ICO Bans Serco Leisure's Use of Facial Recognition for Employee Attendance

Serco Leisure has been ordered to stop using facial recognition technology (FRT) and fingerprint scanning to monitor employee attendance by the UK’s data protection enforcement authority.

The Information Commissioner’s Office (ICO) said the company's processing of the biometric data of more than 2000 employees across 38 sporting and leisure facilities was unlawful under UK data protection law.

Serco failed to show why it was necessary or proportionate to use FRT and fingerprint scanning, with the ICO stating that there are less intrusive means of attendance checks, such as ID cards or fobs.

The firm presented the scanning of fingers and faces as a requirement to get paid, and employees were not offered an alternative method to clock in and out of their place of work.

“Due to the imbalance of power between Serco Leisure and its employees, it is unlikely that they would feel able to say no to the collection and use of their biometric data for attendance checks,” stated the ICO.

The order also requires Serco Leisure and associated trusts to destroy all biometric data they are not legally obliged to retain within three months of the enforcement notices being issued.

UK Information Commissioner John Edwards said that Serco’s use of FRT and fingerprint scanning was neither fair nor proportionate under data protection law.

“This action serves to put industry on notice that biometric technologies cannot be deployed lightly. We will intervene and demand accountability, and evidence that they are proportional to the problem organizations are seeking to solve,” warned Edwards.

Employers Warned to Carefully Consider Legalities of Biometric Tech

The ICO has published new guidance for employers on monitoring staff, urging them to consider their legal obligations and their employees’ rights to privacy before implementing such measures.

Edwards added that organizations must be particularly careful when considering the use of biometric data, due to potential risks such as errors in identifying people accurately and bias if a system detects some physical characteristics better than others.

Responding to the ICO’s announcement, a Serco Leisure spokesperson confirmed the company will fully comply with the enforcement notice.

The spokesperson stated that the technology was rolled out five years ago to make clocking-in and out easier and simpler for staff, and its introduction was “well-received.”

The company added it also received external legal advice which said the use of the technology was permitted.

“Despite being aware of Serco Leisure’s use of this technology for some years, the ICO have only this week issued an enforcement notice and requested that we take action.

“We now understand this coincides with the publication of new guidance for organizations on processing of biometric data which we anticipate will provide greater clarity in this area,” Serco acknowledged.

An ICO survey published in October 2023 found that a fifth of UK adults believe they have been monitored by an employer, with 40% claiming they’ve had timekeeping and access monitored.

Bryony Long, partner and co-head of the data, privacy and cyber group at law firm Lewis Silkin, said the ICO's decision comes as no surprise given the issue of forcing consent around the use of biometrics with employees.

Long commented: "Viable alternatives to the use of biometrics need to be offered to ensure consent is freely given. In this context, the ICO’s findings here are not surprising and shouldn’t come as a shock."

She added that the ICO's decision not to fine Serco demonstrates that the regulator is following through on its promise to consider and use the full range of powers in its enforcement toolkit.  
