The UK Information Commissioner’s Office (ICO) has issued a biometric recognition enforcement notice against Serco Leisure (Serco Leisure enforcement notice) for its unlawful use of facial recognition technology (FRT) and fingerprint scanning to monitor employee attendance.

Serco Leisure enforcement notice order

In the enforcement notice, the commissioner’s office ordered Serco Leisure and the associated trusts to urgently take the following action:

  • immediately cease all processing of biometric data for monitoring employee attendance at work; and
  • destroy all non-essential biometric data.

Timeline to comply

The commissioner’s office gave Serco Leisure three months to comply with the order in the Serco Leisure enforcement notice. This means that Serco Leisure must implement the above orders by 19 May 2024. Failure to comply with the enforcement notice could result in a penalty notice under section 155(1)(b) of the DPA 2018, requiring payment of an amount up to £17,500,000 or 4% of Serco Leisure’s total annual worldwide turnover, whichever is the higher.

Commissioner’s findings

According to the commissioner’s statement, Serco Leisure and the associated trusts were unlawfully processing the biometric data of over 2,000 employees for the following reasons:

  • lack of necessity and proportionality. Serco and the trusts failed to demonstrate why FRT and fingerprint scanning were necessary or proportionate to the task of monitoring attendance. This violated the principles of data minimisation and purpose limitation. The commissioner found that less intrusive alternatives to attendance monitoring existed.
  • absence of a clear opt-out. The trusts did not offer employees a clear alternative to using the FRT and fingerprint scanners. Because the system was presented as mandatory for receiving pay, employees were effectively obliged to use it, which raised concerns about coercion and the absence of informed consent.

The commissioner found that these actions were in contravention of articles 5, 6, and 9 of the GDPR and sections 4 and 6 of the DPA.

What you can learn from the Serco Leisure enforcement notice

You can learn several things from the commissioner’s biometric recognition enforcement notice.

  • Ensure that you carefully consider the necessity and proportionality when using sensitive data like biometrics. Less intrusive alternatives should be explored and implemented whenever possible.
  • Obtaining informed consent is crucial when collecting and processing personal data, especially sensitive data like biometrics. This means individuals should be informed about how their data is collected, used, and stored, and they should have a genuine choice to opt out if they wish.
  • You have a responsibility to mitigate potential risks associated with data collection. This includes ensuring the accuracy of biometric identification systems and addressing potential biases in the technology.
  • Be transparent about your data practices. Clearly explain how you collect, use, and store personal information in your privacy policy. The privacy policy must be readily available to your data subjects; your website is a good place for it.

Actions you can take

To avoid receiving a similar enforcement notice, responsible parties should: