Government subcontractor Serco has been ordered to stop using facial recognition technology and fingerprint scans when monitoring employees.
Britain’s information watchdog ruled on Friday that the FTSE 250 company must change the way it monitors the attendance of more than 2,000 employees at 38 leisure facilities across the country and destroy the data it currently holds.
The Information Commissioner’s Office (ICO) said Serco could not demonstrate that it was “necessary or proportionate” to use FRT and fingerprint scanning instead of other means such as ID cards or key fobs.
Erdington Leisure Center in Birmingham is one of the leisure facilities managed by Serco, which runs similar businesses on behalf of community leisure trusts, local authorities and Sport England.
Serco now has three months to abandon its use of the invasive technology or risk being fined up to £17.5m or 4 per cent of its turnover – the group made £4.6bn in revenue on last year.
John Edwards, UK Information Commissioner, said: “Biometric data is completely unique to each individual, so the risks of harm from inaccuracies or a security breach are much greater – the identity cannot be restored. face or fingerprint of a person how to reset a password.
“This is neither fair nor proportionate under data protection law and, as a UK regulator, we will scrutinize organizations closely and act decisively if we believe biometric data is being used unlawfully.”
The group operates leisure facilities on behalf of community leisure trusts, local authorities and Sport England.
The ICO order applies to the group’s Serco Leisure and Serco Jersey units, as well as seven community trusts involved in the management of the facilities; Birmingham Community Leisure Trust, Bolton Community Leisure Trust, Shropshire Community Leisure Trust, More Leisure Community Trust, Northern Community Leisure Trust, Maidstone Leisure Trust and Swale Community Leisure.
Their investigation found that employees at leisure facilities were not offered an alternative method of tracking, and FRT and fingerprint scanning were a requirement for payment.
The ICO said: “Due to the power imbalance between Serco Leisure and its employees, it is unlikely that they will feel able to say no to the collection and use of their biometric data for attendance checks.”
The watchdog’s investigation report reveals that one employee chose to complain to management about the use of FRT, but was rejected without being offered any alternative.
Instead, Serco offered to arrange a meeting between the employee and a representative of the company that makes the technology (ShopWorks) “to discuss privacy issues.”
The individual was informed that he “should use the ShopWorks system…” when he returned to work.
A Serco Leisure spokesperson said: ‘We value the hard work of all our team members in providing services to our customers.
‘This technology was introduced in the leisure centers that we manage almost five years ago to facilitate and simplify the signing in and out of colleagues.
‘We communicated with our team members before its launch and its presentation was well received by colleagues. The introduction also followed external legal advice saying the use of the technology was permitted.
‘Despite being aware of Serco Leisure’s use of this technology for some years, the ICO has only this week issued a compliance notice and asked us to take action.
‘We now understand that this coincides with the publication of new guidance for organizations on the processing of biometric data which we anticipate will provide greater clarity in this area.
“We take this matter seriously and confirm that we will fully comply with the enforcement notice.”