In a hyper-connected world heavily reliant on technology, the use of biometric data for employee attendance monitoring is growing in popularity as a practice across various industries. Notwithstanding the convenience tech can bring when it comes to monitoring productivity and attendance, a recent incident involving Serco, a major leisure centre operator, forces us all to take a step back and reflect on such practices. It highlights the importance of finding the right balance between innovation and respecting personal privacy when implementing such technologies into the workplace.
On February 23, 2024, the UK Information Commissioner’s Office (the “ICO”) reported that it had ordered public service providers Serco Leisure, Serco Jersey and associated community leisure trusts (jointly, “the Companies”) to stop using facial recognition technology (“FRT”) and fingerprint scanning (“FS”) to monitor employee attendance and subsequent payment for their time. This decision came after the ICO found that the biometric data of more than 2,000 employees had been unlawfully processed at 38 facilities managed by Serco Leisure. [1]
Background
In May 2017, Serco implemented biometric technology across 38 leisure facilities it operated. The decision stemmed from concerns about the vulnerability of previous attendance monitoring systems to abuse. Serco identified manual sign-in sheets as prone to human error and susceptible to abuse by a minority of employees. Additionally, misuse of ID cards by employees further necessitated a more robust system. Consequently, Serco believed that adopting biometric technology was the most effective way to address these issues.[2]
To substantiate this decision, Serco conducted both a data protection impact assessment (DPIA) and a legitimate interest assessment (LIA). These assessments identified the legal bases for processing biometric data under Articles 6(1)(b) and (f) of the UK General Data Protection Regulation (UK GDPR),[3] with relevance to the special category personal data condition outlined in Article 9(2)(b). Notably, similar provisions exist in Nigeria’s Data Protection Act of 2023 as can be seen in Section 25b(I) and (V) of the Act.[4]
Article 6(1)(b) was invoked on the grounds that operating the attendance monitoring system was deemed necessary for compliance with employees’ employment contracts. Meanwhile, Article 6(1)(f) was chosen in relation to Serco’s legitimate interests, presumably tied to the broader objectives of the attendance monitoring system and the transition to biometric data usage.
Serco also cited Article 9(2)(b) as the basis for processing biometric data, asserting that it was required to comply with various employment, social security, and social protection laws. These laws included regulations pertaining to working time, the national living wage, the right to work, and tax/accounting obligations.
The contravention
Despite Serco’s justifications, the ICO determined that the company, acting as a controller, had failed to establish appropriate lawful bases and conditions for processing biometric data. Consequently, Serco was found in breach of Articles 5(1)(a), 6, and 9 of the UK GDPR.[5] Prior to issuing the Enforcement Notice on February 23, 2024,[6] the ICO had served Serco with a Preliminary Enforcement Notice in November 2023,[7] allowing the company to provide written representations.
The Enforcement Notice mandated Serco to cease all processing of biometric data for employment attendance checks at its facilities and prohibited the implementation of biometric technology at any future facilities. Furthermore, Serco was instructed to destroy all biometric data and other personal/special category data not legally obligated to retain.
This incident raises several key considerations regarding the use of biometric data and technology deployment in the workplace:[8]
- Legal Compliance: The ICO’s enforcement action underscores the necessity for organisations to ensure compliance with data protection regulations when implementing biometric technologies. Despite Serco’s assertion that it followed external legal advice, the ICO found that the company failed to adequately consider the risks and provide alternatives for employees who were uncomfortable with biometric data collection.
- Employee Consent and Privacy: The ICO criticised Serco for not proactively offering employees alternatives to facial recognition and fingerprint scanning. This lack of choice creates a power imbalance in the workplace and raises concerns about individual privacy rights. Employers must prioritise obtaining informed consent from employees before collecting and processing biometric data, ensuring transparency and respect for privacy preferences.
- Ethical Considerations: The incident underscores broader ethical considerations surrounding the use of biometric technology for surveillance purposes. While these technologies offer convenience and efficiency, they also pose risks to individual privacy and autonomy. Employers must carefully weigh the benefits of biometric data collection against the potential harms and consider alternative methods of attendance monitoring that minimize intrusiveness.
- Regulatory Oversight: The ICO’s intervention highlights the need for robust regulatory oversight to govern the use of biometric data in the workplace. As technology evolves rapidly, regulatory frameworks must adapt to address emerging privacy concerns and safeguard individual rights. Organisations should stay abreast of regulatory developments and proactively engage with regulators to ensure compliance with evolving standards.
- Transparency and Accountability: Transparency and accountability are essential when deploying biometric technologies in the workplace. Employers must clearly communicate the purposes of biometric data collection, the methods used, and the safeguards in place to protect employee privacy. Additionally, mechanisms for accountability and redress should be established to address concerns and complaints from employees regarding the handling of their biometric data.
In response to the ICO’s enforcement notice, Serco Leisure emphasized its commitment to complying with regulatory requirements and respecting employee privacy. However, the incident serves as a reminder to organisations across industries of the importance of approaching biometric data usage with caution and diligence.[9]
As technology continues to advance, organisations must prioritize data privacy concerns and address the complex intersection of innovation, privacy, and ethics. Given the proactive approach of the Nigerian Data Protection Commission so far and the possible influence the Serco case may have on the Commission, the Serco case is also a call to action for Nigerian organisations to review their data protection compliance regarding the use of biometric data in the workplace. By reviewing legal compliance frameworks, engaging in proper training, obtaining explicit employee consent, considering ethical implications, ensuring regulatory oversight, and promoting transparency, businesses can harness the benefits of biometric technologies while upholding individual rights and privacy principles in the workplace.[10]
References
[1] ICO orders Serco Leisure to stop using facial recognition technology, accessed on 18 March 2024 from https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/02/ico-orders-serco-leisure-to-stop-using-facial-recognition-technology/
[2] James Clark, UK: Enforcement Against the Use of Biometrics in the Workplace, accessed on 19 March 2024 from https://www.lexology.com/library/detail.aspx?g=3199335b-e79c-4131-8a34-6f4b0f9b3a2d
[3] Articles 6(1)(b) and (f) of the UK General Data Protection Regulation
[4] Section 25b(I) and (V) of the Nigeria Data Protection Act 2023
[5] Articles 5(1)(a), 6, and 9 of the UK General Data Protection Regulation.
[6] ICO Enforcement Notice on February 23, 2024, from https://ico.org.uk/action-weve-taken/enforcement/
[7] ICO Preliminary Enforcement Notice in November 2023 from https://ico.org.uk/media/action-weve-taken/foi-enforcement-notices/4026119/mod-enforcement-notice.pdf
[8] Ibid
[9] norm. Data Protection Bulletin – November 3, 2023, ICO serves enforcement notice for using AI without considering data protection obligations, accessed on 19 March 2024 from https://www.normcyber.com
[10] Ibid