
Biometric data and the impact of the ICO's latest Enforcement Notice
The ICO has today issued an Enforcement Notice (EN) against Serco Limited (Serco) in respect of Serco’s processing of biometric data in contravention of the UK General Data Protection Regulation (UK GDPR).
Background
Serco operates various leisure facilities across the UK on behalf of leisure trusts. Serco implemented facial recognition technology (FRT) at 38 such facilities, and used this technology to process employee personal and special category data to monitor employee attendance.
Serco acted as a joint controller with some of the leisure trusts (and, in one instance, with Serco (Jersey) Limited (SJL)) in operating and managing the facilities; the ICO issued similar ENs to those trusts and SJL.
The ICO received one complaint in relation to Serco’s use of FRT systems at the facilities, but the investigation was triggered by an ICO employee who observed FRT in use at one of the facilities.
Contraventions
The ICO found that Serco, the relevant trusts and SJL had contravened Articles 5, 6 and 9 of the UK GDPR, and ordered them to cease all processing of biometric data and delete any biometric data held within the FRT systems.
Article 6: Lawful basis for processing
Serco sought to rely on Articles 6(1)(b) (contractual necessity) and 6(1)(f) (legitimate interests) as the lawful bases for processing employees’ biometric data.
In relation to contractual necessity, the ICO agreed that recording employee attendance was necessary for Serco to pay employees in accordance with its contractual obligations. However, it does not follow that it is necessary to process biometric data to fulfil that purpose. Less intrusive means of monitoring attendance were available, such as RFID cards or manual timesheets, and the ICO considered that Serco had not adequately explained why these were unsuitable. Serco had stated that these options were open to abuse, but provided no evidence of widespread actual abuse and did not otherwise explain why the alternatives were inappropriate. This lawful basis therefore failed.
Serco’s legitimate interests argument failed for similar reasons; Serco was unable to demonstrate that the processing of biometric data was “necessary” to fulfil the legitimate interest of ensuring that Serco was paying its staff correctly.
The ICO also considered that Serco had failed to give appropriate weight to the interests of data subjects when conducting the balancing test required to rely on legitimate interests; processing of biometric data has a substantial privacy impact and this was not adequately taken into account. The ICO also noted that Serco had not provided clear mechanisms for employees to opt out of the processing of their biometric data, or alternative options if they did not want their biometric data to be processed.
Article 9: Special category data processing condition
Serco sought to rely on Article 9(2)(b) as its special category data processing condition, i.e. the processing was necessary to carry out employment law obligations. The EN notes that Serco failed to identify the specific laws it was seeking to rely on as an employer, either in its DPIA or during the course of the investigation. It was only later, in Serco’s representations to the ICO, that Serco identified the Working Time Regulations 1998 and Employment Rights Act 1996 as the relevant legal obligations for the purposes of Article 9(2)(b).
The EN is clear that, in line with ICO guidance, Article 9(2)(b) does not cover processing to meet purely contractual rights or obligations; taking this into account, along with Serco’s failure to identify the applicable laws at the outset of the processing, the ICO did not consider that Article 9(2)(b) was an appropriate processing condition.
The ICO also noted that:
- Serco failed to demonstrate that its processing of biometric data was “necessary” for employee attendance monitoring; and
- Serco had not produced an appropriate policy document as required by Schedule 1, Paragraph 1(1)(b) of the Data Protection Act 2018.
Therefore, Article 9(2)(b) was not an appropriate processing condition.
Article 5: Fair and lawful processing
On the basis above, the ICO considered that Serco had failed to establish a lawful basis under Article 6 and a processing condition under Article 9 for its processing of biometric data. Serco (and, as joint controllers, the relevant trusts and SJL) had therefore failed to process biometric data lawfully in line with Article 5(1)(a).
Serco had also breached its Article 5(1)(a) obligation to process personal data fairly. The ICO noted that the processing of biometric data is highly intrusive and has the potential to cause distress to data subjects. Employees were not provided with clear alternative mechanisms to log attendance; in fact, employees had been told that they were “expected” to use the FRT systems and could be subject to disciplinary action if they refused to do so.
Key takeaways
Biometric technology is on the rise, and any organisation considering implementing biometric technology for the purpose of employee attendance should be aware of the following:
1 The assessment of “necessity” is key, and whether there are less intrusive means of achieving the purpose of the processing is a crucial part of that assessment. It is not enough simply to list the other means that have been considered; the organisation must set out why those means were not considered appropriate, with reference to specific evidence.
2 Reliance on Article 9(2)(b), where processing is necessary to carry out employment law rights and obligations, depends on clearly and specifically identifying the laws which confer the relevant right or obligation requiring the processing of personal data. Article 9(2)(b) does not extend to purely contractual rights or obligations.
3 When relying on legitimate interests, employees must have clear and easily accessible ways to object to the processing. In the context of biometric data, it is likely to be appropriate to offer alternative methods for employees to fulfil the relevant purposes, rather than making it mandatory for employees to hand over biometric data.
4 It is vital to ensure that data protection impact assessments and (where required) legitimate interests assessments are robust and completed prior to processing taking place; one of the points made by the ICO in the EN is that Serco’s LIA was conducted after the FRT had been rolled out and following the commencement of the ICO’s investigation.
5 Appropriate policy documents must not be forgotten about! Many special category personal data processing conditions require one, so this is a key part of the compliance framework for any organisation processing biometric data for employee monitoring purposes.
If you would like to discuss your organisation’s use of biometric data or any form of employee monitoring, please do get in touch.
Contributors: Emma Erskine-Fox and Lacey Hill
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at February 2024. Specific advice should be sought for specific cases. For more information see our terms & conditions.