ICO warns against using biometrics for employee monitoring

Businesses often consider or adopt biometric monitoring systems like fingerprint or facial recognition to improve efficiency and combat issues like timesheet errors or ‘buddy punching’ – where employees clock into work shifts for one another. However, using biometrics for employee monitoring raises significant privacy concerns and legal implications due to strict data protection rules around processing sensitive biometric data, which we outline here. Employers must carefully balance any perceived benefits against the risks of infringing on employees' fundamental privacy rights.

The Information Commissioner's Office (ICO) recently ordered Serco Leisure and associated trusts to stop using facial recognition technology and fingerprint scanning to monitor over 2,000 employees across 38 sites. Serco aimed to reduce timesheet inconsistencies but failed to provide staff with a clear non-biometric alternative or to offer less invasive options.

Data protection law requires organisations to demonstrate that biometric monitoring is necessary when less invasive alternatives exist. The ICO ruled that Serco’s occasional timesheet errors did not justify continuous biometric surveillance, which was disproportionate to the problem. Serco also neglected to address staff grievances or explore disciplinary measures to resolve the timesheet issues, nor did they first explore other less intrusive verification procedures like ID cards.

This ICO enforcement action indicates biometrics should not be an automatic choice, even for legitimate business issues.

Samantha Owen, Senior Employment Solicitor, comments:

According to the ICO enforcement notice, the inherent power imbalance between employer and staff meant employees at Serco could not freely object to the system's rollout, which conflicts with data protection standards requiring informed consent. Rather than unilaterally imposing top-down policies, we encourage businesses to evaluate their options and secure genuine employee buy-in before considering biometric. Whilst surveillance may be lawful in certain circumstances, it risks eroding morale and trust, which is vital for staff well-being and productivity. In addition, imposing terms on your team without seeking their agreement can lead to grievances and can also lead to resignations and employees bringing constructive dismissal claims. Where terms are imposed on whole teams, this can lead to employees grouping together to bring claims together, which can be very costly indeed for your business.

Becky White, our Senior Data Protection Solicitor, went on to say:

The ICO has a tough stance on unauthorised employee monitoring, and this enforcement notice sends a clear message. No business should presume facial recognition or fingerprint scanning for tracking attendance is permissible without first proving necessity, minimisation, and having an appropriate lawful basis, such as explicit consent. While technology promises efficiency, it doesn't override legal duties towards employees or erase power imbalances between employers and employees. If biometric monitoring itself becomes an intrusive overreach, it undermines staff relations and regulatory compliance.

If, as a business, you are still looking to use biometrics for monitoring purposes should consider this ICO ruling very carefully and should:

• Thoroughly assess if biometric tracking is strictly necessary and proportionate to the specific problem, or if conventional measures could suffice.
• Provide staff ample warning, choice, and alternatives before rollout, including genuine opt-out options.
• Ensure there is an appropriate lawful basis, and if you deem this to be consent, evaluate whether consent is freely given or if power imbalances pressure participation.
• Have a clear data protection plan and policies in place beforehand, not afterwards.

The ICO's crackdown is a warning that biometrics require careful justification, strong safeguards, and employee empowerment to comply with data protection duties. No monitoring method, however advanced, warrants overlooking individuals' fundamental privacy rights.

As an employer, you need to be aware of the data protection and privacy risks of monitoring your employees. Here are some key action points to help you stay compliant. Our experienced data protection solicitors can provide advice on biometric monitoring compliance and all UK GDPR obligations.

If you are looking to keep track of what your staff are doing, our expert employment solicitors can guide you on what monitoring is allowed, in what circumstances and what needs to be in place for it to be legal.

The ICO recently published their biometric data guidance here.