ICO orders Serco Leisure to cease facial recognition technology for employees
ICO orders Serco Leisure to halt biometric attendance monitoring after finding unlawful data processing. New guidelines released for organizations using biometric data, ensuring compliance with data protection regulations.
To monitor employee attendance, the UK Information Commissioner’s Office (ICO) has ordered Serco Leisure, a public service provider, Serco Jersey, and seven affiliated community leisure trusts to cease using fingerprint scanning and face recognition technology (FRT). The ICO’s investigation revealed unlawful processing of biometric data for over 2,000 employees across 38 leisure facilities.
It was also found that Serco Leisure failed to justify the necessity and proportionality of FRT and fingerprint scanning, lacking a demonstration of alternatives like ID cards or fobs. Employees were not offered alternatives and faced pressure, as biometric data was presented as a requirement for payment. The power imbalance made it difficult for employees to refuse biometric data collection for attendance checks. Enforcement notices from the ICO instruct Serco Leisure and trusts to halt biometric data processing for attendance monitoring and destroy non-legally mandated data within three months.
This enforcement measure coincides with the release of new guidance by the ICO aimed at organizations contemplating utilizing individuals’ biometric data. The guidance delineates how organizations can adhere to data protection regulations while employing biometric data for identification purposes.