Use of biometric data and monitoring in the employment context
What is biometric data?
Biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a person which allow or confirm their unique identification.
Biometric data in the workplace
The use of biometric data in the employment context is a hot topic, given that the ICO has very recently issued an enforcement notice ordering a leisure centre operator to stop using facial recognition and fingerprint scanning technology to monitor workforce attendance, and it has also published guidance for organisations on how to process biometric data lawfully.
The enforcement notice was issued following an investigation that found that Serco Leisure had been unlawfully processing biometric data of more than 2,000 employees across its facilities by using it to check when they clocked in and out and making their cooperation with the same a requirement for them to get paid. Serco failed to give employees the option to cooperate by way of less intrusive means, such as ID cards or fobs, and therefore the ICO concluded that Serco had failed to show why the biometric technology was necessary or proportionate.
Clear message from the Information Commissioner
The message to employers is clear: the regulator will closely scrutinise organisations and act decisively if it believes employees’ biometric data is being used unlawfully. There may be a crackdown as the UK Information Commissioner has said she is “deeply concerned” that live facial recognition may be used “inappropriately, excessively or even recklessly”. It is crucial that employers do not neglect to carefully consider their data protection obligations when implementing biometric technology to ensure compliance with underlying laws: because biometric data constitutes special category data of employees, its processing must be necessary, justified and proportionate and a condition under Article 9 of the GDPR must also be identified. There are 10 conditions; the most common conditions in the employment context are ‘employment, social security and social protection law’, (the defence of) ‘legal claims’ and ‘reasons of substantial public interest’.
Workplace monitoring under scrutiny
Aside from biometric data, monitoring in the workplace generally is subject to scrutiny. The ICO also issued specific guidance last year for employers on how to monitor workers lawfully, transparently and fairly. In summary, an employer can monitor its staff so long as it is justified and there is a lawful basis – but careful consideration should be given to employees’ rights to privacy and transparency is crucial. Employers sometimes think that an employees’ general consent to monitoring given by way of their employment contract will suffice, but it is not a get out of jail free card. Employees should be aware of what is being monitored and the reasons for the same so that they can give informed consent.
The use of CCTV and monitoring of instant-messenger communications are particularly prevalent by employers in the current climate: this can be helpful, for instance in the context of disciplinary investigations for evidence purposes, but employers must be careful to ensure the right balance is struck so that employees’ data is not processed for insidious means. All too often employers steam ahead without forethought for the potential ICO and GDPR implications; employers must remember to establish that the monitoring is justified and ensure that employees know they are being monitored, whether that be by way of being filmed, tracked, or having their communications observed, and why.
Conclusion
There is a very delicate balance to strike in order for an organisation to monitor its employees for genuinely legitimate business purposes whilst respecting individual rights. If you would like assistance navigating the thorny landscape of employee surveillance whilst minimising legal risks, please contact us. We are able to draft policies that strike the right balance as well as provide training and audit services.