General Data Protection Regulation (GDPR) , Identity & Access Management , Security Operations
Privacy Watchdog Cracks Down on Biometric Employee Tracking
Leisure Center Operators Ordered to Stop Using Facial and Fingerprint Recognition
A private company that runs dozens of British community leisure centers must stop using facial recognition and fingerprint scanning to track employees.
The U.K. Information Commissioner's Office found Serco Leisure and seven trusts with which it works had been "unlawfully processing the biometric data of more than 2,000 employees at 38 leisure facilities for the purpose of attendance checks and subsequent payment for their time."
Serco Leisure, based in Leicester, England, manages a number of leisure centers, roughly analogous to U.S. rec centers. The regulator's probe focused on 38 of them: 37 in England and one on the Channel Island of Jersey. The limited company is fully owned by publicly traded British multinational Serco, which earned $5.7 billion in revenue in 2021.
The company faces no fine, provided it complies with the notice. "We take this matter seriously and confirm we will fully comply with the enforcement notice," a Serco spokesperson told Information Security Media Group in a statement.
The ICO on Friday published new guidance for any organization considering using biometric recognition, meaning using "biometric data to uniquely identify someone." The regulator said it issued the guidance in part because the term is not defined by current data protection laws.
In Serco's case, the ICO said Friday that the company had failed to demonstrate why using facial recognition technology and fingerprint scanning was "necessary or proportionate" and that by doing so it had violated the U.K. General Data Protection Regulation.
"Biometric data is wholly unique to a person so the risks of harm in the event of inaccuracies or a security breach are much greater - you can't reset someone's face or fingerprint like you can reset a password," said U.K. Information Commissioner John Edwards. "Serco Leisure did not fully consider the risks before introducing biometric technology to monitor staff attendance, prioritizing business interests over its employees' privacy."
"There have been a number of warnings that facial recognition and fingerprints are problematic," said attorney Jonathan Armstrong, a partner at Cordery Compliance. "Most data protection regulators don't like technology like this when it is mandatory for employees. If you're looking at this you'll need a solid data protection impact assessment setting out why the tech is needed, why there are no better solutions, and what you're doing to minimize the impact on those affected."*
The ICO served Serco with a preliminary enforcement notice over the matter on Nov. 7, 2023.
Questions about the extent to which employers can monitor employees surged during the pandemic. Many of those queries centered on presence monitoring, especially as once office-bound companies had been forced to let employees work remotely.
Serco's use of biometrics predated the pandemic. For leisure center employees to clock in and out, the company first began using facial recognition technology made by SWT Software Limited, trading as ShopWorks, in May 2017, when it began operating a site that already used it. The company trialed the technology for other leisure center employees in 2018 and rolled it out more widely in 2019 and again in November 2022.
The Serco spokesperson said the company had vetted the new system with employees and that "the introduction also followed external legal advice which said use of the technology was permitted." The company said it welcomed "the publication of new guidance for organizations on processing of biometric data which we anticipate will provide greater clarity in this area."
According to the ICO's investigation, the ShopWorks facial recognition equipment registers an employee by taking three pictures of their face and using them "to create a biometric map based on the employee's facial features," which is stored in encrypted form together with their employee ID number. When an employee clocks in or out, the system confirms their identity locally and does not send the biometric data to a ShopWorks server. It sends only the time and the employee ID number, confirming that their identity was verified.
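The data flow the ICO describes, modeled as an added example (not ShopWorks or Serco code): enrollment turns three captures into a template kept encrypted beside the employee ID on the terminal, and a clock-in verifies against that template locally, emitting a record that carries only the employee ID and a timestamp. The feature vectors, the similarity threshold and the stdlib-only at-rest cipher (HMAC-SHA256 in counter mode with an HMAC tag, standing in for a real AEAD such as AES-GCM) are all assumptions made for the illustration; the sample captures are constructed.

```python
"""Minimal model of an on-terminal biometric clock-in with a minimized
server payload. Illustration only: the template format, threshold and
cipher construction are assumptions, not the vendor's design."""
import hashlib
import hmac
import json
import math
import os
import time

MATCH_THRESHOLD = 0.95  # assumed cosine-similarity threshold for a match
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 driven in counter mode. A placeholder for a real AEAD.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag.
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("template record failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def enrol(key: bytes, employee_id: str, captures: list[list[float]]) -> bytes:
    """Three captures are averaged into one template and sealed with the ID."""
    if len(captures) != 3:
        raise ValueError("enrollment expects exactly three captures")
    dim = len(captures[0])
    template = [sum(c[i] for c in captures) / 3 for i in range(dim)]
    record = json.dumps({"employee_id": employee_id, "template": template}).encode()
    return seal(key, record)


def cosine(a: list[float], b: list[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm


def clock_event(key: bytes, sealed_record: bytes, probe: list[float], now=None):
    """Verify locally; on success return only what the server needs.

    The decrypted template never leaves this function. A non-match yields
    no event at all rather than a partial record."""
    record = json.loads(unseal(key, sealed_record))
    if cosine(record["template"], probe) < MATCH_THRESHOLD:
        return None
    ts = int(time.time() if now is None else now)
    return {"employee_id": record["employee_id"], "timestamp": ts}


# Constructed sample: a 3-dimensional "face" vector stands in for a real embedding.
SAMPLE_KEY = hashlib.sha256(b"terminal-at-rest-key (demo)").digest()
SAMPLE_CAPTURES = [[1.0, 0.0, 0.1], [0.9, 0.1, 0.0], [1.0, 0.0, 0.0]]

if __name__ == "__main__":
    rec = enrol(SAMPLE_KEY, "E1042", SAMPLE_CAPTURES)
    print(clock_event(SAMPLE_KEY, rec, [1.0, 0.0, 0.0], now=1700000000))
    print(clock_event(SAMPLE_KEY, rec, [0.0, 1.0, 0.0], now=1700000000))
```

The point the test checks is the minimization boundary: the only fields that cross to the server are the employee ID and the timestamp, and a tampered record is refused rather than matched. Note that this design does nothing to answer the ICO's objection, which was about necessity and proportionality of collecting the template at all, not about how carefully it was stored.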
The privacy watchdog first began investigating Serco's use of biometrics in 2019, after receiving a complaint. Following the ICO's inquiries, Serco in 2020 produced a data protection impact assessment and a legitimate interests assessment, which stated that using biometrics was a contractual necessity and in employees' legitimate interest.
After conducting a full investigation, the regulator disagreed, saying Serco's conclusions showed "a lack of understanding" of the country's data protection requirements. "There are less intrusive means available such as ID cards or fobs," although the company offered employees no such options, the ICO said.
"Due to the imbalance of power between Serco Leisure and its employees, it is unlikely that they would feel able to say no to the collection and use of their biometric data for attendance checks," the ICO said.
Serco told the ICO it had introduced biometrics checks to counter abuse of previous clock-in and clock-out approaches, including "buddy punching," which involves radio-frequency identification cards being kept in communal areas and used inappropriately, as well as "falsified time cards," which refers to the fraudulent use of manual sign-in sheets.
"Serco did not provide any figures or evidence indicating the number of employees abusing the system," the ICO said.
"Tech like this has to be the last resort not the first and this is likely to be an area of even greater focus with the rise in AI applications," Cordery's Armstrong told ISMG. "Just because we can now use tech like this doesn't mean to say we should."
*Update Feb. 26, 2024 20:51 UTC: Adds additional comment.