UK data watchdog calls out Serco’s biometric scan use

LONDON, UNITED KINGDOM — In a significant move for employee privacy, the UK’s Information Commissioner’s Office (ICO) issued an enforcement notice against outsourcing giant Serco for unlawfully scanning the biometric data of its staff.
The ICO’s investigation revealed that Serco Leisure, along with several associated community leisure trusts, had been using facial recognition technology and fingerprint scanning to monitor over 2,000 employees across 38 leisure facilities for attendance and payroll purposes without a proper legal basis.
UK Information Commissioner John Edwards emphasized the risks associated with biometric data, adding, “You can’t reset someone’s face or fingerprint like you can reset a password.”
He criticized Serco Leisure for not adequately assessing the risks before deploying biometric technology, thereby prioritizing business interests over employee privacy.
Edwards also highlighted the lack of an opt-out system for staff, which exacerbated the power imbalance in the workplace and forced employees to surrender their biometric data to maintain employment.
The ICO’s enforcement notice requires Serco Leisure and the implicated trusts to cease the use of biometric data for staff monitoring and to destroy any unlawfully collected data within three months.
Further, Edwards warned that the use of facial recognition in this context was neither fair nor proportionate under data protection law, promising close scrutiny and decisive action against organizations misusing biometric data.
This enforcement affects Serco Leisure and Serco Jersey, along with seven other trusts across the UK. The ICO has also released new guidance to help organizations understand the legal boundaries of using biometric data, emphasizing the need to mitigate potential risks such as identification errors and biases.
Serco, known for securing major contracts, including the pandemic response Test and Trace system, has previously faced legal challenges, including a nearly £23 million (US$29.1 million) fine in 2019 for issues related to electronic tagging contracts.