Biometric worker monitoring: new draft guidance for the UK

An overhaul of worker monitoring guidance has been released, in draft form, by the UK’s data protection regulator, the Information Commissioner’s Office (ICO), to address the significant changes to the way we work since its current employment practices code was published in 2011. The Covid-19 pandemic accelerated those changes further, bringing more analytics and biometric tracking of workers.
The draft guidance is presented for feedback by 11 January 2023 and aims to provide practical advice as well as help employers conducting monitoring to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, both of which are facing significant reform. Neither prevents worker monitoring.
The guidance covers general principles such as balancing intrusion against the needs of the employer, workers and the public. Workers must be made aware of monitoring (except in exceptional circumstances for covert approaches), data cannot be used for other purposes, and data protection impact assessments (DPIAs) must be carried out.
Biometric worker monitoring guidance
The draft guidance comes from a position of encouraging employers to question their own reasons for wanting to use biometrics in the first place, and whether such use would be deemed proportionate: employers must “document the evidential basis for choosing to rely on biometric data, including any consideration of other less intrusive means and why they are inadequate.”
Employers must also identify a lawful basis for their implementation of biometrics (there is a choice of six bases). As special category data, the collection of biometrics requires the identification of a special category, with guidance provided.
UK GDPR further protects workers if any automated decision-making has legal or other significant effects on workers. Explicit worker consent is required.
“This is the most likely gateway for using biometric data for access control but it may be difficult to get true consent due to the power imbalance between workers and employers,” states the draft guidance. “You must offer an alternative to workers who do not want to give consent so they have free choice. The alternative must not be a detriment to workers choosing to use it, you must consider whether explicit consent can be genuine where a manual option takes longer.”
Systems such as facial recognition require specific consent and a system that scans all workers regardless of whether or not they have consented would be unlawful.
DPIAs are compulsory and must contain the justifications already worked out. Data must be kept more securely, with further advice available.
Once operational for access, manual reviews of false negatives from biometric sensors must be available and must not be of detriment to the workers.
Elsewhere the draft guidance notes that “If you are monitoring workers remotely, keep in mind that workers’ expectations of privacy are likely to be higher at home than in the workplace. The risks of capturing family and private life information are higher, so you should factor this risk into your planning.”