July 13, 2024

Eight leisure operators have been issued with enforcement notices regarding the use of biometric data

The UK’s Information Commissioner’s Office says the activity breaches new data protection law. The warning relates to the use of fingerprint and facial recognition technology

The operators have been using biometrics for years to measure attendance. They must now desist and destroy all data

The ICO has singled out Serco Leisure in its press release relating to the ruling. HCM editor, Liz Terry, has challenged this decision to victimise Serco

The ICO has ruled that eight leisure operators have been unlawfully processing the biometric data of their employees to be used for attendance checks and the resulting salary payments.

Enforcement notices have been issued instructing the organisations in question to stop the processing of biometric data for monitoring employees’ attendance at work, as well as to destroy all biometric data that they are not legally obliged to retain within three months.

Enforcement notices have been issued to Serco Leisure, Serco Jersey, Birmingham Community Leisure Trust, Bolton Community Leisure, Shropshire Community Leisure Trust, More Leisure Community Trust, Northern Community Leisure Trust, Maidstone Leisure Trust and Swale Community Leisure.

The ICO argued that the trusts failed to show why it is necessary, or proportionate, to use facial recognition technology and fingerprint scanning when there are less intrusive means available, such as ID cards or fobs.

John Edwards, UK information commissioner at the ICO, said: “Biometric data is wholly unique to a person so the risks of harm in the event of inaccuracies, or a security breach, are much greater. You can’t reset someone’s face or fingerprint like you can reset a password.

The ICO has singled out Serco Leisure in making its ruling, press-releasing its decision with Serco as the lead subject line and in a statement Edwards continued this targeting of the company, saying: “Serco Leisure did not fully consider the risks before introducing biometric technology to monitor staff attendance, prioritising business interests over its employees’ privacy. There is no clear way for staff to opt out of the system, increasing the power imbalance in the workplace and putting people in a position where they feel like they have to hand over their biometric data to work there.

“This is neither fair nor proportionate under data protection law, and, as the UK regulator, we will closely scrutinise organisations and act decisively if we believe biometric data is being used unlawfully.”

A Serco Leisure spokesperson has defended its decision to implement the technology, pointing out that it has been in use for many years and that the ICO had been aware for some considerable time of the situation, but saying it’s taking the matter seriously and will fully comply with the enforcement notice.

“This technology was introduced at the leisure centres we manage nearly five years ago to make clocking-in and out easier and simpler for colleagues,” said Serco.

“We engaged with our team members in advance of its roll-out and its introduction was well-received by colleagues. The introduction also followed external legal advice which said use of the technology was permitted.

“Despite being aware of Serco Leisure’s use of this technology for some years, the ICO have only this week issued an enforcement notice and requested that we take action. We now understand this coincides with the publication of new guidance for organisations on processing of biometric data which we anticipate will provide greater clarity in this area.”

Liz Terry, editor of HCM said “We strongly question the ICO’s decision to single out Serco Leisure for such high-level publicity in relation to this ruling, given there are eight operators named in this action and all have been equally advised.

“Given the sensitive nature of this matter, it seems extremely unreasonable to do this, most especially as the timing of the ICO’s announcement coincides with the a launch of its new guidance note.

“It should not be the position of any Quango to victimise individual organisations and cause them reputational harm in this way.”

The ICO is funded through data protection fees and fines.


Leave a Reply

Your email address will not be published. Required fields are marked *