Tech News : Firm Ordered To Stop Employee Face-Scanning

Written by Pronetic

Pronetic is a leading provider of core IT support for ISO 27001, Cyber Essentials and Cyber Essentials Plus compliance.

February 28, 2024

The UK Information Commissioner’s Office (ICO) has ordered Serco Leisure to stop using facial recognition technology (FRT) and fingerprint scanning to monitor employee attendance.  

Not Necessary or Proportionate 

An ICO investigation found that public service provider Serco Leisure, Serco Jersey and seven associated community leisure trusts had been “unlawfully processing the biometric data of more than 2,000 employees at 38 leisure facilities for the purpose of attendance checks and subsequent payment for their time.”

The ICO said that Serco Leisure had failed to show why it was necessary or proportionate to use FRT and fingerprint scanning for this purpose. 

Alternative 

Also, the ICO made the point that Serco Leisure could have used less intrusive alternatives to achieve the same thing, such as ID cards or fobs. However, it was found that Serco Leisure had not proactively offered employees an alternative to having their faces and fingers scanned to clock in and out of their place of work, and this had been “presented as a requirement” in order for them to get paid.

Imbalance of Power … And Unlawful

The ICO’s investigation concluded that the compulsory biometric scanning system linked to attendance and pay used by Serco Leisure had left employees with no way to opt out, and feeling unable to decline the collection and use of their biometric data.

Crucially, the ICO found that this was “neither fair nor proportionate under data protection law.” 

Enforcement Notices 

The ICO has, therefore, issued Serco Leisure and its trusts with enforcement notices instructing them to stop all processing of biometric data for monitoring employees’ attendance at work, and to destroy all biometric data that they are not legally obliged to retain. The ICO says that “Biometric data is wholly unique to a person so the risks of harm in the event of inaccuracies or a security breach are much greater – you can’t reset someone’s face or fingerprint like you can reset a password.” 

Serco Leisure and the trusts have been given three months to comply. 

New Guidance About The Use Of Biometric Data 

In its reporting of the case, the ICO referred to the fact that it has just published new guidance on how organisations considering the use of people’s biometric data can comply with the law. The guidance can be found on the ICO’s website.

What Does This Mean For Your Business? 

In the case of Serco Leisure as reported by the ICO, the salient facts appear to be that the biometric system was disproportionate and intrusive, and that no alternatives were offered (there was no way to opt out). Also, a person’s biometric data (e.g. images of their face and their fingerprints) is legally regarded as their personal data and, as the ICO points out, the theft of biometric data in a breach would be far more damaging than the theft of passwords, which can be reset.

The takeaway for businesses is that, although biometric data may serve a business well in terms of accuracy, its use must be balanced against the law, and against employee morale and trust. Close attention must be paid to all aspects of data protection law in any case, but for businesses and organisations thinking about introducing a biometric system, a good starting point is to study and take note of the new “Biometric data guidance: Biometric recognition” guidelines on the ICO’s website.
