Options for biometrics at work
Posted: Sun Dec 22, 2024 6:19 am
The risks and benefits of biometrics need to be discussed and understood. The UK ICO ’s decision to ban Serco from using biometrics in the workplace signals a pivotal moment for employee privacy and the regulation of sensitive data. Find out more about how this prompts action here.
The case
On 23 February 2024, the Information Commissioner's Office (ICO), the UK's data protection authority, ordered Serco Leisure Operating Limited (Serco), a company that operates leisure facilities, to stop using facial recognition and fingerprint scanning technology to monitor employee attendance and calculate their wage payments.
Serco began using the technology in 2017 across 38 of its leisure facilities. The company philippines code number said it had adopted the method because previous systems were so easy to manipulate, which had led to abuse by some staff. However, the ICO ruled that the company did not have a proper legal basis for using biometric data. The company was accused of breaching several UK data protection rules. The company was ordered to immediately stop using biometric data and destroy all information it had collected.
The ICO (an understanding that is gaining ground in Europe and is likely to spread here) has emphasized that the use of biometric data is only justifiable if there are no less intrusive alternatives available. In addition, employee privacy must be considered, and they must be clearly informed about their options and rights.
Although the ICO has not prohibited it, employers should be aware that biometric data is sensitive data and should only be processed as an exception. The decision therefore shows us that the use of biometrics in the workplace is the exception rather than the rule.
And in Brazil?
We always recommend that companies wishing to use this technology create appropriate procedures, including identifying an appropriate legal basis, as this data is sensitive (article 11 of the LGPD) – and observing the necessity and reasonableness of the processing (articles 9 and 11 of the LGPD). Whenever possible, employees should also be provided with alternative options if they object to the use of their biometric data . Therefore, implementing the mechanism before a reasonable study of the issue is assuming the risk of inadequate processing.
The case
On 23 February 2024, the Information Commissioner's Office (ICO), the UK's data protection authority, ordered Serco Leisure Operating Limited (Serco), a company that operates leisure facilities, to stop using facial recognition and fingerprint scanning technology to monitor employee attendance and calculate their wage payments.
Serco began using the technology in 2017 across 38 of its leisure facilities. The company philippines code number said it had adopted the method because previous systems were so easy to manipulate, which had led to abuse by some staff. However, the ICO ruled that the company did not have a proper legal basis for using biometric data. The company was accused of breaching several UK data protection rules. The company was ordered to immediately stop using biometric data and destroy all information it had collected.
The ICO (an understanding that is gaining ground in Europe and is likely to spread here) has emphasized that the use of biometric data is only justifiable if there are no less intrusive alternatives available. In addition, employee privacy must be considered, and they must be clearly informed about their options and rights.
Although the ICO has not prohibited it, employers should be aware that biometric data is sensitive data and should only be processed as an exception. The decision therefore shows us that the use of biometrics in the workplace is the exception rather than the rule.
And in Brazil?
We always recommend that companies wishing to use this technology create appropriate procedures, including identifying an appropriate legal basis, as this data is sensitive (article 11 of the LGPD) – and observing the necessity and reasonableness of the processing (articles 9 and 11 of the LGPD). Whenever possible, employees should also be provided with alternative options if they object to the use of their biometric data . Therefore, implementing the mechanism before a reasonable study of the issue is assuming the risk of inadequate processing.