In a hyper-connected world heavily reliant on technology, the
use of biometric data for employee attendance monitoring is growing
in popularity as a practice across various industries.
Notwithstanding the convenience tech can bring when it comes to
monitoring productivity and attendance, a recent incident involving
Serco, a major leisure centre operator, forces us all to take a
step back and reflect on such practices. It highlights the
importance of finding the right balance between innovation and
respecting personal privacy when implementing such technologies
into the workplace.
On February 23, 2024, the UK Information Commissioner’s
Office (the “ICO”) reported that it had ordered public
service providers Serco Leisure, Serco Jersey and associated
community leisure trusts (jointly, “the Companies”) to
stop using facial recognition technology (“FRT”) and
fingerprint scanning (“FS”) to monitor employee
attendance and subsequent payment for their time. This decision
came after the ICO found that the biometric data of more than 2,000
employees had been unlawfully processed at 38 facilities managed by
Serco Leisure.[1]
Background
In May 2017, Serco implemented biometric technology across 38
leisure facilities it operated. The decision stemmed from concerns
about the vulnerability of previous attendance monitoring systems
to abuse. Serco identified manual sign-in sheets as prone to human
error and susceptible to abuse by a minority of employees.
Additionally, misuse of ID cards by employees further necessitated
a more robust system. Consequently, Serco believed that adopting
biometric technology was the most effective way to address these
issues.[2]
To substantiate this decision, Serco conducted both a data protection impact assessment (DPIA) and a
legitimate interest assessment (LIA). These assessments identified
the legal bases for processing biometric data under Articles
6(1)(b) and (f) of the UK General Data Protection Regulation (UK
GDPR),[3] with relevance to the special category personal
data condition outlined in Article 9(2)(b). Notably, similar
provisions exist in Nigeria’s Data Protection Act of 2023 as can be seen in
Section 25b(I) and (V) of the Act.[4]
Article 6(1)(b) was invoked on the grounds that operating the
attendance monitoring system was deemed necessary for compliance
with employees’ employment contracts. Meanwhile, Article
6(1)(f) was chosen in relation to Serco’s legitimate interests,
presumably tied to the broader objectives of the attendance
monitoring system and the transition to biometric data usage.
Serco also cited Article 9(2)(b) as the basis for processing
biometric data, asserting that it was required to comply with
various employment, social security, and social protection laws.
These laws included regulations pertaining to working time, the
national living wage, the right to work, and tax/accounting
obligations.
The contravention
Despite Serco’s justifications, the ICO determined that the
company, acting as a controller, had failed to establish
appropriate lawful bases and conditions for processing biometric
data. Consequently, Serco was found in breach of Articles 5(1)(a),
6, and 9 of the UK GDPR.[5] Prior to issuing the
Enforcement Notice on February 23, 2024,[6] the ICO
had served Serco with a Preliminary Enforcement Notice in November
2023,[7] allowing the company to provide written
representations.
The Enforcement Notice mandated Serco to cease all processing of
biometric data for employment attendance checks at its facilities
and prohibited the implementation of biometric technology at any
future facilities. Furthermore, Serco was instructed to destroy all
biometric data and other personal/special category data that it was
not legally obligated to retain.
This incident raises several key considerations regarding the
use of biometric data and technology deployment in the
workplace:[8]
- Legal Compliance: The ICO’s enforcement action underscores
the necessity for organisations to ensure compliance with data protection regulations when implementing
biometric technologies. Despite Serco’s assertion that it
followed external legal advice, the ICO found that the company
failed to adequately consider the risks and provide alternatives
for employees who were uncomfortable with biometric data
collection.
- Employee Consent and Privacy: The ICO criticised Serco for not
proactively offering employees alternatives to facial recognition
and fingerprint scanning. This lack of choice creates a power
imbalance in the workplace and raises concerns about individual
privacy rights. Employers must prioritise obtaining informed
consent from employees before collecting and processing biometric
data, ensuring transparency and respect for privacy
preferences.
- Ethical Considerations: The incident underscores broader
ethical considerations surrounding the use of biometric technology
for surveillance purposes. While these technologies offer
convenience and efficiency, they also pose risks to individual
privacy and autonomy. Employers must carefully weigh the benefits
of biometric data collection against the potential harms and
consider alternative methods of attendance monitoring that minimize
intrusiveness.
- Regulatory Oversight: The ICO’s intervention highlights the
need for robust regulatory oversight to govern the use of biometric
data in the workplace. As technology evolves rapidly, regulatory
frameworks must adapt to address emerging privacy concerns and
safeguard individual rights. Organisations should stay abreast of
regulatory developments and proactively engage with regulators to
ensure compliance with evolving standards.
- Transparency and Accountability: Transparency and
accountability are essential when deploying biometric technologies
in the workplace. Employers must clearly communicate the purposes
of biometric data collection, the methods used, and the safeguards
in place to protect employee privacy. Additionally, mechanisms for
accountability and redress should be established to address
concerns and complaints from employees regarding the handling of
their biometric data.
In response to the ICO’s enforcement notice, Serco Leisure
emphasized its commitment to complying with regulatory requirements
and respecting employee privacy. However, the incident serves as a
reminder to organisations across industries of the importance of
approaching biometric data usage with caution and
diligence.[9]
As technology continues to advance, organisations must
prioritize data privacy concerns and address the complex
intersection of innovation, privacy, and ethics. Given the
proactive approach of the Nigerian Data Protection Commission so
far and the possible influence the Serco case may have on the
Commission, the Serco case is also a call to action for Nigerian
organisations to review their data protection compliance regarding
the use of biometric data in the workplace. By reviewing legal
compliance frameworks, engaging in proper training, obtaining
explicit employee consent, considering ethical implications,
ensuring regulatory oversight, and promoting transparency,
businesses can harness the benefits of biometric technologies while
upholding individual rights and privacy principles in the
workplace.[10]
Footnotes
1. ICO orders Serco Leisure to stop using facial
recognition technology accessed on 18th March 2024 from
https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/02/ico-orders-serco-leisure-to-stop-using-facial-recognition-technology/
2. James Clark UK: Enforcement Against the Use of
Biometrics in the Workplace accessed on 19 March 2024 from
https://www.lexology.com/library/detail.aspx?g=3199335b-e79c-4131-8a34-6f4b0f9b3a2d
3. Articles 6(1)(b) and (f) of the UK General Data
Protection Regulation
4. Section 25b(I) and (V) of the Nigeria Data Protection
Act 2023
5. Articles 5(1)(a), 6, and 9 of the UK General Data
Protection Regulation.
6. ICO Enforcement Notice on February 23, 2024, from
https://ico.org.uk/action-weve-taken/enforcement/
7. ICO Preliminary Enforcement Notice in November 2023
from
https://ico.org.uk/media/action-weve-taken/foi-enforcement-notices/4026119/mod-enforcement-notice.pdf
8. Ibid
9. norm. Data Protection Bulletin – November 3,
2023 ICO serves enforcement notice for using AI without
considering data protection obligations accessed on 19 March 2024
from https://www.normcyber.com : norm.
10. Ibid
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.