reset someone’s face or fingerprint like you can reset a password.

“Serco Leisure did not fully consider the risks before introducing biometric technology to monitor staff attendance, prioritising business interests over its employees’ privacy. There is no clear way for staff to opt out of the system, increasing the power imbalance in the workplace and putting people in a position where they feel like they have to hand over their biometric data to work there.

“This is neither fair nor proportionate under data protection law, and, as the UK regulator, we will closely scrutinise organisations and act decisively if we believe biometric data is being used unlawfully.”

Edwards added: “This action serves to put industry on notice that biometric technologies cannot be deployed lightly. We will intervene and demand accountability, and evidence that they are proportional to the problem organisations are seeking to solve.

“Our latest guidance is clear that organisations must mitigate any potential risks that come with using biometric data, such as errors identifying people accurately and bias if a system detects some physical characteristics better than others.”

A Serco Leisure spokesperson said: “We value the hard work of all our team members delivering services for our customers.

“This technology was introduced at the leisure centres we manage nearly five years ago to make clocking-in and out easier and simpler for colleagues. We engaged with our team members in advance of its roll-out and its introduction was well-received by colleagues. The introduction also followed external legal advice which said use of the technology was permitted.

“Despite being aware of Serco Leisure's use of this technology for some years, the ICO have only this week issued an enforcement notice and requested that we take action. We now understand this coincides with the publication of new guidance for organisations on processing of biometric data which we anticipate will provide greater clarity in this area.

“We take this matter seriously and confirm we will fully comply with the enforcement notice.”

Last year, the ICO also published guidance on monitoring employees.