A best practice guide for employers
In a landmark development addressing data protection and workplace surveillance, the Information Commissioner’s Office (ICO) recently intervened with Serco Leisure, instructing them to halt the use of facial recognition technology and fingerprint scanning for employee attendance monitoring.
This is significant as it is the first time that the ICO has taken enforcement action against an employer for its processing of biometric data.
As biometric scanning becomes increasingly prevalent, it is important to remember that there are inherent risks associated with the collection and processing of biometric data. Unlike traditional passwords, biometric identifiers such as fingerprints or facial features are unique to individuals and cannot be reset, amplifying the consequences of security breaches. The unique and irrevocable nature of biometric data underscores the need for robust safeguards and careful consideration before its deployment.
In Serco Leisure’s case, concerns were raised regarding the necessity and proportionality of the measures adopted. Being able to justify the processing of biometric data, especially where less intrusive alternatives exist, is essential. Additionally, employees should be proactively offered clear alternatives to biometric monitoring.
Guidance from the ICO outlines specific steps and considerations that must be addressed before implementing biometric monitoring systems. Compliance with these requirements is vital to ensure the protection of employee privacy and data security.
Here are some key steps to consider before rolling out biometric monitoring systems:
- Identify the purpose for the intended use of the biometric data.
- Evaluate the necessity of the processing and document the reasons for choosing it over less intrusive methods.
Consider conducting a comprehensive Data Protection Impact Assessment (DPIA) involving input from the data subjects or their representatives. A DPIA is likely to be necessary for the processing of biometric data, as you are required to assess new technologies likely to result in a high risk to the rights and freedoms of individuals. The specific requirements are set out in Article 35(3) of the UK GDPR.
You need to establish a lawful basis for any type of personal data processing. There are six available bases, detailed within Article 6 of the UK GDPR. If you are struggling to decide which to use for this monitoring, the ICO has created a tool to help you to determine the most appropriate lawful basis.
If you are capturing biometric data to uniquely identify individuals, it is classed as special category data and, as such, you will also need to identify a further, separate special category condition for the processing, as outlined within Article 9 of the UK GDPR.
If you are considering relying on consent as your lawful basis, remember that there is an imbalance of power between an employer and an employee. As a result, employers need to consider whether consent is an appropriate lawful basis to rely on. If used, there must be a real choice and employees must be able to refuse or withdraw their consent. An employee refusing or withdrawing their consent must not be put at a disadvantage.
If, following the completion of a DPIA, you decide to proceed with the monitoring, you should:
- implement mechanisms for a manual review in case data subjects encounter automatic errors or denials;
- adhere to principles of accuracy and fairness, identifying and mitigating risks to these principles;
- document the personal data processed and communicate within clear privacy notices outlining how the system works, the personal data collected, how the data will be used, and the nature and purpose of the monitoring;
- consider international transfer rules if applicable;
- comply with additional requirements under Article 22 of the UK GDPR for automated decision-making processes if applicable;
- implement robust security measures to protect collected biometric data;
- keep the processing under review to ensure continued compliance with the DPIA.
For organisations already using or considering biometric monitoring systems, seeking guidance and support from experts is crucial to ensuring compliance with regulations and best practices at every stage of the process. Contact us for detailed advice on how to navigate the complexities of biometric monitoring while upholding employee privacy and data security rights.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at March 2024.