The Information Commissioner’s Office (ICO) has instructed Serco, a prominent government contractor, to discontinue the use of facial recognition technology (FRT) and fingerprint scans for monitoring its employees. The ruling affects more than 2,000 employees across 38 leisure facilities managed by Serco throughout the UK.
The ICO determined that Serco’s use of FRT and fingerprint scanning was not justified as necessary or proportionate under data protection laws. The company has been given three months to cease the use of this technology or face fines of up to £17.5 million or 4% of turnover.
John Edwards, the UK Information Commissioner, emphasized the unique risks associated with biometric data, highlighting that unlike passwords, facial features or fingerprints cannot be reset in case of inaccuracies or security breaches.
Serco’s leisure facilities operate on behalf of community trusts, local authorities, and Sport England. The ICO’s order extends to Serco Leisure, Serco Jersey, and seven community trusts associated with facility management.
The investigation revealed that employees were not provided with alternative methods for attendance monitoring, and the use of FRT and fingerprint scans was mandatory for payment purposes. Due to the power imbalance between Serco Leisure and its employees, individuals might feel compelled to consent to the collection and use of biometric data.
The ICO’s report highlighted a case where an employee raised concerns about the use of FRT but was not offered an alternative solution. Instead, the company arranged a meeting between the employee and the technology provider, ShopWorks, but insisted on the continued use of the system upon the employee’s return to work.
In response, a Serco Leisure spokesperson stated that the technology was introduced to simplify clocking-in and out procedures and was well-received by employees. However, they acknowledged the ICO’s enforcement notice and expressed readiness to comply fully.
The spokesperson also noted that the timing of the enforcement notice coincides with the release of new guidance on the processing of biometric data, which may offer additional clarity on the matter.
Serco affirmed its commitment to adhering to the ICO’s directives and ensuring compliance with data protection regulations regarding the use of biometric technology in the workplace.