Biometric Attendance Monitoring gets the thumbs down
At the end of February, the Information Commissioner ordered Serco Leisure to stop using facial recognition and fingerprint scanning to check attendance and authorise pay. This followed an investigation affecting 38 leisure centres and over 2000 staff.
What happened?
Serco was unable to show that the practice was fair, proportionate, and necessary. The Information Commissioner concluded that risks had not been fully considered and business interests had been prioritised over employees’ privacy.
The Information Commissioner, John Edwards, commented on the case, saying “…Biometric technologies cannot be deployed lightly. Organisations must mitigate any potential risks that come with using biometric data, such as errors identifying people accurately and bias if a system detects some physical characteristics better than others.”
In a separate judgement, Clearview AI Inc was fined £7.5 million and ordered to destroy the UK personal data it had been found to hold unlawfully. Clearview had ‘scraped’ over 20 billion images from the internet to build a global online database for clients including police forces. However, people had not been informed that their images were being collected or used in this way.
So, what’s the real issue for employers?
In the words of the Information Commissioner, “Biometric data is wholly unique to a person so the risks of harm in the event of inaccuracies or a security breach are much greater – you can’t reset someone’s face or fingerprint like you can reset a password.”
If you use – or are contemplating – biometric access technologies, you need to ensure:
- You have identified and minimised risk by conducting a data processing impact assessment.
- You can demonstrate use is necessary – not just useful, desirable or convenient.
- Use is proportionate, legally compliant and there are no less intrusive alternatives.
- You have specifically recognised that biometric data is special category personal data.
- Security considerations are integral to data collection, use, retention, and disposal.
- You are being transparent with staff about the intended use.
- Should staff object, you can offer an alternative, less intrusive process.
More extensive guidance is available from the Information Commissioner.
Wrapping up
GDPR and the UK Data Protection Act are six years old in May. Have you reviewed your staff data protection provisions during this time? You can be fined up to £20 million for serious infringements. Moorepay can help you conduct an audit to ensure you’re legally compliant. Find out more on our HR & Employment Law Services page, or check out our Knowledge Centre for more information about GDPR.