A Word of Warning on the use of Facial Recognition Technology

15 March, 2024

Bethany Paliga
Senior Associate

The use of facial recognition technology is back in the news following an announcement from the Information Commissioner's Office (ICO) that it has ordered Serco to stop using a staff clocking-in system which used facial recognition technology. The technology was used to monitor the attendance of staff as well as being used as a "clocking in and out" system for payment of their time. The ICO launched an investigation into Serco Leisure's use of this clocking in system and found that the organisations had been unlawfully processing biometric data of over 2,000 staff members.

A copy of the Enforcement Notice can be found here.

Background

Serco Leisure is one of the UK's leading national operators of leisure centres. According to the ICO, facial recognition technology was in use in all 38 facilities operated by Serco. An investigation was launched after an ICO employee noticed the technology was in place.

To justify the use of facial recognition technology, Serco explained that ID cards were being used inappropriately by employees, and that cards were shared and kept in communal areas, but it was unable to provide substantive evidence of this being the case. The ICO investigation found that the processing of biometric data cannot be considered imperative when there were less intrusive methods to verify the attendance of staff (e.g. swipe cards). Further, in the event that staff had in fact been "abusing the system", Serco failed to demonstrate that it had considered other appropriate solutions, such as disciplinary action against its employees. Therefore, the ICO concluded that the processing of biometric data in such circumstances could/would cause distress to the individuals using the clocking in system.

One of the key issues in this enforcement notice was the lawful basis Serco had used to process the biometric data of staff. Serco confirmed to the ICO that it had relied on the following lawful bases for the processing of biometric data:

  • Article 6(1)(f) of the UK GDPR (legitimate interests);
  • Article 9(2)(b) of the UK GDPR (employment, social security and social protection).

This was on the basis that Serco needs to process attendance data to comply with various legal regulations, such as working time regulations, national living wage, right to work rules and tax/accounting regulations. The ICO concluded that although recording attendance times may be necessary for Serco to fulfil its legal obligations, it does not follow that the processing of biometric data is necessary to achieve this purpose. The ICO is of the view that the processing of biometric data cannot be considered "necessary" when less intrusive means, such as ID cards/fobs or manual sign-in forms, can be used to verify attendance. Serco failed to demonstrate why these less intrusive methods were not appropriate.

The ICO issued an Enforcement Notice to Serco to stop using the clocking in system and to delete all data it is not legally obliged to hold.

Use of Facial Recognition Technology by Education Authorities

It has previously been reported in the press that a number of schools have looked to implement facial recognition technology in order to operate cashless school dinners. In light of the recent action taken against Serco, we are reminding our education clients not to rush into purchasing facial recognition technology.

The ICO has previously published a case study where an education authority is considering implementing facial recognition technology in order to facilitate cashless catering. It warns that education authorities cannot rely on Article 6(1)(e) (public task) UK GDPR unless they can demonstrate that the use of facial recognition technology is "necessary", and that it is unlikely that the use of facial recognition technology can be considered necessary for the purposes of providing school lunches. Therefore, the alternative would be to use consent as your lawful basis for processing biometric data (Article 6(1)(a) UK GDPR). Any consent given would need to be specific, informed and unambiguous in order to be valid, and the education authority would need to provide a genuine alternative to the technology (e.g. swipe cards or cash) which does not place the pupil at any detriment.

Education authorities in England and Wales will also be subject to the Protection of Freedoms Act 2012 which provides rules requiring parental consent for the use of biometrics in schools.

The use of biometrics in schools also generates a lot of public scrutiny, and therefore education authorities must be prepared to justify their decision if this is something that they wish to pursue.

If education authorities are considering introducing biometric technology they will need to conduct a Data Protection Impact Assessment in order to assess the risks and ensure compliance with all of the data protection principles. However, in light of the action taken against Serco our education clients need to think very carefully before purchasing any system which uses facial recognition technology.

For more information contact Bethany Paliga in our Education department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.
