The Information Commissioner’s Office has issued enforcement notices ordering Serco Leisure and sports centres it operates to stop biometric attendance monitoring, including facial recognition and fingerprint scanning when workers clock in and out.
An ICO investigation found that Serco Leisure, Serco Jersey and seven community leisure trusts have been unlawfully processing the biometric data of more than 2,000 employees at 38 leisure facilities to monitor attendance and subsequently calculate their pay.
The ICO said that they failed to show why it is necessary or proportionate to use facial recognition technology and fingerprint scanning when less intrusive means are available such as identity cards or fobs.
Attendance monitoring
In-depth: When does keeping tabs on working time overstep the line?
It said employees have not been proactively offered an alternative to having their faces and fingers scanned to clock in and out of their place of work, and that biometric attendance monitoring was a requirement to get paid.
The ICO has now issued enforcement notices instructing Serco and the trusts to stop all processing of biometric data for monitoring employees’ attendance at work, as well as to destroy all biometric data that they are not legally obliged to retain. This must be done within three months of the enforcement notices being issued.
John Edwards, UK information commissioner, said: “Biometric data is wholly unique to a person so the risks of harm in the event of inaccuracies or a security breach are much greater – you can’t reset someone’s face or fingerprint like you can reset a password.
“Serco Leisure did not fully consider the risks before introducing biometric technology to monitor staff attendance, prioritising business interests over its employees’ privacy. There is no clear way for staff to opt out of the system, increasing the power imbalance in the workplace and putting people in a position where they feel like they have to hand over their biometric data to work there.
“This is neither fair nor proportionate under data protection law, and, as the UK regulator, we will closely scrutinise organisations and act decisively if we believe biometric data is being used unlawfully.”
The enforcement action comes as the ICO published new guidance for organisations considering using people’s biometric data, outlining how organisations can comply with data protection law when using biometric data to identify people.
A Serco Leisure spokesman said: “This technology was introduced at the leisure centres we manage nearly five years ago to make clocking in and out easier and simpler for colleagues. We engaged with our team members in advance of its rollout and its introduction was well-received by colleagues.
“The introduction also followed external legal advice which said use of the technology was permitted. Despite being aware of Serco Leisure’s use of this technology for some years, the ICO have only this week issued an enforcement notice and requested that we take action.
“We now understand this coincides with the publication of new guidance for organisations on processing of biometric data which we anticipate will provide greater clarity in this area. We take this matter seriously and confirm we will fully comply with the enforcement notice.”
Professor Keiichi Nakata, director of AI at Henley Business School’s World of Work Institute, said: “The key issue in this case is that Serco did not provide any alternatives for their employees to using biometric data. Some people might be willing to be subjected to biometric identification for the sake of convenience in exchange for their personal data, but this is not universal.
“This case warns employers against introducing technologies without due care and empathy towards employees – especially when there are concerns about intrusion on their privacy. As such, this is not only the issue of non-compliance to GDPR but also poor employee management.”
The ICO enforcement notices on the use of biometric attendance monitoring were issued to Serco Leisure Operating, Serco Jersey, Birmingham Community Leisure, Bolton Community Leisure, Maidstone Leisure Trust, More Leisure Community Trust, Northern Community Leisure Trust, Shropshire Community Leisure Trust, and Swale Community Leisure.
In October 2023, the ICO issued guidance for employers on workplace monitoring, including any tracking of remote workers’ activities.
Sign up to our weekly round-up of HR news and guidance
Receive the Personnel Today Direct e-newsletter every Wednesday
HR roles in hospitality and leisure on Personnel Today
Browse more HR roles in hospitality and leisure
