In a blog post, the regulator said it had warned Serco Leisure, Serco Jersey and seven associated community leisure trusts to cease using the technology to track employees.
Staff have no clear way to opt out of the monitoring system, which increases the power imbalance in the workplace, the ICO said. Employees were not offered other less intrusive options to verify their attendance, such as ID cards.
The ICO has issued an enforcement notice telling Serco Leisure, a subsidiary of the services giant Serco, and related entities to cease using facial recognition for this purpose and to destroy all existing biometric data, other than that they are required to retain by law.
As a unique identifier of an individual, biometric data represents a unique security risk.
“Serco Leisure did not fully consider the risks before introducing biometric technology to monitor staff attendance, prioritising business interests over its employees’ privacy,” said information commissioner John Edwards.
“Biometric data is wholly unique to a person so the risks of harm in the event of inaccuracies or a security breach are much greater – you can’t reset someone’s face or fingerprint like you can reset a password.”
Serco Leisure has been unlawfully processing biometric data of more than 2,000 employees across 38 facilities, the ICO said, and had failed to justify why the use of this technology was necessary and proportional.
The ICO has also published new guidance on the legitimate use of biometric data by for organisations using biometric recognition systems and for vendors and developers of such systems, which include facial recognition, fingerprint, iris scanning, voice, ear and behavioural recognition technologies.
The action against Serco Leisure should “put industry on notice that biometric technologies cannot be deployed lightly”, said Edwards.
“We will intervene and demand accountability, and evidence that they are proportional to the problem organisations are seeking to solve.”
Recently Edwards warned that companies playing fast and loose with data protection measures would be “not be profitable.”
We have asked Serco Leisure for comment.
Wanda Parisien is a computing expert who navigates the vast landscape of hardware and software. With a focus on computer technology, software development, and industry trends, Wanda delivers informative content, tutorials, and analyses to keep readers updated on the latest in the world of computing.
