ICO Takes Action – Your Front Page For Information Governance News


Employers have always had a keen interest in monitoring and tracking workers.
In 2017, we addressed this topic in a blog post focusing on the GDPR implications of employee monitoring using GPS trackers and similar devices. Recent advances in surveillance technology, particularly facial recognition, have not only streamlined employee monitoring but have also made it cheaper and, at the same time, more intrusive. A good example is this video of a coffee shop using facial recognition technology (FRT) and AI to monitor employee productivity.

In 2022, the TUC warned that employee surveillance technology and AI risk “spiralling out of control” without stronger regulation to protect workers. It warned that, left unchecked, these technologies could lead to widespread discrimination, work intensification and unfair treatment. Earlier this year the French Data Protection Regulator, CNIL, fined Amazon €32m (£27m) under the GDPR for “excessive” surveillance of its employees. The CNIL said Amazon France Logistique, which manages warehouses, recorded data captured by employees’ handheld scanners. It found Amazon tracked activity so precisely that it led to employees potentially having to justify each break.

Employee surveillance is now primarily regulated in the UK by the UK GDPR.
As with all activities involving the processing of personal data, the surveillance must be fair, lawful and transparent. The Human Rights Act and the Regulation of Investigatory Powers Act may also apply (see our earlier blog post for more detail on these laws).

On 23rd February 2024, the Information Commissioner’s Office (ICO) issued Enforcement Notices to public service provider Serco Leisure, Serco Jersey and seven associated community leisure trusts under the UK GDPR. The notices required the organisations to stop using facial recognition technology (FRT) and fingerprint scanning to monitor employee attendance. The ICO’s investigation found that Serco Leisure and the trusts had been unlawfully processing the biometric data of more than 2,000 employees at 38 leisure facilities for the purpose of attendance checks and subsequent payment for their time.

Serco Leisure will not be appealing against the notices; a wise decision! As readers will know, they had to have a lawful basis for processing employees’ data under Article 6 of the UK GDPR as well as Article 9, as they were processing Special Category Data (Biometric Data). Consent was not an option due to the imbalance of power between employer and employee. In the words of the Commissioner:

“Serco Leisure did not fully consider the risks before introducing biometric technology to monitor staff attendance, prioritising business interests over its employees’ privacy. There is no clear way for staff to opt out of the system, increasing the power imbalance in the workplace and putting people in a position where they feel like they have to hand over their biometric data to work there.”

Serco tried to rely on Article 6(1)(b) and Article 6(1)(f) as lawful bases for processing the employees’ personal data. In relation to Article 6(1)(b) (contractual necessity), it argued that the processing of attendance data was necessary to ensure employees are paid correctly for the time they have worked. The ICO ruled that although recording attendance times may be necessary for Serco to fulfil its obligations under employment contracts, it does not follow that the processing of biometric data is necessary to achieve this purpose, especially when less intrusive means could be used to verify attendance. These included radio-frequency identification cards or fobs, or manual sign-in and sign-out sheets. Serco had failed to demonstrate why these less intrusive methods were not appropriate. They did assert that these methods are open to abuse but did not provide evidence of widespread abuse, nor explain why other methods, such as disciplinary action against employees found to be abusing the system, had not been considered to be appropriate.

Regarding Serco’s reliance on Article 6(1)(f) (legitimate interests), the ICO said that it will not apply if a controller can reasonably achieve the same result in another less intrusive way. As discussed above, Serco had not provided enough information to support its argument that eliminating abuse of the attendance monitoring system is a necessity, rather than simply a further benefit to Serco. The ICO also said:

“In applying the balancing test required to rely on legitimate interests, Serco has failed to give appropriate weight to the intrusive nature of biometric processing or the risks to data subjects.”

In relation to Article 9, the ICO said that Serco had again failed to demonstrate that the processing of biometric data is “necessary” for Serco to process Special Category Data for the purpose of employment attendance checks or to comply with the relevant laws identified by Serco in their submissions.

The Enforcement Notices not only instruct Serco Leisure and the trusts to stop all processing of biometric data for monitoring employees’ attendance at work, but also require them to destroy all biometric data that they are not legally obliged to retain. This must be done within three months of the notices being issued.

This enforcement action coincided with the ICO publishing new guidance for all organisations that are considering using people’s biometric data. The guidance outlines how organisations can comply with data protection law when using biometric data to identify people. Last year, the ICO also published guidance on monitoring employees and called on organisations to consider both their legal obligations and their employees’ rights to privacy before they implement any monitoring.

This is the first time the ICO has taken enforcement action against an employer to stop it processing the biometric data of staff. It should serve as a warning to organisations who use biometric tech simply because it is cheap and easy to use without considering the legal implications.

Our CCTV Workshop will also examine the use of facial recognition technology. We have also just launched our new workshop, Understanding GDPR Accountability and Conducting Data Protection Audits.

