Unlock the Editor’s Digest for free
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
Outsourcer Serco has been ordered to stop using facial recognition and fingerprint scanning to monitor attendance and pay staff as the UK watchdog cracks down for the first time on an employer processing the biometric data of its workers.
The Information Commissioner’s Office (ICO) found Serco Leisure, Serco Jersey and seven associated leisure trusts had been unlawfully processing the biometric data of more than 2,000 employees at 38 leisure facilities.
Despite controversy around the use of facial recognition technology, the Home Office last year outlined plans to potentially deploy new biometric systems nationally to allow police to track and find criminals.
The ICO said employees at Serco Leisure had not been offered a clear alternative to having their faces and fingers scanned to clock in and out, saying this had been presented as a requirement to get paid.
John Edwards, UK information commissioner, said this was “neither fair nor proportionate under data protection law”.
He added that Serco Leisure “did not fully consider the risks” and was “prioritising business interests over its employees’ privacy”. Biometric data was “wholly unique to a person” so the risks of harm in the event of inaccuracies or a security breach were much greater, Edwards said.
The ICO said it was unlikely staff would feel able to say no to the collection and use of their biometric data for attendance checks.
Serco Leisure said the company would “fully comply with the enforcement notice”.
The London-listed company added the technology had been introduced nearly five years ago to “make clocking in and out easier” and was “well-received by colleagues”.
Serco Leisure said the move had followed “external legal advice, which said the use of the technology was permitted”.
The ICO also ordered Serco Leisure and the trusts to destroy all biometric data that they are not legally obliged to retain.
The watchdog has previously taken enforcement action on biometric data.
In 2022, it fined Clearview AI more than £7.5mn for creating an online database that could be used for facial recognition using images of people collected from the internet and social media platforms.
The watchdog at the time ordered the company to stop obtaining and using the personal data of UK residents that was publicly available on the internet and to delete the data from its systems.
Privacy campaigners and independent academics have criticised facial recognition technology for being biased and inaccurate.
Madeleine Stone, senior advocacy officer at campaign group Big Brother Watch, said the ICO’s intervention was “welcome” but that it represented “a drop in the ocean given how common biometric surveillance is becoming in both workplaces and in public spaces across the country”.
The enforcement action came as the ICO published new guidance on using people’s biometric data, which included keeping it secure and complying with data protection obligations.
Edwards said the announcement “serves to put industry on notice that biometric technologies cannot be deployed lightly” and the ICO would “intervene and demand accountability”.
Read the full article here