The Information Commissioner’s Office (ICO) has ordered Serco Leisure to stop using facial recognition and fingerprint scanning technology to monitor employee attendance amid data concerns.
According to People Management the ICO, the UK’s independent body set up to uphold information rights reported that Serco Leisure ‘failed to show’ why using tech was ‘necessary or proportionate’ as legal experts advocate proper assessments before similar solutions are introduced.
The investigation revealed that the company had been ‘unlawfully’ processing the biometric data of more than 2,000 employees across 38 leisure facilities to monitor attendance, which was a requirement for workers to get paid.
Employees were allegedly not offered an alternative to the biometric scanning, which the ICO said created an “imbalance of power” between Serco and employees, adding employees were “unlikely to feel they would feel able to say no” to using the tech. The ICO said Serco failed to show why the technology was “necessary or proportionate” when “there are less intrusive means available such as ID cards or fobs”.
Despite being aware of Serco Leisure’s use of this technology for some years, the ICO has only recently issued an enforcement notice and requested that action be taken. This coincides with the publication of new guidance for organisations on the processing of biometric data.
The company had been ‘unlawfully’ processing the biometric data of more than 2,000 employees across 38 leisure facilities to monitor attendance, which was a requirement for workers to get paid
A Serco Leisure spokesperson said they introduced the biometric data almost five years agoto make clocking in and out easier for colleagues, however, they will adhere to the new guidelines. “We take this matter seriously and confirm we will fully comply with the enforcement notice.” Adding that the tech had been “well received by colleagues” and followed legal advice that said the use of the technology was permitted.
John Edwards, UK Information Commissioner from the ICO, said: “Biometric data is wholly unique to a person so the risks of harm in the event of inaccuracies or a security breach are much greater – you can’t reset someone’s face or fingerprint like you can reset a password.
“Serco Leisure did not fully consider the risks before introducing biometric technology to monitor staff attendance, prioritising business interests over its employees’ privacy. There is no clear way for staff to opt out of the system, increasing the power imbalance in the workplace and putting people in a position where they feel like they have to hand over their biometric data to work there.”
In the future, John Edwards warned that the ICO will demand that UK firms provide evidence that the use of such technologies is proportionate.
Last year, in an article by People Management, the ICO cited that: “Business interests must never be prioritised over the privacy of their workers”, publishing guidance for organisations to consider legal obligations and employees’ rights to privacy before implementing monitoring technology.
Further information on Data Protection and Surveillance can be found here
