British leisure businesses are reviewing use of controversial biometric technology to monitor staff attendance after a clampdown from the UK’s data regulator.
Back in February, the Information Commissioner’s Office (ICO) ordered public service provider Serco Leisure and its trusts to stop using facial recognition technology and fingerprint scanning to monitor employee attendance.
The regulator investigated the company and found it was “unlawfully” processing the biometric data of more than 2,000 employees at 38 leisure facilities.
Speaking at the time, John Edwards, UK Information Commissioner described biometric data as “wholly unique to a person so the risks of harm in the event of inaccuracies or a security breach are much greater – you can’t reset someone’s face or fingerprint like you can reset a password.”
Commenting at the time, Samantha Owen, senior solicitor at Harper James said the “ICO has a tough stance on unauthorised employee monitoring, and this enforcement notice sends a clear message.”
Now, other similar companies are starting to review the biometric systems used to monitor their own staff in light of the regulators clampdown on Serco.
According to the Guardian, leisure club operator Virgin Active said it had pulled biometric scanners from 32 of its sites and was working on an alternative for staff. A spokesperson told the paper “we are working on this as a priority and the change has been communicated to all clubs already.”
The risks of harm in the event of inaccuracies or a security breach are much greater – you can’t reset someone’s face or fingerprint like you can reset a password.
John Edwards, UK Information Commissioner
Now, this is not just a UK issue, earlier this year, Amazon France Logistique was fined €32m by the French Data Protection Authority for implementing an overly intrusive system to monitor employee activity and performance.
While the AI Act, which recently received approval from the European Parliament, prohibits controlled use of real-time biometric ID in public spaces.
Speaking to City A.M., Hannah Petit, data associate at law firm Ashfords stated that “monitoring can be a useful tool for employers wanting to track employee activity… however, as monitoring will inherently involve the processing of the personal data of employees and workers, it is important to ensure that the methods used are compliant with data protection legislation.”
She explained that the law requires employers to carry out a data protection impact assessment (DPIA) to assess the necessity and proportionality of data processing activities they are planning to undertake in certain situations.
“This covers points such as whether monitoring is appropriate, why they are considering it, any impact it may have on employees and whether alternative methods have been considered,” she added.
Petit noted that “workplace monitoring should be used with caution, and reasonable expectations of workers should be an important factor in any decision to implement workplace monitoring.” Her example is to provide staff with the option of a swipe card if they are not comfortable with having biometric data stored.
“Ultimately, it will only be appropriate where it is necessary and proportionate. If it is neither, or if there are less intrusive ways for an employer to achieve its aims or satisfy its business interests, then workplace monitoring should be avoided,” she concluded.
