Thousands of employees’ biometric data must be deleted, according to a new ruling by the Information Commissioner’s Office. Serco, one of the UK’s largest employers, was told to stop using fingerprint scanners and facial recognition software for staff clocking on and off, in a warning that could force many other employers to change their practices.
The ICO found that thousands of people had their biometric data unlawfully processed at 38 leisure centres managed by Serco and gave the company three months to get its house in order. This comes after an Uber Eats driver received a financial payout from the delivery app for racial discrimination, as the facial recognition checks it forced drivers to undertake were not recognising people of colour. Some drivers were even dismissed when the app consistently failed to recognise them.
Serco was found to be in breach of GDPR by failing to show why it was necessary or proportionate to use biometric data for clocking in and out, when there are less intrusive ways of achieving the same ends, such as ID cards or key fobs. Nor were employees offered an alternative to fingerprint and facial scanning, and submitting to the scans was made a requirement to get paid.
The information commissioner John Edwards warned other employers who may be committing the same breaches. He said:
“Biometric data is wholly unique to a person so the risks of harm in the event of inaccuracies or a security breach are much greater – you can’t reset someone’s face or fingerprint like you can reset a password. This is neither fair nor proportionate under data protection law, and, as the UK regulator, we will closely scrutinise organisations and act decisively if we believe biometric data is being used unlawfully.”
In 2020, Barclays scrapped an employee-tracking system that monitored employees at their desks and warned those who left their computers. The ICO has previously taken enforcement action in relation to biometric data and facial recognition. In May 2022, the watchdog fined the US-based Clearview AI £7.5m and ordered that the data of UK residents be deleted from its systems after finding “serious breaches” of data protection law.
Other operators have followed the ICO’s guidance, including Virgin Active, which pulled biometric scanners from dozens of leisure centres. The Trades Union Congress warned in 2022 that the use of intrusive surveillance technology and artificial intelligence risked “spiralling out of control” without stronger regulation to protect workers.
What to do now:
- Review any biometric data collection processes
- Consider if biometric data is necessary or proportionate
- Ensure staff have other alternatives available
- Remove biometric data collection if it cannot be justified