Can Employers Use Biometric Tech to Track Employee Attendance?

18 April 2024

The recent Information Commissioner’s Office decision against Serco will require employers to review their company policy on the use of facial recognition technology and fingerprint scanning to check employees’ presence in the workplace.

The ICO ordered Serco to stop all biometric processing for monitoring employee attendance, and for all illegally obtained biometric data to be destroyed. Serco was given a three-month deadline to follow the enforcement notices. Failure to follow these notices can result in fines of up to £17.5 million or 4% of the company's worldwide turnover, whichever is higher.

Navigating the Regulatory Landscape

To be compliant, employers must follow GDPR guidelines. Personal data identifying the employee, such as contracts of employment and payroll records, must be processed lawfully, fairly, and transparently according to Article 5 UK GDPR. Furthermore, according to Article 6 UK GDPR, there must be a clear and lawful basis for the processing of any data collected.

Biometric data is classified as personal data as it identifies the employees’ unique personal and physical characteristics. This includes data obtained through scanning a person’s fingerprints or face. Article 9 UK GDPR requires employers to explain the special category processing condition.

Analysing the ICO’s Recent Decision

The ICO found Serco had breached legislation by unlawfully processing the biometric data of over 2,000 of their employees. Furthermore, the ICO did not accept that the processing of the data was necessary and/or contractually required under Article 6 of UK GDPR. The ICO’s position was that arguing necessity does not mean the processing was absolutely needed. Serco could have made use of far less intrusive methods, such as identity cards and/or electronic fobs, to effectively achieve the same result. Serco failed to provide evidence that these alternative methods were open to rife abuse. They also hadn’t considered using disciplinary procedures to deal with employees who abused the system, nor had they applied the balancing exercise under Article 6 to assess their legitimate interest against the employees’ fundamental freedoms.

On top of this, Serco had also failed to consult with their employees or give them an opportunity to object to the proposal. There was a clear imbalance of power between Serco, as the employer, and their employees. Serco had undertaken the mandatory Data Protection Impact Assessment, but the ICO found this too to be flawed due to the way it was dealt with under Section 9 UK GDPR.

Implications and Obligations for Employers

The ICO issued an enforcement notice against Serco for breach of Articles 5, 6 and 9 UK GDPR. There was a failure to establish a lawful basis and category for processing the personal biometric data. As such, the ICO ordered Serco to stop all biometric processing for monitoring staff attendance and to delete all illegally obtained biometric data, and gave them a three-month deadline to follow the enforcement notices.

Considering this decision, employers should take urgent action to review and update policies and procedures on monitoring staff attendance – particularly if biometric technologies are in use. If you require any further guidance on this matter, please do not hesitate to contact the HR and EL Advice Line Team for FREE on 01455 852 028.
