Privacy concerns | Major leisure firm ordered to stop using facial recognition tech to track staff attendance

Major leisure firm ordered to stop using facial recognition tech to track staff attendance

The UK's data watchdog has ordered a major leisure firm to axe its use of facial recognition and fingerprint scanning tech to monitor staff.

The Information Commissioner’s Office (ICO) ordered public service provider Serco Leisure, Serco Jersey and seven associated community leisure trusts to stop using facial recognition technology (FRT) and fingerprint scanning to monitor employee attendance.

The ICO’s investigation found that Serco Leisure and the trusts have been "unlawfully processing the biometric data of more than 2,000 employees at 38 leisure facilities for the purpose of attendance checks and subsequent payment for their time."

The watchdog said the firm had "failed to show why it is necessary or proportionate to use FRT and fingerprint scanning for this purpose, when there are less intrusive means available such as ID cards or fobs."

Read more from us

It added that employees have not been proactively offered an alternative to having their faces and fingers scanned to clock in and out of their place of work, and it has been presented as a requirement in order to get paid.

"Due to the imbalance of power between Serco Leisure and its employees, it is unlikely that they would feel able to say no to the collection and use of their biometric data for attendance checks" the ICO said.

An enforcement notice has now been issued instructing Serco Leisure and the trusts to stop all processing of biometric data for monitoring employees’ attendance at work, as well as to destroy all biometric data that they are not legally obliged to retain. This must be done within three months of the enforcement notices being issued.

'Business interests prioritised over employee privacy'

John Edwards, UK Information Commissioner, said: "Biometric data is wholly unique to a person so the risks of harm in the event of inaccuracies or a security breach are much greater - you can't reset someone's face or fingerprint like you can reset a password.

“Serco Leisure did not fully consider the risks before introducing biometric technology to monitor staff attendance, prioritising business interests over its employees’ privacy. There is no clear way for staff to opt out of the system, increasing the power imbalance in the workplace and putting people in a position where they feel like they have to hand over their biometric data to work there.

“This is neither fair nor proportionate under data protection law, and, as the UK regulator, we will closely scrutinise organisations and act decisively if we believe biometric data is being used unlawfully.”

The enforcement action comes as the ICO today publishes new guidance for all organisations that are considering using people’s biometric data. The guidance outlines how organisations can comply with data protection law when using biometric data to identify people.

Edwards added: “This action serves to put industry on notice that biometric technologies cannot be deployed lightly. We will intervene and demand accountability, and evidence that they are proportional to the problem organisations are seeking to solve.

“Our latest guidance is clear that organisations must mitigate any potential risks that come with using biometric data, such as errors identifying people accurately and bias if a system detects some physical characteristics better than others.”

A spokesperson for Serco said: “Despite being aware of Serco Leisure's use of this technology for some years, the ICO has only this week issued an enforcement notice and requested that we take action. We now understand this coincides with the publication of new guidance for organisations on processing of biometric data, which we anticipate will provide greater clarity in this area.

“We take this matter seriously and confirm we will fully comply with the enforcement notice.”

The ethics of employee surveillance

According to the ICO, almost one in five (19%) people believe that they have been monitored by an employer. If monitoring becomes excessive, it can easily intrude into people’s private lives and undermine their privacy.

Over two thirds (70%) of people surveyed by the ICO said they would find monitoring in the workplace intrusive and fewer than one in five (19%) people would feel comfortable taking a new job if they knew that their employer would be monitoring them.

With the rise of remote working and developments in the technology available, many employers are looking to carry out checks on workers, ranging from facial recognition tools to monitoring the keystrokes of employees. And many have found themselves in hot water as a result.

In January 2024, France’s data watchdog fined Amazon’s French arm more than £27million over what it described as an "excessively intrusive" surveillance system set up to monitor the performance of staff.

And back in 2020, accounting giants PwC came under fire for developing their own facial recognition tool to help them monitor staff working from home.The technology was designed to alert bosses when workers stepped away from their desks, including to make a drink or use the bathroom.

Similarly, banking giant Barclays piloted a computer monitoring system to log the “effectiveness” of employees when at their desks.

Just over a week later, the firm pulled the plug on the tracking system in response to negative “colleague feedback”.

Such incidents led the ICO to publish new guidance in October to help employers fully comply with data protection law if they wish to monitor their workers.

Aimed at employers across both the public and private sector, the guidance provides clear direction on how monitoring can be conducted lawfully and fairly. As well as outlining legal requirements, it also includes good practice advice to help employers build trust with their workers and respect their rights to privacy.

Emily Keaney, Deputy Commissioner - Regulatory Policy at the Information Commissioner’s Office, said: “Our research shows that today’s workforce is concerned about monitoring, particularly with the rise of flexible working - nobody wants to feel like their privacy is at risk, especially in their own home.

“As the data protection regulator, we want to remind organisations that business interests must never be prioritised over the privacy of their workers.

Transparency and fairness are key to building trust and it is crucial that organisations get this right from the start to create a positive environment where workers feel comfortable and respected.

Read more from us

“We are urging all organisations to consider both their legal obligations and their workers’ rights before any monitoring is implemented. While data protection law does not prevent monitoring, our guidance is clear that it must be necessary, proportionate and respect the rights of workers. We will take action if we believe people’s privacy is being threatened.”

Monitoring can include tracking calls, messages and keystrokes, taking screenshots, webcam footage or audio recordings, or using specialist monitoring software to track activity.

If an organisation is looking to monitor workers, it must take steps including:

  • Making workers aware of the nature, extent and reasons for monitoring.

  • Having a clearly defined purpose and using the least intrusive means to achieve it.

  • Having a lawful basis for processing workers data – such as consent or legal obligation.

  • Telling workers about any monitoring in a way that is easy to understand.

  • Only keeping the information which is relevant to its purpose.

  • Carrying out a Data Protection Impact Assessment for any monitoring that is likely to result in a high risk to the rights of workers.

  • Making the personal information collected through monitoring available to workers if they make a Subject Access Request (SAR).

The guidance provides an overview of how data protection law applies to the processing of personal data for monitoring workers. It also considers specific types of monitoring practices, including the use of biometric data to monitor timekeeping and attendance.

You are currently previewing this article.

This is the last preview available to you for the next 30 days.

To access more news, features, columns and opinions every day, create a free myGrapevine account.