Biometric Attendance Monitoring gets the thumbs down | Moorepay
April 29, 2024

At the end of February, the Information Commissioner ordered Serco Leisure to stop using facial recognition and fingerprint scanning to check attendance and authorise pay. This followed an investigation affecting 38 leisure centres and over 2000 staff.

Serco was unable to show that the practice was fair, proportionate, and necessary. The Information Commissioner concluded that risks had not been fully considered and business interests had been prioritised over employees’ privacy.

The Information Commissioner, John Edwards, commented on the case, saying “…Biometric technologies cannot be deployed lightly. Organisations must mitigate any potential risks that come with using biometric data, such as errors identifying people accurately and bias if a system detects some physical characteristics better than others.”

In another, separate judgement, Clearview AI Inc was fined £7.5 million and ordered to destroy UK personal data deemed unlawful. Clearview had ‘scraped’ over 20 billion images from the internet to create an online global database for clients including police forces. However, people had not been informed their images were being collected or used in this way.

So, what’s the real issue for employers?

In the words of the Information Commissioner, “Biometric data is wholly unique to a person so the risks of harm in the event of inaccuracies or a security breach are much greater – you can’t reset someone’s face or fingerprint like you can reset a password.”

If you use – or are contemplating – biometric access technologies, you need to ensure:

  • You have identified and minimised risk by conducting a data processing impact assessment.
  • You can demonstrate use is necessary – not just useful, desirable or convenient.
  • Use is proportionate, legally compliant and there are no less intrusive alternatives.
  • You have specifically recognised that biometric data is special category personal data.
  • Security considerations are integral to data collection, use, retention, and disposal.
  • You are being transparent with staff about the intended use.
  • Should staff dissent, you can offer an alternative, less intrusive process.

More extensive guidance is available from the Information Commissioner here.

GDPR and the UK Data Protection Act are six years old in May. Have you reviewed your staff data protection provisions during this time? You can be fined up to £20 million for serious infringements. Moorepay can assist you to conduct an audit to help ensure you’re legally compliant. Find out more here, or check out our Knowledge Centre for more information around GDPR.

About the author

Mike Fitzsimmons

Mike is a Senior HR Consultant within the Moorepay Policy Team. He is responsible for developing employment documentation and is an employment law advisor. With over 30 years of senior management and HR experience, Mike has managed teams of between 30 and 100 employees and is familiar with all the issues that employing people brings. He has also served as a non-executive director on the Boards of several social enterprises and undertook a five-year tour of duty as Executive Chair of a £30+ million annual turnover Government agency.
