Case update
Updated ICO guidance on using biometric data in monitoring workers
Background
The Information Commissioner's Office (ICO) brought an enforcement notice against Serco Leisure at the end of February 2024 ordering the employer to stop using facial recognition technology to monitor attendance of leisure centre employees.
Since then, the ICO has issued updated guidance on the use of such technology by employers in monitoring workers.
In this update, we summarise the key points from that case (and the ICO's guidance) and takeaways for employers.
Key points from the Serco Leisure case
Overview
- As set out in the enforcement notice, the ICO ordered Serco Leisure to stop using facial recognition technology (FRT) and fingerprint scanning, having determined that Serco Leisure had been unlawfully processing the biometric data of more than 2000 employees across 38 leisure facilities.
- Serco Leisure used the biometric data of employees to monitor their attendance at work and to determine their pay for time worked. The biometric data was held alongside the employees’ names and staff numbers.
Why did the ICO determine this processing of data was unlawful?
- Serco Leisure claimed it had 'lawful' bases for processing the biometric data (‘contractual necessity’ and ‘legitimate interests’), stating it needed to process attendance data to comply with its legal obligations for working time and tax.
- Crucially, whilst Serco Leisure asserted that alternatives would be considered if employees did not want the biometric technology to apply to them, the ICO found that, in reality, employees were not offered a clear alternative, nor a way to object to the processing.
- In fact, Serco Leisure had presented biometric data processing as a requirement to get paid, and had presented objection as something that could result in disciplinary action. Due to the imbalance of power between the employee and the employer, the ICO thought it was unlikely that employees would feel able to oppose the requirement.
- In the ICO's view, less intrusive means could have been used to verify attendance e.g., identification cards, key fobs, or sign-in and out sheets. Serco Leisure had sought to argue that such methods were open to abuse, but failed to provide supporting evidence or explain why disciplinary action would not be sufficient in such circumstances.
- Therefore, the ICO ordered Serco Leisure to stop using FRT and fingerprint scanning and to destroy all biometric data within 3 months of the date of the enforcement notice. No fine has been issued at this stage.
Points to consider for employers
In light of this case and the ICO's guidance, the key points to consider for employers are as follows:
- First, if there are less intrusive ways to achieve the stated purpose of processing biometric data, the less intrusive methods should be used instead.
- If the employer still needs to go ahead with processing biometric data, it should seek the 'explicit consent' of employees before doing so. In particular, employees should be given the opportunity to refuse consent without detriment and be offered a suitable alternative.
- If consent is not suitable and/or a genuine choice cannot be provided to employees, a separate lawful basis can be relied on if it is ‘necessary’ to achieve the overall purpose. However, given the ICO's approach in the Serco Leisure case, this is likely to be a very high bar requiring substantive supporting evidence.
- In any event, employers should ensure appropriate policies and procedures are in place before introducing any monitoring, e.g. to ensure system accuracy, transparency and security, minimise possible discrimination, and explain how the employer will deal with data subject access requests.
- Data protection impact assessments (DPIAs) will also be required. For more information on DPIAs, see the ICO's website.