The ICO exists to empower you through information.

  • Regulator issues enforcement notices ordering Serco Leisure and community leisure trusts to stop using FRT and fingerprint scanning to monitor workers’ attendance
  • Employees are not offered a clear alternative to having their faces and fingerprints scanned to clock in and out of the workplace
  • Warning comes as the ICO today publishes new guidance for organisations on processing biometric data lawfully 

The Information Commissioner’s Office (ICO) has ordered public service provider Serco Leisure, Serco Jersey and seven associated community leisure trusts to stop using facial recognition technology (FRT) and fingerprint scanning to monitor employee attendance. 

The ICO’s investigation found that Serco Leisure and the trusts have been unlawfully processing the biometric data of more than 2,000 employees at 38 leisure facilities for the purpose of attendance checks and subsequent payment for their time. 

They failed to show why it is necessary or proportionate to use FRT and fingerprint scanning for this purpose, when there are less intrusive means available such as ID cards or fobs.

Employees have not been proactively offered an alternative to having their faces and fingers scanned to clock in and out of their place of work, and it has been presented as a requirement in order to get paid. Due to the imbalance of power between Serco Leisure and its employees, it is unlikely that they would feel able to say no to the collection and use of their biometric data for attendance checks.

The ICO has now issued enforcement notices instructing Serco Leisure and the trusts to stop all processing of biometric data for monitoring employees’ attendance at work, as well as to destroy all biometric data that they are not legally obliged to retain. This must be done within three months of the enforcement notices being issued.

John Edwards, UK Information Commissioner, said:

"Biometric data is wholly unique to a person so the risks of harm in the event of inaccuracies or a security breach are much greater - you can't reset someone's face or fingerprint like you can reset a password. 

“Serco Leisure did not fully consider the risks before introducing biometric technology to monitor staff attendance, prioritising business interests over its employees’ privacy. There is no clear way for staff to opt out of the system, increasing the power imbalance in the workplace and putting people in a position where they feel like they have to hand over their biometric data to work there.  

“This is neither fair nor proportionate under data protection law, and, as the UK regulator, we will closely scrutinise organisations and act decisively if we believe biometric data is being used unlawfully.”

This enforcement action comes as the ICO today publishes new guidance for all organisations that are considering using people’s biometric data. The guidance outlines how organisations can comply with data protection law when using biometric data to identify people.

Mr Edwards added:

“This action serves to put industry on notice that biometric technologies cannot be deployed lightly. We will intervene and demand accountability, and evidence that they are proportional to the problem organisations are seeking to solve. 

“Our latest guidance is clear that organisations must mitigate any potential risks that come with using biometric data, such as errors identifying people accurately and bias if a system detects some physical characteristics better than others.”   

Last year, the ICO also published guidance on monitoring employees and called on organisations to consider both their legal obligations and their employee’s rights to privacy before they implement any monitoring.

Notes to editors

About the enforcement action

The enforcement notices concern 38 Serco-operated leisure facilities where biometric data is being processed. 

Serco Leisure Operating Limited operates leisure facilities on behalf of community leisure trusts.

FRT is used at all 38 leisure facilities. At two of the facilities, both FRT and fingerprint scanning technology are in use.

For five of the leisure facilities, Serco is the sole controller in relation to the processing of biometric data. 

At 32 of the leisure facilities, Serco is a joint controller with the community trust and at one of the leisure facilities, Serco is a joint controller with Serco (Jersey) Limited. Both controllers have responsibility for the processing of biometric data. 

The ICO has issued nine enforcement notices, ordering Serco Leisure, Serco Jersey and the seven community trusts listed below to stop the processing. 

  • Birmingham Community Leisure Trust Limited
  • Bolton Community Leisure Limited
  • Shropshire Community Leisure Trust Limited
  • More Leisure Community Trust Limited
  • Northern Community Leisure Trust Limited
  • Maidstone Leisure Trust Limited
  • Swale Community Leisure

About the ICO 

The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for people.

The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations. 

The ICO can take action to address and change the behaviour of organisations and people that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. 
To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.