Data watchdog tells off outsourcing giant for scanning staff biometrics despite 'power imbalance'
2,000 employees at 38 facilities had data processed 'unlawfully', ICO says
A data protection watchdog in the UK has issued an enforcement notice to stop Serco from using facial recognition tech and fingerprint scanning to monitor staff at 38 leisure centers it runs.
During an investigation, the Information Commissioner's Office, Britain's regulator set up to enforce data protection law, found Serco Leisure and several associated community leisure trusts had unlawfully processed the biometric data of more than 2,000 employees at all 38 of the leisure facilities to check attendance and calculate pay.
The ICO has also instructed Serco Leisure and the trusts to destroy all biometric data that they are not legally obliged to retain within three months.
UK Information Commissioner John Edwards said biometric data represents a risk to individuals in the event of inaccuracies or security breaches. "You can't reset someone's face or fingerprint like you can reset a password," he said.
"Serco Leisure did not fully consider the risks before introducing biometric technology to monitor staff attendance, prioritizing business interests over its employees' privacy. There is no clear way for staff to opt out of the system, increasing the power imbalance in the workplace and putting people in a position where they feel like they have to hand over their biometric data to work there," he said in a statement.
Edwards added that in the context in which Serco and the trusts were using it, facial recognition was neither fair nor proportionate under data protection law. "We will closely scrutinize organizations and act decisively if we believe biometric data is being used unlawfully," he said.
Affected by the enforcement are Serco Leisure — national operators of leisure centers including swimming pools — and Serco Jersey, a separate company running similar facilities on the Channel Islands. Seven other trusts were hit by the enforcement including those in Birmingham, Bolton, Maidstone, More (Mansfield), Towcester, Shropshire and Swale. They all used Serco as a service partner.
Serco is a well-known tech and business process outsourcer. It has won contracts including those for the pandemic response Test and Trace system (£212 million, £322 million) and the Ministry of Justice.
In 2019, the UK outsourcing and services company was fined nearly £23 million in a settlement with the Serious Fraud Office over contracts to electronically tag criminals. The issue was first reported by Serco, and it later apologized.
As well as issuing the enforcement notice on Serco and the leisure trusts, the ICO has released new guidance designed to help organizations understand where they can and cannot use biometric data.
"Our latest guidance is clear that organizations must mitigate any potential risks that come with using biometric data, such as errors identifying people accurately and bias if a system detects some physical characteristics better than others," Edwards said.