THE LENS
Digital developments in focus

ICO’s Serco enforcement for biometric data use – what employers need to know

The Information Commissioner’s Office (ICO) has announced that Serco Leisure and associated organisations have been issued with enforcement notices ordering them to stop using facial recognition technology and fingerprint scanning to monitor employee attendance. Serco, as controller, had failed to establish a lawful basis for the processing under the UK General Data Protection Regulation (UK GDPR), had failed to satisfy the separate condition required for processing special category biometric data, and had consequently failed to process the data lawfully and fairly.

The employer had introduced biometric technology in order to monitor attendance, having found that manual sign-in sheets and radio-frequency ID cards were prone to error and had been used inappropriately. Because biometric data constitutes special category data when it is used to uniquely identify individuals (as it was in this case), under the UK GDPR the processing must be necessary, justified and proportionate, and an additional condition under Article 9 of the UK GDPR must also be satisfied.

The employer had produced a data protection impact assessment (DPIA) and a legitimate interests assessment, purporting to rely on the UK GDPR’s Article 6(1)(b) (contractual necessity) and Article 6(1)(f) (legitimate interests) processing grounds. It stated that the processing was necessary to ensure employees were paid correctly for the time they had worked. For the additional condition for special category biometric data, it sought to rely on Article 9(2)(b) (“employment, social security and social protection”), on the basis that it needed to comply with regulations on working time, national living wage, right to work, and tax and accounting. The ICO rejected this analysis, finding that although recording attendance times might be necessary to fulfil obligations under employment contracts, the processing of biometric data was not necessary to achieve that purpose: less intrusive means could be used to verify attendance. The employer had failed to demonstrate why less intrusive methods were not appropriate, to provide evidence of widespread abuse of the alternative measures, or to explain why disciplinary action to curb that abuse had not been considered.

The employer had also failed to give appropriate weight to the intrusive nature of the monitoring and the risks to employees. Employees were not given clear information about how they could object to the processing, or about any alternative methods of monitoring attendance. On the contrary, the Standard Operating Procedure said that use of the biometric technology was a requirement and that employees could be subject to disciplinary action if they refused to use it. The enforcement notice also points out that, given the imbalance of power between the employer and its employees, even if employees had been informed that they could object to the processing, the ICO considered that they might not have felt able to do so.

In addition, the employer had failed to identify (including in its DPIA), at the time it began processing, the specific legal obligation or right on which it was relying. It had also failed to produce an appropriate policy document, which the Data Protection Act 2018 (Schedule 1) requires where an organisation relies on the employment condition under Article 9.

The ICO has also recently published new guidance on biometric data, explaining (for all organisations, including employers) how data protection law applies to the use of biometric data in biometric recognition systems.  Our colleagues in the Data Privacy team have posted a blog about this new guidance.

Analysis/commentary: The enforcement notice demonstrates the ICO’s ongoing focus on this area, not just on the use of biometric data but on employee monitoring generally, and its willingness to take action. In particular, the action emphasises that the ICO sets a high bar before intrusive processing will be deemed “necessary”. Last year the ICO issued guidance on monitoring workers; we covered this in our October 2023 Bulletin. The accompanying Press Release commented on the widespread view that monitoring in the workplace is intrusive. The guidance makes clear that the principles of fairness, transparency and accountability require employers to have policies and procedures in place and to bring them to the attention of employees on a regular basis, and that monitoring is unlikely to be necessary or proportionate if a less intrusive method is available. Employers should be aware that the use of biometric data is also coming under increasing focus from European data protection authorities; for example, the Spanish authority recently issued guidance that effectively prohibits employers’ use of biometrics for logging workers’ attendance.
