A Word of Warning on the use of Facial Recognition Technology

Bethany Paliga

Published: March 15th, 2024

The use of facial recognition technology is back in the news following an announcement from the Information Commissioner's Office (ICO) that it has ordered Serco to stop using a staff clocking-in system which used facial recognition technology. The technology was used to monitor the attendance of staff as well as being used as a "clocking in and out" system for payment of their time. The ICO launched an investigation into Serco Leisure's use of this clocking in system and found that the organisations had been unlawfully processing biometric data of over 2,000 staff members.

A copy of the Enforcement Notice can be found here.

Background

Serco Leisure is one of the UK's leading national operators of leisure centres. According to the ICO, facial recognition technology was in use in all 38 facilities operated by Serco. An investigation was launched after an ICO employee noticed the technology was in place.

To justify the use of facial recognition technology, Serco explained that ID cards were being used inappropriately by employees, with cards being shared and kept in communal areas, but it was unable to provide substantive evidence of this being the case. The ICO investigation found that the processing of biometric data cannot be considered imperative when there were less intrusive methods to verify the attendance of staff (e.g. swipe cards). Further, in the event that staff had in fact been "abusing the system", Serco failed to demonstrate other appropriate solutions such as disciplinary action against its employees. The ICO therefore concluded that the processing of biometric data in such circumstances could/would cause distress to the individuals using the clocking in system.

One of the key issues in this enforcement notice was the lawful basis Serco had used to process the biometric data of staff. Serco confirmed to the ICO that it had relied on the following lawful bases for the processing of biometric data:

  • Article 6(1)(f) of the UK GDPR (legitimate interests);

  • Article 9(2)(b) of the UK GDPR (employment, social security and social protection).

This was on the basis that Serco needs to process attendance data to comply with various legal regulations, such as working time regulations, national living wage, right to work rules and tax/accounting regulations. The ICO concluded that although recording attendance times may be necessary for Serco to fulfil its legal obligations, it does not follow that the processing of biometric data is necessary to achieve this purpose. The ICO is of the view that the processing of biometric data cannot be considered "necessary" when less intrusive means can be used to verify attendance such as ID cards/fob or manual sign-in forms. Serco failed to demonstrate why these less intrusive methods were not appropriate.

The ICO issued an Enforcement Notice to Serco to stop using the clocking in system and to delete all data they are not legally obliged to hold.

Use of Facial Recognition Technology by Education Authorities

It has previously been reported in the press that a number of schools have looked to implement facial recognition technology in order to operate cashless school dinners. In light of the recent action taken against Serco, we are reminding our education clients not to rush into purchasing facial recognition technology.

The ICO has previously published a case study in which an education authority is considering implementing facial recognition technology in order to facilitate cashless catering. It warns that education authorities cannot rely on Article 6(1)(e) (public task) UK GDPR unless they can demonstrate that the use of facial recognition technology is "necessary", and it is therefore unlikely that the use of facial recognition technology can be considered necessary for the purposes of providing school lunches. The alternative would therefore be to use consent as the lawful basis for processing biometric data (Article 6(1)(a) UK GDPR). Any consent given would need to be specific, informed and unambiguous in order to be valid, and the education authority would need to provide a genuine alternative to the technology (e.g. swipe cards or cash) which does not place the pupil at any detriment.

Education authorities in England and Wales will also be subject to the Protection of Freedoms Act 2012 which provides rules requiring parental consent for the use of biometrics in schools.

The use of biometrics in schools also generates a lot of public scrutiny, and education authorities must therefore be prepared to justify their decision if this is something that they wish to pursue.

If education authorities are considering introducing biometric technology they will need to conduct a Data Protection Impact Assessment in order to assess the risks and ensure compliance with all of the data protection principles. However, in light of the action taken against Serco our education clients need to think very carefully before purchasing any system which uses facial recognition technology.


For further information please contact Bethany Paliga


© 2024 Forbes Solicitors is the trading name of Forbes Solicitors LLP Offices in Preston, Manchester, Salford, Blackburn, Blackpool, London and Leeds UK Main Office: Rutherford House, 4 Wellington Street (St Johns), Blackburn, Lancashire, BB1 8DD • Vat No: 174 394 344 Forbes Solicitors is authorised and regulated by the Solicitors Regulation Authority (SRA No. 816356). Details of the SRA’s Standards and Regulations can be found here.