Serco Leisure, Serco Jersey and seven associated community trusts were found to have unlawfully used facial recognition technology (FRT) and fingerprint scanning to monitor more than 2,000 employees’ attendance across 38 leisure facilities.
The ICO issued enforcement notices last week, instructing Serco Leisure and its trusts to stop processing employees’ biometric data, as well as to destroy its remaining data within three months.
This comes after the data watchdog published new biometric data guidance for employers last week (23 February), though this is the first time that the ICO has taken enforcement action against an employer.
The guidance explains what biometric data is and how employers can ensure that they remain compliant with UK GDPR.
Alexandra Mizzi, legal director at Howard Kennedy, told HR magazine: “The ICO's order shouldn't come as a surprise, since the legal requirements for use of biometric data by employers are very stringent.
“Any organisation wishing to process such data needs to have a lawful basis for doing so and a valid condition under the Data Protection Act.”
She added that these conditions are often not easily translated into employment settings because of the power imbalance between employers and employees.
Mizzi continued: “In this case, Serco attempted to rely on 'explicit consent' [as its condition] but for this to apply there must be a real choice for the employee, with a genuine and suitable alternative and the ability to refuse or withdraw consent at any time.
“Employers also need to consider whether relying on consent is appropriate, given the inevitable power imbalance.”
Mizzi noted that FRT also poses a discrimination risk.
She said: “Facial recognition technology can also be problematic from a discrimination standpoint, as it is much more likely to misidentify non-white individuals.
“Employers should consider these risks carefully when putting monitoring systems in place.”
Kate Palmer, employment services director at Peninsula, said that using biometric data not only poses a risk of non-compliance with data laws but could also risk employees’ trust in the company.
She told HR magazine: “Given that the very nature of biometric data means that it is more closely identified to a specific person, the risk of harm can be higher if there are inaccuracies or a security breach.
“There is also an implied duty of trust and confidence owed to each employee.
“If monitoring of employees breaches this implied duty, then an employee could resign and bring a constructive unfair dismissal claim.”
She noted that if employers want to progress with monitoring attendance, they should adopt the least invasive methods.
She said: “Other monitoring methods may be used by the company including clocking in and out systems or reviewing data from barrier gates where staff must swipe their ID card to gain entry.
“If the decision is made to progress with employee monitoring, then employees should be given detailed information including when their information will be obtained, why, how it will be used and to whom it will be disclosed.”
A spokesperson for Serco said: “Despite being aware of Serco Leisure's use of this technology for some years, the ICO have only [last] week issued an enforcement notice and requested that we take action.
“We now understand this coincides with the publication of new guidance for organisations on processing of biometric data, which we anticipate will provide greater clarity in this area.
“We take this matter seriously and confirm we will fully comply with the enforcement notice.”