Privacy Watchdog Cracks Down on Biometric Employee Tracking

A private company that runs dozens of British community leisure centers must stop tracking employees using facial recognition and fingerprint scanning.

See Also: User Entity & Behavior Analytics 101: Strategies to Detect Unusual Security Behaviors

The U.K. Information Commissioner’s Office found Serco Leisure and seven trusts with which it works were “unlawfully processing the biometric data of more than 2,000 employees at 38 leisure facilities for the purpose of attendance checks and subsequent payment for their time.”

Serco Leisure, based in Leicester, England, manages a number of leisure centers – roughly analogous to U.S. rec centers – including 37 in England and one on the Channel Island of Jersey that were the focus of the regulator’s probe. The limited company is fully owned by publicly traded British multinational Serco, which earned $5.7 billion in 2021 revenue.

The company faces no fine, provided it complies with the notice. “We take this matter seriously and confirm we will fully comply with the enforcement notice,” a Serco spokesperson told Information Security Media Group in a statement.

The ICO on Friday published new guidance for any organization considering using biometric recognition, meaning using “biometric data to uniquely identify someone.” The regulator said its guidance is due in part to the term not being defined by current data protection laws.

In Serco’s case, the ICO said Friday that the company failed to demonstrate why using facial recognition technology and fingerprint scanning was “necessary or proportionate,” and said by doing so it violated the U.K. General Data Protection Regulation.

“Biometric data is wholly unique to a person so the risks of harm in the event of inaccuracies or a security breach are much greater – you can’t reset someone’s face or fingerprint like you can reset a password,” said U.K. Information Commissioner John Edwards. “Serco Leisure did not fully consider the risks before introducing biometric technology to monitor staff attendance, prioritizing business interests over its employees’ privacy.”

The ICO served Serco with a preliminary enforcement notice over the matter on Nov. 7, 2023.

Questions over the extent to which employers can monitor employees surged during the pandemic. Many of those queries centered on presence monitoring, especially as once office-bound companies were forced to let employees work remotely.

Serco’s use of biometrics predated the pandemic. For leisure center employees to clock in and out, the company first began using facial recognition technology made by SWT Software Limited, trading as ShopWorks, in May 2017 when it began operating a site that already used it. The company further trialed the technology for other leisure center employees in 2018, and rolled it out in a more widespread manner in 2019 and November 2022.

The Serco spokesperson said the company vetted the new system with employees and that “the introduction also followed external legal advice which said use of the technology was permitted.” The company said it welcomed “the publication of new guidance for organizations on processing of biometric data which we anticipate will provide greater clarity in this area.”

According to the ICO’s investigation, the ShopWorks facial recognition equipment registers employees by taking three pictures of their face and using them to “to create a biometric map based on the employee’s facial features,” stored in encrypted form, together with their employee ID number. When an employee clocks in or out, after the system confirms their identity, it doesn’t send the biometric data to a ShopWorks server, but rather only the time and employee ID number, confirming their identity was verified.

The privacy watchdog first began investigating Serco’s use of biometrics in 2019, after receiving a complaint. Following the ICO’s inquiries, Serco in 2020 produced both a data protection impact assessment and legitimate interests assessment, assessing that using biometrics was a contractual necessity and in employees’ legitimate interest.

After conducting a full investigation, the regulator disagreed, saying Serco’s conclusions showed “a lack of understanding” of the country’s data protection requirements. “There are less intrusive means available such as ID cards or fobs,” although the company offered employees no such options, the ICO said.

“Due to the imbalance of power between Serco Leisure and its employees, it is unlikely that they would feel able to say no to the collection and use of their biometric data for attendance checks,” the ICO said.

Serco told the ICO it introduced biometrics checks to counter abuse of previous clock-in and clock-out approaches, which included “buddy punching,” involving radio-frequency identification cards being kept in communal areas and used inappropriately, as well as “falsified time cards,” referring to the fraudulent use of manual sign-in sheets.

“Serco did not provide any figures or evidence indicating the number of employees abusing the system,” the ICO said.