Author: Eleanore Beard
7 min read
Technology, Media & Telecoms, Regulatory & Professional Conduct, Retail, Employment, Data Protection

The ICO’s reprimand to Serco Leisure for its use of biometric data highlights the importance of compliance with data protection regulations and the need for transparency in handling sensitive information. This decision serves as a reminder to companies and organisations that they must adhere to strict guidelines and regulations when implementing biometric technology.
Here, data protection specialist Eleanore Beard outlines the ten key steps that any organisation should follow when using biometrics.
From security and law enforcement to healthcare and finance, biometrics — the measurement and statistical analysis of people's unique physical and behavioural characteristics — have become increasingly prevalent. However, the use of biometric data raises concerns about privacy and data protection — especially when it comes to sensitive information such as fingerprints, facial scans and iris patterns.
Due to the sensitivity of biometric data, it’s considered to be special category data. This means that extra protections are needed to use and process it.
Following the publication of the ICO (Information Commissioner's Office) investigation and decision regarding the use of biometric data by Serco Leisure, there have been many concerns from businesses that currently use biometrics — sparking discussions around privacy, data protection and ethics.
As a result of the ICO’s findings, Serco Leisure was required to cease its use of facial recognition technology and implement measures to ensure compliance with data protection legislation.
A large public service provider, Serco is involved in sectors such as healthcare, immigration and leisure services. It operates leisure facilities under the name Serco Leisure on behalf of community leisure trusts, local authorities and Sport England.
Serco Leisure used facial recognition and fingerprint biometric data for the purposes of monitoring employee attendance, including to clock in and out of work.
However, the ICO found that in monitoring its employees in this way, Serco Leisure had been in breach of:
In light of its findings, the ICO issued an enforcement notice to order Serco Leisure and the community leisure trust to stop using facial recognition technology and fingerprint scanning to monitor workers’ attendance.
The ICO had concerns that employees were given no alternative to the use of biometrics. As the relationship between employer and employee is unbalanced, employees could feel like there’s no choice but to consent — and therefore the consent couldn’t be considered ‘freely given’. When collecting employees’ biometric data, it’s important that an alternative mechanism is provided.
Although Serco Leisure stated to the ICO that alternative mechanisms for employees to log their attendance would be available, this information wasn’t clearly brought to employees’ attention — even when an employee had complained. Further, the ICO found that Serco Leisure’s ‘Standard Operating Procedure’ indicated that employees were “expected” to use biometric technology, its use was a requirement and employees could be subject to disciplinary action if they refused.
The ICO also provided a reminder that the ‘legitimate interest’ legal basis won’t apply if the controller can reasonably achieve the same result in another less intrusive manner — especially when implementing biometric solutions. Serco Leisure had failed to give enough weight to the intrusive nature of biometric processing or risks to the individual. It was also found to have failed to process the biometric data in a fair manner and couldn’t produce an appropriate policy document as required.
While biometric tools offer convenience and enhanced security in many applications, they also pose risks — both to businesses using the tools and individual data subjects — if those tools aren’t correctly implemented.
If you’re looking to implement a biometric solution in your business, follow these ten key steps to stay on the right side of data protection legislation.
1. Before implementing the collection of biometric data, always carry out a DPIA (Data Protection Impact Assessment) to assess your processing. You can use the DPIA to justify your use of personal data and ensure that the collection and processing is “fair and proportionate”, as well as in line with all the principles set out in the data protection legislation. The DPIA will also ensure that you’ve undertaken the purpose, necessity and balancing tests and could even be used to seek the views of employees.
Conducting a DPIA alongside relevant stakeholders like your data protection officers and legal advisers will enable you to identify measures to mitigate any risks.
2. Identify a lawful basis for processing biometric data under both Article 6 and Article 9. This could include obtaining consent from individuals, fulfilling a legal obligation or necessity for the performance of a contract. If using consent, you must ensure that it’s freely given, with people having the ability to opt out. You should also be able to offer an alternative (less intrusive) mechanism.
3. Inform individuals about the purpose of collecting biometric data, how it will be used and their rights regarding its processing. Provide clear and easily understandable explanations in privacy notices or consent forms. Where you’re collecting special category data, ensure that an appropriate policy document is in place.
4. Collect only the biometric data necessary for the intended purpose. Avoid collecting excessive or irrelevant biometric information.
5. Implement robust security measures to protect biometric data from unauthorised access, disclosure or alteration. This may include encryption, access controls and regular security assessments to identify and address vulnerabilities.
6. Ensure the accuracy of biometric data and establish procedures for updating or rectifying inaccuracies. Implement measures to verify the quality of biometric data at the point of collection and periodically throughout its lifecycle.
7. Define retention periods for biometric data based on the purposes for which it was collected. Regularly review and securely delete or anonymise biometric data once it’s no longer necessary or if individuals withdraw their consent.
8. Respect individuals’ rights regarding their biometric data. Allow individuals to access their data, request corrections or erasure and object to its processing in certain circumstances. Establish processes for handling such requests promptly and transparently.
9. If engaging third-party processors to handle biometric data, ensure that they adhere to data protection legislation and provide adequate safeguards. Implement contractual agreements and due diligence processes to monitor compliance.
10. Continuously monitor and review compliance with data protection legislation related to biometric data processing. Conduct regular audits to assess the effectiveness of security measures, data handling practices and adherence to individuals’ rights.
If you or your organisation have any queries on how to establish a compliant process for collecting and processing biometrics, our data protection lawyers can help.
We’re experienced in helping clients to manage the risks of collecting and using biometric data, including helping you to complete a Data Protection Impact Assessment and comply with transparency requirements (including the appropriate policy document).
To discuss this or your current compliance with the data protection legislation, talk to us by completing our contact form below.
Eleanore Beard
Eleanore is a Legal Director and Data Protection Practitioner in our commercial team.