Serco has been ordered to stop using facial recognition technology to monitor its staff for “prioritising business interests over its employees’ privacy”.
The Information Commissioner’s Office (ICO) found that a division of the outsourcing company, Serco Leisure, and community leisure trusts were unlawfully processing the biometric data of more than 2,000 employees at 38 leisure facilities across the UK.
The watchdog said facial recognition and fingerprint scanning were routinely used to monitor workers’ attendance and then the subsequent payment for their time.
The ICO found the leisure centre operator failed to show why these methods were needed over “less intrusive” means, such as ID cards, and staff were not offered a clear alternative.
It released details of the case as it published new guidance on companies’ use of biometric data to bolster understanding of the technology and where users could fall foul.
John Edwards, the UK Information Commissioner, said: “Biometric data is wholly unique to a person so the risks of harm in the event of inaccuracies or a security breach are much greater – you can’t reset someone’s face or fingerprint like you can reset a password.
“Serco Leisure did not fully consider the risks before introducing biometric technology to monitor staff attendance, prioritising business interests over its employees’ privacy.
“There is no clear way for staff to opt out of the system, increasing the power imbalance in the workplace and putting people in a position where they feel like they have to hand over their biometric data to work there.
“This is neither fair nor proportionate under data protection law and, as the UK regulator, we will closely scrutinise organisations and act decisively if we believe biometric data is being used unlawfully.”
A Serco Leisure spokesman said: “This technology was introduced at the leisure centres we manage nearly five years ago to make clocking-in and out easier and simpler for colleagues.
“We engaged with our team members in advance of its rollout and its introduction was well-received by colleagues.
“The introduction also followed external legal advice which said use of the technology was permitted.
“Despite being aware of Serco Leisure’s use of this technology for some years, the ICO have only this week issued an enforcement notice and requested that we take action.
“We now understand this coincides with the publication of new guidance for organisations on processing of biometric data which we anticipate will provide greater clarity in this area.
“We take this matter seriously and confirm we will fully comply with the enforcement notice.”