Biometric Data in the Workplace


15 December, 2019

Daniel Milnes
Partner, Head of Governance, Procurement & Information

As technology advances, organisations are becoming ever more reliant on the efficiencies it brings. Biometric technology is a case in point: it has the potential to change the way workplaces function. There is no doubt that biometric data can significantly benefit those who choose to use it, but it also exposes them to data protection challenges that need to be considered from the outset.

We are often asked to advise organisations after they have already implemented a new biometric system (e.g. fingerprint scanners as a clocking-in device) and an employee has complained about being required to use it. Data protection compliance needs to be considered at the outset of any discussion about implementing such a system, not after deployment, to ensure your organisation complies with the GDPR.

What is biometric data and can it be used?

Biometric data is defined in Article 4(14) of the GDPR and "means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data." Dactyloscopic data means fingerprint data; retina and iris scans, voiceprints and facial recognition templates fall within the definition in the same way. Note that the definition turns on "specific technical processing": a photograph of an employee is ordinary personal data, but the template derived from it by a facial recognition system is biometric data.

Biometric data processed for the purpose of uniquely identifying a natural person is a special category of personal data under Article 9 of the GDPR, so your organisation will need a lawful basis under Article 6 and, in addition, a condition for processing under Article 9. In the case of workplace monitoring systems using biometric data, the Article 9 condition most likely to be available is explicit consent. However, because of the imbalance of power in the employer/employee relationship, guidance repeatedly warns employers to exercise caution when relying wholly on consent, since consent that cannot be freely refused is not valid consent at all. Wherever another lawful basis or Article 9 condition genuinely applies, it should be preferred. Where consent is relied on, employers need to ensure that employees are fully aware of what they are consenting to, and leave the ICO no reason to question either the employer's compliance with the GDPR or whether it is using its position to the employee's detriment. Employees must have a genuine ability to say 'no' to the processing, which means an alternative must be provided (e.g. if using a fingerprint recognition clocking-in system, you would have to offer another way of signing in, such as an ID card) and refusing must carry no penalty.

Recent enforcement action

In May 2019, the ICO issued an enforcement notice against HMRC following its introduction in 2017 of a voice authentication system (Voice ID) in which callers to its helplines were asked to record a phrase that would then serve as their password. A complaint was made to the ICO because callers were not informed that they did not have to sign up and were not told where to find further information. The enforcement notice confirms that the contravention of the GDPR was that HMRC "has and continues to process personal data by collecting, retaining and using biometric data through its Voice ID service, without having a lawful basis for doing so under Articles 6 and 9."

The enforcement notice goes on to explain that one of the reasons for concluding that HMRC had committed a serious contravention of the GDPR was that "there was a significant imbalance of power between it (HMRC) and its customers." The parallel with the employment relationship is obvious.

Current position

The ICO has recently published a blog post stating that it is developing guidance on biometric data. In the meantime it has listed the key considerations for organisations contemplating the introduction of technology that uses biometric data. They are as follows:

  • Complete a Data Protection Impact Assessment (DPIA). A DPIA is required where the processing is likely to result in a high risk to the rights and freedoms of natural persons (Article 35(1) GDPR), and large-scale processing of special category data is one of the situations the GDPR expressly flags as likely high risk.
  • Ensure that any risks identified by the DPIA are fully considered before deciding to go ahead with the processing. You will need to demonstrate that you considered these risks if you are ever challenged, so document every decision taken and the reasons for it.
  • Remain accountable. Similar to point 2, you must be able to demonstrate compliance by putting in place "appropriate technical and organisational measures", such as secure storage of biometric templates, restricted access and a defined retention period.
  • If relying on consent as the legal basis for processing the data, ensure that you have explicit, documented consent. In the workplace context this means the employee must give consent expressly confirmed in words, it must be separate from the employment contract, and the employee must be able to withdraw it without suffering any detriment.


There is no denying that biometric data has the potential to significantly benefit organisations that can use the technology effectively. However, those benefits need to be balanced against the inherent risks and the serious consequences that accompany them. Provided that you can demonstrate your commitment to protecting biometric data and complying with all relevant legislation, adoption is something to give serious consideration to. We eagerly await the ICO guidance on this subject.

For more information contact Daniel Milnes in our Governance, Procurement & Information department via email or phone on 01254 222313. Alternatively send any question through to Forbes Solicitors via our online Contact Form.
