Regulator says no to facial recognition and fingerprint scanning of employees

Considering facial recognition or fingerprint scanning to monitor your employees? Perhaps think again.

One industry is stepping back from the use of biometrics to log in employees for shifts after being slapped down by the UK’s data regulator, known as the Information Commissioner’s Office (ICO). According to a report in the Guardian newspaper, dozens of companies across the leisure centre sector are either removing their biometric attendance scanners or considering doing so after a ruling and new guidance from the watchdog back in February.

The shift follows a rise in employee monitoring amid an increase in flexible working and home working. But this recent ruling suggests some privacy is still allowed at work — even if it’s just for our faces and fingertips.

Serco Leisure biometric ruling

The report follows the ICO ordering one company to stop using facial recognition and fingerprint scanning technologies to monitor their workers’ attendance.

Back in February, the ICO announced the results of its investigation into Serco Leisure’s use of such technologies, finding the company and the community trusts that hired it were unlawfully processing that biometric data. More than 2,000 employees were impacted across 38 leisure facilities, the ICO said at the time.

The ICO said Serco Leisure failed to offer an alternative method for staff to check in for their shifts, effectively forcing them to hand over their biometric data in order to get paid. “Due to the imbalance of power between Serco Leisure and its employees, it is unlikely that they would feel able to say no to the collection and use of their biometric data for attendance checks,” the ICO said in a statement.

The regulator noted that Serco Leisure failed to show why the use of facial recognition and fingerprint scanning was necessary, as there are other means of tracking employee shifts, such as ID cards or fobs. “This action serves to put industry on notice that biometric technologies cannot be deployed lightly,” John Edwards, UK Information Commissioner, said in a statement at the time.

Alongside an enforcement notice requiring Serco Leisure to change its ways, the ICO also issued new guidance for all organisations that use biometric data.

“Our latest guidance is clear that organisations must mitigate any potential risks that come with using biometric data, such as errors identifying people accurately and bias if a system detects some physical characteristics better than others,” Edwards added.

No facial recognition for all employees?

Flash forward a few months, and it’s clear others in the leisure industry are taking the ICO seriously. According to The Guardian report, dozens of leisure centre chains, including Virgin Active, have either dropped facial recognition or fingerprint scanning for their staff, while others are considering following suit.

Indeed, Ian Hogg, the CEO of biometrics technology supplier Shopworks, told the newspaper that the new ICO guidance means companies should choose alternatives to facial recognition and fingerprint scanning. However, the ICO said it was working with industry about using the technology “appropriately” — suggesting the regulator does see ways that biometrics can be used by companies without breaching its guidance.

According to the guidance, organisations must be able to explain why biometric data is necessary, consider alternatives, and determine whether those could have sufficed without as much intrusion.

Companies must also understand and monitor the performance of their chosen biometric system to avoid false positives and negatives and ensure they don’t cause undue harm or discrimination. Beyond that, the guidance also lays out data protection requirements and security advice.

Either way, any company looking to use biometrics to track staff shifts should first review the ICO guidance to ensure such plans don’t violate the regulator’s expectations.

They should also consider staff opinions. A survey by the Centre for Emerging Technology and Security (CETaS) at The Alan Turing Institute last month revealed that Brits were less keen on private-sector uses of facial recognition than public-sector uses, such as policing or health services.

While respondents largely agreed that biometric systems should be regulated rather than banned, a clear majority believed the use of biometrics to assess performance in job interviews — or to track employee engagement or attention — should be outright banned.

Related: Want to use AI in business? Then think mundane tasks