The Information Commissioner’s Office (ICO) has ordered Serco Leisure to stop using facial recognition and fingerprint scanning to monitor staff attendance.
The regulator also called for seven associated community leisure trusts to halt all use of the technology after it found that they, along with Serco Leisure, unlawfully processed the biometric data of more than 2,000 employees across 38 leisure facilities for the purpose of attendance checks and subsequent payment for their time.
The ICO said that the organisations involved had failed to show why it was necessary or proportionate to use these kind of technologies when there are less intrusive means available such as ID cards or fobs.
Employees across the trusts were not given an alternative to having their faces and fingers scanned to clock in and out, and this was presented as a requirement in order for them to get paid.
"Due to the imbalance of power between Serco Leisure and its employees, it is unlikely that they would feel able to say no to the collection and use of their biometric data for attendance checks," said the ICO.
The government office has now issued enforcement notices to Serco Leisure; Birmingham Community Leisure Trust Limited; Bolton Community Leisure Limited; Shropshire Community Leisure Trust Limited; More Leisure Community Trust Limited; Northern Community Leisure Trust Limited; Maidstone Leisure Trust Limited; and Swale Community Leisure.
The notice forces the eight companies to both stop the processing of biometric data and destroy any data that they are not legally obliged to retain within the next three months.
"Biometric data is wholly unique to a person so the risks of harm in the event of inaccuracies or a security breach are much greater - you can't reset someone's face or fingerprint like you can reset a password," said John Edwards, UK information commissioner. “Serco Leisure did not fully consider the risks before introducing biometric technology to monitor staff attendance, prioritising business interests over its employees’ privacy."
A spokesperson from Serco Leisure said that the technology was introduced across the leisure centres it manages nearly five years ago to make clocking in and out "easier and simpler" for its employees.
The company explained that it had engaged with its staff prior to implementing the facial technology, adding that it had been "well-received".
The business also sought out external legal advice before rolling out the tech which said that it was permitted.
“Despite being aware of Serco Leisure's use of this technology for some years, the ICO have only this week issued an enforcement notice and requested that we take action," continued the spokesperson. "We now understand this coincides with the publication of new guidance for organisations on processing of biometric data which we anticipate will provide greater clarity in this area."
Recent Stories