The ICO’s new regulations on biometric technology in the workplace


Contributed

This content is contributed or sourced from third parties but has been subject to Finextra editorial review.

When someone mentions biometric technology, many of us still visualise the futuristic utopias popularised in movies such as Minority Report, or Blade Runner.

Yet biometric technology is very much commonplace in today’s world – particularly from a consumer perspective. We are using facial recognition systems to gain access to our smartphones, voice recognition to control our smart home devices, and fingerprint scanning to access our online bank accounts.

Many banks and financial institutions have sought to harness biometric systems to drive value and efficiency, as well as greater security for their customers. Using biometrics can reduce fraud and provide an easier to use, and more efficient service. For example, Citibank uses voice-recognition software in its call centres to verify customers’ identity, which reduces wait times; and JP Morgan has been trialling the use of facial and palm recognition at retailers and sporting events in the US.

As biometric technology capabilities keep developing at a rapid rate, we will likely see more financial institutions explore how biometric systems could be used to enhance their own internal operations and the employee experience too. However, a recent clampdown and refresh of regulations from the Information Commissioner’s Office (ICO) has raised questions as to how biometric technology can be used in the workplace while ensuring that its use is legally compliant.

ICO clampdown

The ICO announced new guidance earlier this year, after a number of its own investigations found that companies had been falling foul of data protection rules because they were using biometric systems to monitor staff attendance. In February, Serco and a number of other leisure trusts were found to have unlawfully processed the facial recognition and fingerprint data of 2,000 staff in order to monitor attendance at their leisure centres.

They were ordered to stop using it to track staff in the workplace and to delete any biometric data that was not required to be kept under the law. It was reported that this had a domino effect, with many other companies announcing that they would pull or seriously re-examine the use of their biometric systems.

Whilst it’s easy to think this was an isolated incident, or one that only applies to those in the leisure sector, the ICO gave a clear warning that this action held clear lessons for all using biometric technology in the workplace.

John Edwards, UK Information Commissioner, said: “This action serves to put industry on notice that biometric technologies cannot be deployed lightly. We will intervene and demand accountability, and evidence that they are proportional to the problem organisations are seeking to solve.”

The ICO explained that alternatives for monitoring staff attendance should have been explored first, suggesting that ID cards or fobs could have been used instead. Employees at the organisations in question were also told they had to comply with the biometric system in order to be paid.

Mr Edwards added that “Serco Leisure did not fully consider the risks before introducing biometric technology to monitor staff attendance, prioritising business interests over its employees’ privacy. There is no clear way for staff to opt out of the system, increasing the power imbalance in the workplace and putting people in a position where they feel like they have to hand over their biometric data to work there.”

This decision also put a spotlight on the regulatory differences between the handling and processing of customer data and that of employee data. Whilst companies are able to harness biometric technology at scale, and fairly straightforwardly within the law, for their customer and client relationships, there are limitations for internal purposes: data protection law is designed to ensure that, in an employment context, employees are not exploited through their data.

In what instances can you use biometric systems?

You can use biometric systems in the workplace, but there must be justifiable grounds for doing so. This is because biometric data is defined as special category data under the Data Protection Act 2018.

Companies should review and establish their consent procedures and check whether they meet ICO guidelines, and carry out due diligence on how the supplier of the biometric system handles such data, if they haven't done so already.

Using it is invasive. Without the explicit consent of employees, full consideration by the employer of the impact of processing the data, and appropriate security in handling it, businesses could fall foul of the rules and potentially be fined by the ICO up to 4% of global annual turnover or £18 million, whichever is greater.

In Serco’s case, the ICO said “they failed to show why it is necessary or proportionate to use FRT and fingerprint scanning”. Under data protection law, businesses will need to justify why it is fair for them to collect biometric data.

Companies already using, or considering using, biometric technology in the workplace should also put together a detailed and extensively documented data protection impact assessment.

Enhanced cyber security measures such as encryption should be implemented, and privacy notices will need to be updated to state why the organisation is using employees’ biometric data, give details on the processing of this data, and explain how it is complying with the law in doing so. This document should be accessible at all times, and the notice should also outline who employees can speak to if they have any questions or concerns.

The risks

Employers should refer to the new ICO guidance to ensure they comply with the new rules, even when only trialling biometric systems in the workplace. Banks and financial institutions know all too well the risks of personal data getting into the wrong hands, having seen, and being heavily engaged in tackling, the global increase in unauthorised fraud.

Whilst biometric technology could go some way towards mitigating the risks of fraud, if the data is poorly handled and processed, the impact of a hack or leak could be devastating and lifelong for an individual, since biometric characteristics cannot be changed the way a password can. Employees would be well within their rights to take legal action against their employers and launch potentially high-value claims. This could also cause severe reputational damage to an organisation.

It is well worth companies going through the regulations with a fine-tooth comb and taking all recommended preparatory steps before introducing biometric technology in the workplace.
