UK ICO issues warning on biometric employee tracking, guidance for businesses
The UK Information Commissioner’s Office (ICO) has warned community and fitness center operator Serco Leisure that facial recognition and fingerprint biometrics cannot be used to monitor employees’ time and attendance.
The regulator posted a notice of its warning to Serco “and seven associated leisure trusts,” stating that the use of biometrics was not proportionate, and no alternative method was offered. They must end the practice and delete the biometric data collected within three months.
Serco used biometrics to track the time and attendance of more than 2,000 employees at 38 facilities for multiple years.
The facilities operators notified of non-compliance by the ICO are Serco Leisure, Serco Jersey, Birmingham Community Leisure Trust, Bolton Community Leisure, Shropshire Community Leisure Trust, More Leisure Community Trust, Northern Community Leisure Trust, Maidstone Leisure Trust and Swale Community Leisure.
“This action serves to put industry on notice that biometric technologies cannot be deployed lightly. We will intervene and demand accountability, and evidence that they are proportional to the problem organisations are seeking to solve,” says Information Commissioner John Edwards.
“Our latest guidance is clear that organisations must mitigate any potential risks that come with using biometric data, such as errors identifying people accurately and bias if a system detects some physical characteristics better than others.”
A Serco representative told Health Club Management that it will abide by the ICO’s decision, but noted that the regulator has been aware of its use of biometrics “for some years.” The notice coincides with the publication of new guidance from the ICO on businesses’ use of biometrics, the representative pointed out. The trade publication does not appreciate the ICO issuing a press release that singles out Serco.
New biometrics guidance published
The ICO published its latest guidance for businesses considering implementing biometrics on Friday, the same day as the notice to Serco.
It defines personal information, biometric data and special category biometric data. Processes are described for deciding if it is appropriate to use biometrics, data protection impact assessments and lawful biometrics processing. Obligations for dealing with data requests and securing customer and employee data are outlined.
The guidance does not apply to law enforcement or security agencies.
Guidance specifically on biometric employee management was published by the ICO last year.
Article Topics
biometric monitoring | biometrics | data privacy | Information Commissioner’s Office (ICO) | regulation | workforce management
Comments