Biometric crackdown by UK regulator puts focus on big data at work

Thousands of employees’ biometric data must be deleted, according to a new ruling by the Information Commissioner’s Office. Serco, one of the UK’s largest employers, was told to stop using fingerprint scanners and facial recognition software for staff clocking on and off, in a warning that could force many other employers to change their practices.

The ICO found that thousands of people had their biometric data unlawfully processed at 38 leisure centres managed by Serco and gave the company three months to get its house in order. This comes after an Uber Eats driver received a financial payout from the delivery app for racial discrimination, as the facial recognition checks it forced drivers to undertake were not recognising people of colour. Some drivers were even dismissed when the app consistently failed to recognise them.

Serco was found to be in breach of GDPR by failing to show why it was necessary or proportionate to use biometric data for clocking in and out when there are less intrusive ways of achieving the same ends, such as ID cards or key fobs. Nor were employees offered an alternative to fingerprint and facial scanning; using the scanners was made a condition of being paid.

The information commissioner John Edwards warned other employers who may be committing the same breaches. He said:

“Biometric data is wholly unique to a person so the risks of harm in the event of inaccuracies or a security breach are much greater – you can’t reset someone’s face or fingerprint like you can reset a password. This is neither fair nor proportionate under data protection law, and, as the UK regulator, we will closely scrutinise organisations and act decisively if we believe biometric data is being used unlawfully.”

In 2020, Barclays scrapped an employee-tracking system that monitored employees at their desks and warned those who left their computers. The ICO has previously taken enforcement action in relation to biometric data and facial recognition. In May 2022, the watchdog fined the US-based Clearview AI £7.5m and ordered the data of UK residents be deleted from its systems after finding “serious breaches” of data protection law.

Other operators have followed the ICO’s guidance, including Virgin Active, which pulled biometric scanners from dozens of leisure centres. The Trades Union Congress warned in 2022 that the use of intrusive surveillance technology and artificial intelligence risked “spiralling out of control” without stronger regulation to protect workers.

What to do now:

  1. Review any biometric data collection processes
  2. Consider if biometric data is necessary or proportionate
  3. Ensure staff have other alternatives available
  4. Remove biometric data collection if it cannot be justified

Get to grips with data protection in today’s artificial intelligence world with our free webinar on Wednesday 22 May, 12pm UK time

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

James, CEO, VinciWorks