Government outsourcer Serco has been ordered to cease the use of facial recognition tech and fingerprint scans when monitoring employees.
Britain’s information watchdog on Friday ruled the FTSE 250 firm must change the way it monitors the attendance of more than 2,000 employees at 38 leisure facilities across the country, and destroy what data it currently has.
The Information Commissioner’s Office (ICO) said Serco could not prove it was ‘necessary or proportionate’ to use facial recognition technology (FRT) and fingerprint scanning in place of other means like ID cards or fobs.
Erdington Leisure Centre in Birmingham is one of the leisure facilities operated by Serco, which runs similar businesses on behalf of community leisure trusts, local authorities and Sport England.
Serco now has three months to scrap the use of the invasive technology or it risks a fine of up to £17.5 million or 4 per cent of turnover – the group made £4.6 billion in revenues last year.
John Edwards, UK Information Commissioner, said: ‘Biometric data is wholly unique to a person so the risks of harm in the event of inaccuracies or a security breach are much greater – you can’t reset someone’s face or fingerprint like you can reset a password.
‘This is neither fair nor proportionate under data protection law, and, as the UK regulator, we will closely scrutinise organisations and act decisively if we believe biometric data is being used unlawfully.’
The group operates leisure facilities on behalf of community leisure trusts, local authorities and Sport England.
The ICO’s order applies to the group’s Serco Leisure and Serco Jersey units, as well as seven community trusts involved in the management of the facilities: Birmingham Community Leisure Trust, Bolton Community Leisure, Shropshire Community Leisure Trust, More Leisure Community Trust, Northern Community Leisure Trust, Maidstone Leisure Trust, and Swale Community Leisure.
Its investigation found that employees at the leisure facilities were not offered an alternative method of monitoring – and FRT and fingerprint scans were a requirement for payment.
The ICO said: ‘Due to the imbalance of power between Serco Leisure and its employees, it is unlikely that they would feel able to say no to the collection and use of their biometric data for attendance checks.’
The report of the watchdog’s investigation reveals one employee opted to complain to management about the use of FRT, but was knocked back with no offer of an alternative.
Serco instead offered to arrange a meeting between the employee and a representative of the company that makes the technology – ShopWorks – ‘to discuss privacy concerns’.
The data subject was informed that they would ‘be required to use the ShopWorks… system’ on their return to work.
A Serco Leisure spokesman said: ‘We value the hard work of all our team members delivering services for our customers.
‘This technology was introduced at the leisure centres we manage nearly five years ago to make clocking-in and out easier and simpler for colleagues.
‘We engaged with our team members in advance of its roll-out and its introduction was well-received by colleagues. The introduction also followed external legal advice which said use of the technology was permitted.
‘Despite being aware of Serco Leisure’s use of this technology for some years, the ICO have only this week issued an enforcement notice and requested that we take action.
‘We now understand this coincides with the publication of new guidance for organisations on processing of biometric data which we anticipate will provide greater clarity in this area.
‘We take this matter seriously and confirm we will fully comply with the enforcement notice.’