The ICO Continues to Clamp Down on the Use of Biometric Recognition Technology
On 23 February 2024, the UK’s data protection regulator, the Information Commissioner’s Office (ICO) issued Enforcement Notices (the Notices) to Serco Leisure Operating Limited, Serco Jersey Limited (together, Serco) and seven associated community leisure trusts. The Notices ordered Serco and the trusts to stop using facial recognition technology and fingerprint scanning to monitor employee attendance. On the same day, the ICO published new guidance on the use of Biometric Recognition Systems. As the use of biometric technology increases, organisations should be mindful not to fall foul of UK and European data protection legislation.
The Serco Enforcement Notices
Serco operates leisure facilities on behalf of community leisure trusts and local authorities across the UK and Jersey. Since May 2017, Serco has been using facial recognition technology and fingerprint scanning technology for the purpose of employment attendance checks and subsequent payment for employees’ timed work. From its introduction, Serco has processed the biometric data of more than 2,000 employees at 38 leisure facilities across the UK and Jersey. Serco began using biometric technology as it considered that previous systems (which included manual sign-in sheets and radio-frequency ID cards (RFID cards)[1] ) were prone to human error and abuse by employees (via buddy punching and falsified timecards).
Contraventions
The ICO commenced its investigation into Serco and the trusts at the end of December 2019, after an employee of the ICO observed facial recognition technology being used at a facility managed by Serco. On 23 February 2024, the ICO found Serco and the trusts to be in breach of Articles 5(1)(a), 6 and 9 of the UK GDPR, as they had failed to establish a lawful basis and special category personal data[2] processing condition for the processing of biometric data.
Article 5(1)(a) of the UK GDPR enshrines the principle that personal data shall be processed lawfully, fairly, and in a transparent manner. Article 6 sets out six ‘lawful bases’ on which organisations can rely to process personal data lawfully. Where special category data is concerned, Article 9 provides for ten possible conditions on which organisations must further rely to lawfully process such data.
Lawful Basis for Processing – Article 6
As to the lawful bases for processing biometric data, Serco and the trusts purported to rely on contractual necessity and legitimate interests (Articles 6(1)(b) and 6(1)(f) of the UK GDPR). Whilst the ICO agreed that recording employee attendance times was necessary for Serco to fulfil its contractual obligation to pay employees, it did not consider that the processing of biometric data was necessary to achieve this purpose. Less intrusive means could be used to verify attendance such as RFID cards/fobs or manual timesheets, which Serco had failed to demonstrate were not appropriate. Despite Serco’s assertions that such alternative methods were open to abuse, the ICO noted that Serco had been unable to provide evidence of widespread abuse, nor explain why other methods, such as disciplinary action against employees found to be abusing the system, were not appropriate. The ICO was similarly not persuaded by Serco’s legitimate interest arguments, concluding that the processing of biometric data was not necessary to fulfil Serco’s legitimate interest of ensuring it paid its employees the correct salary for the time they worked. In particular, the ICO noted that legitimate interests will not apply if the same result can be reasonably achieved in another less intrusive way.
Special Category Personal Data Processing Condition – Article 9
Serco and the trusts had further sought to rely on Article 9(2)(b) as their processing condition for special category data, i.e., that the processing was necessary to carry out employment law obligations/exercise employment law rights. The ICO noted that Serco and the trusts had initially failed (both when they began processing data using biometric technology and during the ICO’s investigation) to identify the specific legal obligations/rights relied upon, only later relying on the Working Time Regulations 1998 and the Employment Rights Act 1996. The ICO commented that the Article 9(2)(b) condition does not cover processing to meet purely contractual employment rights or obligations and further noted that Serco and the trusts had failed to demonstrate the necessity of processing biometric data for the purpose of employee attendance checks or to comply with the laws identified. Serco was further criticised for not having in place an appropriate policy document as required by the UK Data Protection Act 2018.[3]
Lawful, Fair, and Transparent Processing – Article 5
Considering the above, the ICO concluded that Serco and the trusts had unlawfully processed biometric data in contravention of Article 5(1)(a) of the UK GDPR. Further, Serco and the trusts had failed to process personal data fairly. The ICO commented that the processing of biometric data is highly intrusive and has the potential to cause distress to data subjects. Alternative mechanisms for logging attendance had not been sufficiently brought to Serco employees’ attention; rather, employees were “expected” to use biometric technology and could be subject to disciplinary action if they refused. The ICO further concluded that, due to the imbalance of power between Serco and its employees, it was unlikely that employees would feel able to object to such processing in any event.
Terms of the Notices
As a result of the Notices, within three months, Serco and the trusts must cease processing biometric data for the purpose of employment attendance checks and must destroy all biometric data that they are not legally obliged to retain.
Commenting on the Notices, John Edwards, the UK information commissioner, stated, “This action serves to put industry on notice that biometric technologies cannot be deployed lightly. We will intervene and demand accountability, and evidence that they are proportional to the problem organisations are seeking to solve.” [4]
The ICO’s New Guidance on the Use of Biometric Recognition Systems
The Notices were issued on the same day that the ICO published new guidance on the use of biometric recognition systems. The ICO’s guidance explains how data protection law applies to the use of such systems and covers, amongst other things:
-
- How to process biometric data lawfully and fairly.
- How the accuracy principle applies to biometric data.
- How to ensure the processing of biometric data is transparent.
- How to deal with data subject rights requests for biometric data.
- How to keep biometric data secure.
As to how organisations can process biometric data lawfully, the guidance notes that explicit consent is likely to be the most appropriate condition available. The ICO does appreciate, however, that consent can be difficult to obtain in an employer-employee context as employees may feel they have no choice but to agree.[5] The ICO comments that this does not mean that employers can never rely on consent, but that they need to carefully consider the specific scenario in order to ensure they can offer a genuine choice without detriment. In order to rely on any lawful basis other than consent, organisations must be able to demonstrate that processing biometric data is “necessary” to achieve their overall purposes. Whilst necessity does not mean that the processing of the data much be absolutely essential, it does need to be more than just useful or desirable.
In connection with the fairness principle, the guidance states that whether biometric recognition systems are effective depends on their statistical accuracy. If organisations do not address the risk of inaccuracy, they may contravene the fairness principle and other equalities legislation. The guidance notes, for example, that biometric recognition systems should be tested for bias and, if detected, such bias should be mitigated.
As with all personal data, the guidance provides that organisations must implement appropriate security measures when using biometric data. Given the sensitive nature of biometric data, and the risks associated with unauthorised access by nefarious actors, “appropriate” is a higher bar than for personal data more generally. The guidance states that organisations must encrypt any biometric data they use and should consider the use of privacy enhancing technologies (PETs).
Commenting on the guidance, John Edwards said, “Our latest guidance is clear that organisations must mitigate any potential risks that come with using biometric data, such as errors identifying people accurately and bias if a system detects some physical characteristics better than others.”[6]
Lessons
With the use of biometric technology becoming increasingly common, organisations must ensure they do not fall foul of UK and European data protection legislation. Some of the key lessons that organisations can take from the Serco Notices and the ICO’s new guidance include:
- When not relying on consent as the lawful basis for processing biometric data, it is crucial to consider whether the processing is “necessary”. Organisations must ensure that they have considered whether other less intrusive means could be used and must clearly document and evidence why such alternative means are not appropriate.
- When relying on consent or legitimate interests as the lawful basis for processing biometric data, organisations must offer alternative options to those that decline to provide consent/object to the processing of such data.
- When relying on Article 9(2)(b) as the special category condition to process biometric data for employment purposes, prior to processing such data, organisations must clearly identify the laws that contain the right/obligation requiring such processing.
-
Connected with the above, robust data protection impact assessments[7] must be completed prior to the processing of biometric data via biometric recognition systems.
-
Where biometric data is being processed in an employment context, such as for employee monitoring, organisations must ensure they have appropriate policy documents in place.
-
Organisations that are processing biometric data must have more robust security measures in place.
The Serco Enforcement Notices
Serco operates leisure facilities on behalf of community leisure trusts and local authorities across the UK and Jersey. Since May 2017, Serco has been using facial recognition technology and fingerprint scanning technology for the purpose of employment attendance checks and subsequent payment for employees’ timed work. From its introduction, Serco has processed the biometric data of more than 2,000 employees at 38 leisure facilities across the UK and Jersey. Serco began using biometric technology as it considered that previous systems (which included manual sign-in sheets and radio-frequency ID cards (RFID cards)[1] ) were prone to human error and abuse by employees (via buddy punching and falsified timecards).
Contraventions
The ICO commenced its investigation into Serco and the trusts at the end of December 2019, after an employee of the ICO observed facial recognition technology being used at a facility managed by Serco. On 23 February 2024, the ICO found Serco and the trusts to be in breach of Articles 5(1)(a), 6 and 9 of the UK GDPR, as they had failed to establish a lawful basis and special category personal data[2] processing condition for the processing of biometric data.
Article 5(1)(a) of the UK GDPR enshrines the principle that personal data shall be processed lawfully, fairly, and in a transparent manner. Article 6 sets out six ‘lawful bases’ on which organisations can rely to process personal data lawfully. Where special category data is concerned, Article 9 provides for ten possible conditions on which organisations must further rely to lawfully process such data.
Lawful Basis for Processing – Article 6
As to the lawful bases for processing biometric data, Serco and the trusts purported to rely on contractual necessity and legitimate interests (Articles 6(1)(b) and 6(1)(f) of the UK GDPR). Whilst the ICO agreed that recording employee attendance times was necessary for Serco to fulfil its contractual obligation to pay employees, it did not consider that the processing of biometric data was necessary to achieve this purpose. Less intrusive means could be used to verify attendance such as RFID cards/fobs or manual timesheets, which Serco had failed to demonstrate were not appropriate. Despite Serco’s assertions that such alternative methods were open to abuse, the ICO noted that Serco had been unable to provide evidence of widespread abuse, nor explain why other methods, such as disciplinary action against employees found to be abusing the system, were not appropriate. The ICO was similarly not persuaded by Serco’s legitimate interest arguments, concluding that the processing of biometric data was not necessary to fulfil Serco’s legitimate interest of ensuring it paid its employees the correct salary for the time they worked. In particular, the ICO noted that legitimate interests will not apply if the same result can be reasonably achieved in another less intrusive way.
Special Category Personal Data Processing Condition – Article 9
Serco and the trusts had further sought to rely on Article 9(2)(b) as their processing condition for special category data, i.e., that the processing was necessary to carry out employment law obligations/exercise employment law rights. The ICO noted that Serco and the trusts had initially failed (both when they began processing data using biometric technology and during the ICO’s investigation) to identify the specific legal obligations/rights relied upon, only later relying on the Working Time Regulations 1998 and the Employment Rights Act 1996. The ICO commented that the Article 9(2)(b) condition does not cover processing to meet purely contractual employment rights or obligations and further noted that Serco and the trusts had failed to demonstrate the necessity of processing biometric data for the purpose of employee attendance checks or to comply with the laws identified. Serco was further criticised for not having in place an appropriate policy document as required by the UK Data Protection Act 2018.[3]
Lawful, Fair, and Transparent Processing – Article 5
Considering the above, the ICO concluded that Serco and the trusts had unlawfully processed biometric data in contravention of Article 5(1)(a) of the UK GDPR. Further, Serco and the trusts had failed to process personal data fairly. The ICO commented that the processing of biometric data is highly intrusive and has the potential to cause distress to data subjects. Alternative mechanisms for logging attendance had not been sufficiently brought to Serco employees’ attention; rather, employees were “expected” to use biometric technology and could be subject to disciplinary action if they refused. The ICO further concluded that, due to the imbalance of power between Serco and its employees, it was unlikely that employees would feel able to object to such processing in any event.
Terms of the Notices
As a result of the Notices, within three months, Serco and the trusts must cease processing biometric data for the purpose of employment attendance checks and must destroy all biometric data that they are not legally obliged to retain.
Commenting on the Notices, John Edwards, the UK information commissioner, stated, “This action serves to put industry on notice that biometric technologies cannot be deployed lightly. We will intervene and demand accountability, and evidence that they are proportional to the problem organisations are seeking to solve.” [4]
The ICO’s New Guidance on the Use of Biometric Recognition Systems
The Notices were issued on the same day that the ICO published new guidance on the use of biometric recognition systems. The ICO’s guidance explains how data protection law applies to the use of such systems and covers, amongst other things:
-
- How to process biometric data lawfully and fairly.
- How the accuracy principle applies to biometric data.
- How to ensure the processing of biometric data is transparent.
- How to deal with data subject rights requests for biometric data.
- How to keep biometric data secure.
As to how organisations can process biometric data lawfully, the guidance notes that explicit consent is likely to be the most appropriate condition available. The ICO does appreciate, however, that consent can be difficult to obtain in an employer-employee context as employees may feel they have no choice but to agree.[5] The ICO comments that this does not mean that employers can never rely on consent, but that they need to carefully consider the specific scenario in order to ensure they can offer a genuine choice without detriment. In order to rely on any lawful basis other than consent, organisations must be able to demonstrate that processing biometric data is “necessary” to achieve their overall purposes. Whilst necessity does not mean that the processing of the data much be absolutely essential, it does need to be more than just useful or desirable.
In connection with the fairness principle, the guidance states that whether biometric recognition systems are effective depends on their statistical accuracy. If organisations do not address the risk of inaccuracy, they may contravene the fairness principle and other equalities legislation. The guidance notes, for example, that biometric recognition systems should be tested for bias and, if detected, such bias should be mitigated.
As with all personal data, the guidance provides that organisations must implement appropriate security measures when using biometric data. Given the sensitive nature of biometric data, and the risks associated with unauthorised access by nefarious actors, “appropriate” is a higher bar than for personal data more generally. The guidance states that organisations must encrypt any biometric data they use and should consider the use of privacy enhancing technologies (PETs).
Commenting on the guidance, John Edwards said, “Our latest guidance is clear that organisations must mitigate any potential risks that come with using biometric data, such as errors identifying people accurately and bias if a system detects some physical characteristics better than others.”[6]
Lessons
With the use of biometric technology becoming increasingly common, organisations must ensure they do not fall foul of UK and European data protection legislation. Some of the key lessons that organisations can take from the Serco Notices and the ICO’s new guidance include:
- When not relying on consent as the lawful basis for processing biometric data, it is crucial to consider whether the processing is “necessary”. Organisations must ensure that they have considered whether other less intrusive means could be used and must clearly document and evidence why such alternative means are not appropriate.
- When relying on consent or legitimate interests as the lawful basis for processing biometric data, organisations must offer alternative options to those that decline to provide consent/object to the processing of such data.
- When relying on Article 9(2)(b) as the special category condition to process biometric data for employment purposes, prior to processing such data, organisations must clearly identify the laws that contain the right/obligation requiring such processing.
-
Connected with the above, robust data protection impact assessments[7] must be completed prior to the processing of biometric data via biometric recognition systems.
-
Where biometric data is being processed in an employment context, such as for employee monitoring, organisations must ensure they have appropriate policy documents in place.
-
Organisations that are processing biometric data must have more robust security measures in place.
[1] Physical access cards that use radio frequency to grant access to a particular area or individual.
[2] Under Article 9(1) of the UK GDPR, biometric data is classified as “special category personal data” requiring additional safeguards for it to be lawfully processed.
[3] Schedule 1, Part 1, paragraph 1(1)(b), which relates to the processing of special category personal data in an employment context.
[5] In order to be valid, the UK GDPR requires that consent be “freely given” (Article 4(11)).
[7] An assessment of the impact that the proposed processing operation will have on the protection of personal data.
Footnotes
[1] Physical access cards that use radio frequency to grant access to a particular area or individual.
[2] Under Article 9(1) of the UK GDPR, biometric data is classified as “special category personal data” requiring additional safeguards for it to be lawfully processed.
[3] Schedule 1, Part 1, paragraph 1(1)(b), which relates to the processing of special category personal data in an employment context.
[5] In order to be valid, the UK GDPR requires that consent be “freely given” (Article 4(11)).
[7] An assessment of the impact that the proposed processing operation will have on the protection of personal data.
Related Attorneys
Related Capabilities
© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.
On 23 February 2024, the UK’s data protection regulator, the Information Commissioner’s Office (ICO) issued Enforcement Notices (the Notices) to Serco Leisure Operating Limited, Serco Jersey Limited (together, Serco) and seven associated community leisure trusts. The Notices ordered Serco and the trusts to stop using facial recognition technology and fingerprint scanning to monitor employee attendance. On the same day, the ICO published new guidance on the use of Biometric Recognition Systems. As the use of biometric technology increases, organisations should be mindful not to fall foul of UK and European data protection legislation.
The Serco Enforcement Notices
Serco operates leisure facilities on behalf of community leisure trusts and local authorities across the UK and Jersey. Since May 2017, Serco has been using facial recognition technology and fingerprint scanning technology for the purpose of employment attendance checks and subsequent payment for employees’ timed work. From its introduction, Serco has processed the biometric data of more than 2,000 employees at 38 leisure facilities across the UK and Jersey. Serco began using biometric technology as it considered that previous systems (which included manual sign-in sheets and radio-frequency ID cards (RFID cards)[1] ) were prone to human error and abuse by employees (via buddy punching and falsified timecards).
Contraventions
The ICO commenced its investigation into Serco and the trusts at the end of December 2019, after an employee of the ICO observed facial recognition technology being used at a facility managed by Serco. On 23 February 2024, the ICO found Serco and the trusts to be in breach of Articles 5(1)(a), 6 and 9 of the UK GDPR, as they had failed to establish a lawful basis and special category personal data[2] processing condition for the processing of biometric data.
Article 5(1)(a) of the UK GDPR enshrines the principle that personal data shall be processed lawfully, fairly, and in a transparent manner. Article 6 sets out six ‘lawful bases’ on which organisations can rely to process personal data lawfully. Where special category data is concerned, Article 9 provides for ten possible conditions on which organisations must further rely to lawfully process such data.
Lawful Basis for Processing – Article 6
As to the lawful bases for processing biometric data, Serco and the trusts purported to rely on contractual necessity and legitimate interests (Articles 6(1)(b) and 6(1)(f) of the UK GDPR). Whilst the ICO agreed that recording employee attendance times was necessary for Serco to fulfil its contractual obligation to pay employees, it did not consider that the processing of biometric data was necessary to achieve this purpose. Less intrusive means could be used to verify attendance such as RFID cards/fobs or manual timesheets, which Serco had failed to demonstrate were not appropriate. Despite Serco’s assertions that such alternative methods were open to abuse, the ICO noted that Serco had been unable to provide evidence of widespread abuse, nor explain why other methods, such as disciplinary action against employees found to be abusing the system, were not appropriate. The ICO was similarly not persuaded by Serco’s legitimate interest arguments, concluding that the processing of biometric data was not necessary to fulfil Serco’s legitimate interest of ensuring it paid its employees the correct salary for the time they worked. In particular, the ICO noted that legitimate interests will not apply if the same result can be reasonably achieved in another less intrusive way.
Special Category Personal Data Processing Condition – Article 9
Serco and the trusts had further sought to rely on Article 9(2)(b) as their processing condition for special category data, i.e., that the processing was necessary to carry out employment law obligations/exercise employment law rights. The ICO noted that Serco and the trusts had initially failed (both when they began processing data using biometric technology and during the ICO’s investigation) to identify the specific legal obligations/rights relied upon, only later relying on the Working Time Regulations 1998 and the Employment Rights Act 1996. The ICO commented that the Article 9(2)(b) condition does not cover processing to meet purely contractual employment rights or obligations and further noted that Serco and the trusts had failed to demonstrate the necessity of processing biometric data for the purpose of employee attendance checks or to comply with the laws identified. Serco was further criticised for not having in place an appropriate policy document as required by the UK Data Protection Act 2018.[3]
Lawful, Fair, and Transparent Processing – Article 5
Considering the above, the ICO concluded that Serco and the trusts had unlawfully processed biometric data in contravention of Article 5(1)(a) of the UK GDPR. Further, Serco and the trusts had failed to process personal data fairly. The ICO commented that the processing of biometric data is highly intrusive and has the potential to cause distress to data subjects. Alternative mechanisms for logging attendance had not been sufficiently brought to Serco employees’ attention; rather, employees were “expected” to use biometric technology and could be subject to disciplinary action if they refused. The ICO further concluded that, due to the imbalance of power between Serco and its employees, it was unlikely that employees would feel able to object to such processing in any event.
Terms of the Notices
As a result of the Notices, within three months, Serco and the trusts must cease processing biometric data for the purpose of employment attendance checks and must destroy all biometric data that they are not legally obliged to retain.
Commenting on the Notices, John Edwards, the UK information commissioner, stated, “This action serves to put industry on notice that biometric technologies cannot be deployed lightly. We will intervene and demand accountability, and evidence that they are proportional to the problem organisations are seeking to solve.” [4]
The ICO’s New Guidance on the Use of Biometric Recognition Systems
The Notices were issued on the same day that the ICO published new guidance on the use of biometric recognition systems. The ICO’s guidance explains how data protection law applies to the use of such systems and covers, amongst other things:
-
- How to process biometric data lawfully and fairly.
- How the accuracy principle applies to biometric data.
- How to ensure the processing of biometric data is transparent.
- How to deal with data subject rights requests for biometric data.
- How to keep biometric data secure.
As to how organisations can process biometric data lawfully, the guidance notes that explicit consent is likely to be the most appropriate condition available. The ICO does appreciate, however, that consent can be difficult to obtain in an employer-employee context as employees may feel they have no choice but to agree.[5] The ICO comments that this does not mean that employers can never rely on consent, but that they need to carefully consider the specific scenario in order to ensure they can offer a genuine choice without detriment. In order to rely on any lawful basis other than consent, organisations must be able to demonstrate that processing biometric data is “necessary” to achieve their overall purposes. Whilst necessity does not mean that the processing of the data much be absolutely essential, it does need to be more than just useful or desirable.
In connection with the fairness principle, the guidance states that whether biometric recognition systems are effective depends on their statistical accuracy. If organisations do not address the risk of inaccuracy, they may contravene the fairness principle and other equalities legislation. The guidance notes, for example, that biometric recognition systems should be tested for bias and, if detected, such bias should be mitigated.
As with all personal data, the guidance provides that organisations must implement appropriate security measures when using biometric data. Given the sensitive nature of biometric data, and the risks associated with unauthorised access by nefarious actors, “appropriate” is a higher bar than for personal data more generally. The guidance states that organisations must encrypt any biometric data they use and should consider the use of privacy enhancing technologies (PETs).
Commenting on the guidance, John Edwards said, “Our latest guidance is clear that organisations must mitigate any potential risks that come with using biometric data, such as errors identifying people accurately and bias if a system detects some physical characteristics better than others.”[6]
Lessons
With the use of biometric technology becoming increasingly common, organisations must ensure they do not fall foul of UK and European data protection legislation. Some of the key lessons that organisations can take from the Serco Notices and the ICO’s new guidance include:
- When not relying on consent as the lawful basis for processing biometric data, it is crucial to consider whether the processing is “necessary”. Organisations must ensure that they have considered whether other less intrusive means could be used and must clearly document and evidence why such alternative means are not appropriate.
- When relying on consent or legitimate interests as the lawful basis for processing biometric data, organisations must offer alternative options to those that decline to provide consent/object to the processing of such data.
- When relying on Article 9(2)(b) as the special category condition to process biometric data for employment purposes, prior to processing such data, organisations must clearly identify the laws that contain the right/obligation requiring such processing.
-
Connected with the above, robust data protection impact assessments[7] must be completed prior to the processing of biometric data via biometric recognition systems.
-
Where biometric data is being processed in an employment context, such as for employee monitoring, organisations must ensure they have appropriate policy documents in place.
-
Organisations that are processing biometric data must have more robust security measures in place.
The Serco Enforcement Notices
Serco operates leisure facilities on behalf of community leisure trusts and local authorities across the UK and Jersey. Since May 2017, Serco has been using facial recognition technology and fingerprint scanning technology for the purpose of employment attendance checks and subsequent payment for employees’ timed work. From its introduction, Serco has processed the biometric data of more than 2,000 employees at 38 leisure facilities across the UK and Jersey. Serco began using biometric technology as it considered that previous systems (which included manual sign-in sheets and radio-frequency ID cards (RFID cards)[1] ) were prone to human error and abuse by employees (via buddy punching and falsified timecards).
Contraventions
The ICO commenced its investigation into Serco and the trusts at the end of December 2019, after an employee of the ICO observed facial recognition technology being used at a facility managed by Serco. On 23 February 2024, the ICO found Serco and the trusts to be in breach of Articles 5(1)(a), 6 and 9 of the UK GDPR, as they had failed to establish a lawful basis and special category personal data[2] processing condition for the processing of biometric data.
Article 5(1)(a) of the UK GDPR enshrines the principle that personal data shall be processed lawfully, fairly, and in a transparent manner. Article 6 sets out six ‘lawful bases’ on which organisations can rely to process personal data lawfully. Where special category data is concerned, Article 9 provides for ten possible conditions on which organisations must further rely to lawfully process such data.
Lawful Basis for Processing – Article 6
As to the lawful bases for processing biometric data, Serco and the trusts purported to rely on contractual necessity and legitimate interests (Articles 6(1)(b) and 6(1)(f) of the UK GDPR). Whilst the ICO agreed that recording employee attendance times was necessary for Serco to fulfil its contractual obligation to pay employees, it did not consider that the processing of biometric data was necessary to achieve this purpose. Less intrusive means could be used to verify attendance such as RFID cards/fobs or manual timesheets, which Serco had failed to demonstrate were not appropriate. Despite Serco’s assertions that such alternative methods were open to abuse, the ICO noted that Serco had been unable to provide evidence of widespread abuse, nor explain why other methods, such as disciplinary action against employees found to be abusing the system, were not appropriate. The ICO was similarly not persuaded by Serco’s legitimate interest arguments, concluding that the processing of biometric data was not necessary to fulfil Serco’s legitimate interest of ensuring it paid its employees the correct salary for the time they worked. In particular, the ICO noted that legitimate interests will not apply if the same result can be reasonably achieved in another less intrusive way.
Special Category Personal Data Processing Condition – Article 9
Serco and the trusts had further sought to rely on Article 9(2)(b) as their processing condition for special category data, i.e., that the processing was necessary to carry out employment law obligations/exercise employment law rights. The ICO noted that Serco and the trusts had initially failed (both when they began processing data using biometric technology and during the ICO’s investigation) to identify the specific legal obligations/rights relied upon, only later relying on the Working Time Regulations 1998 and the Employment Rights Act 1996. The ICO commented that the Article 9(2)(b) condition does not cover processing to meet purely contractual employment rights or obligations and further noted that Serco and the trusts had failed to demonstrate the necessity of processing biometric data for the purpose of employee attendance checks or to comply with the laws identified. Serco was further criticised for not having in place an appropriate policy document as required by the UK Data Protection Act 2018.[3]
Lawful, Fair, and Transparent Processing – Article 5
Considering the above, the ICO concluded that Serco and the trusts had unlawfully processed biometric data in contravention of Article 5(1)(a) of the UK GDPR. Further, Serco and the trusts had failed to process personal data fairly. The ICO commented that the processing of biometric data is highly intrusive and has the potential to cause distress to data subjects. Alternative mechanisms for logging attendance had not been sufficiently brought to Serco employees’ attention; rather, employees were “expected” to use biometric technology and could be subject to disciplinary action if they refused. The ICO further concluded that, due to the imbalance of power between Serco and its employees, it was unlikely that employees would feel able to object to such processing in any event.
Terms of the Notices
As a result of the Notices, within three months, Serco and the trusts must cease processing biometric data for the purpose of employment attendance checks and must destroy all biometric data that they are not legally obliged to retain.
Commenting on the Notices, John Edwards, the UK information commissioner, stated, “This action serves to put industry on notice that biometric technologies cannot be deployed lightly. We will intervene and demand accountability, and evidence that they are proportional to the problem organisations are seeking to solve.” [4]
The ICO’s New Guidance on the Use of Biometric Recognition Systems
The Notices were issued on the same day that the ICO published new guidance on the use of biometric recognition systems. The ICO’s guidance explains how data protection law applies to the use of such systems and covers, amongst other things:
-
- How to process biometric data lawfully and fairly.
- How the accuracy principle applies to biometric data.
- How to ensure the processing of biometric data is transparent.
- How to deal with data subject rights requests for biometric data.
- How to keep biometric data secure.
As to how organisations can process biometric data lawfully, the guidance notes that explicit consent is likely to be the most appropriate condition available. The ICO does appreciate, however, that consent can be difficult to obtain in an employer-employee context as employees may feel they have no choice but to agree.[5] The ICO comments that this does not mean that employers can never rely on consent, but that they need to carefully consider the specific scenario in order to ensure they can offer a genuine choice without detriment. In order to rely on any lawful basis other than consent, organisations must be able to demonstrate that processing biometric data is “necessary” to achieve their overall purposes. Whilst necessity does not mean that the processing of the data much be absolutely essential, it does need to be more than just useful or desirable.
In connection with the fairness principle, the guidance states that whether biometric recognition systems are effective depends on their statistical accuracy. If organisations do not address the risk of inaccuracy, they may contravene the fairness principle and other equalities legislation. The guidance notes, for example, that biometric recognition systems should be tested for bias and, if detected, such bias should be mitigated.
As with all personal data, the guidance provides that organisations must implement appropriate security measures when using biometric data. Given the sensitive nature of biometric data, and the risks associated with unauthorised access by nefarious actors, “appropriate” is a higher bar than for personal data more generally. The guidance states that organisations must encrypt any biometric data they use and should consider the use of privacy enhancing technologies (PETs).
Commenting on the guidance, John Edwards said, “Our latest guidance is clear that organisations must mitigate any potential risks that come with using biometric data, such as errors identifying people accurately and bias if a system detects some physical characteristics better than others.”[6]
Lessons
With the use of biometric technology becoming increasingly common, organisations must ensure they do not fall foul of UK and European data protection legislation. Some of the key lessons that organisations can take from the Serco Notices and the ICO’s new guidance include:
- When not relying on consent as the lawful basis for processing biometric data, it is crucial to consider whether the processing is “necessary”. Organisations must ensure that they have considered whether other less intrusive means could be used and must clearly document and evidence why such alternative means are not appropriate.
- When relying on consent or legitimate interests as the lawful basis for processing biometric data, organisations must offer alternative options to those that decline to provide consent/object to the processing of such data.
- When relying on Article 9(2)(b) as the special category condition to process biometric data for employment purposes, prior to processing such data, organisations must clearly identify the laws that contain the right/obligation requiring such processing.
-
Connected with the above, robust data protection impact assessments[7] must be completed prior to the processing of biometric data via biometric recognition systems.
-
Where biometric data is being processed in an employment context, such as for employee monitoring, organisations must ensure they have appropriate policy documents in place.
-
Organisations that are processing biometric data must have more robust security measures in place.
[1] Physical access cards that use radio frequency to grant access to a particular area or individual.
[2] Under Article 9(1) of the UK GDPR, biometric data is classified as “special category personal data” requiring additional safeguards for it to be lawfully processed.
[3] Schedule 1, Part 1, paragraph 1(1)(b), which relates to the processing of special category personal data in an employment context.
[5] In order to be valid, the UK GDPR requires that consent be “freely given” (Article 4(11)).
[7] An assessment of the impact that the proposed processing operation will have on the protection of personal data.
Footnotes
[1] Physical access cards that use radio frequency to grant access to a particular area or individual.
[2] Under Article 9(1) of the UK GDPR, biometric data is classified as “special category personal data” requiring additional safeguards for it to be lawfully processed.
[3] Schedule 1, Part 1, paragraph 1(1)(b), which relates to the processing of special category personal data in an employment context.
[5] In order to be valid, the UK GDPR requires that consent be “freely given” (Article 4(11)).
[7] An assessment of the impact that the proposed processing operation will have on the protection of personal data.
Related Attorneys
Related Capabilities
© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.
News and Insights
Podcasts
Partner Laurel Loomis Rimon Discusses Fintech Enforcement, Debanking, and Regulatory Risk on Fintech Layer Cake Podcast
Partner Laurel Loomis Rimon was featured on the Fintech Layer Cake podcast, where she discussed how fintech enforcement and prosecution actually work in practice, and what exposes fintechs and banks to regulatory risk.
July 15, 2026
Publications
Supreme Court Clarifies Scope of Private Rights of Action Under the Investment Company Act, Private Equity Law Report
Partners Charles Riely, Todd C. Toral, and Martin Glass authored a guest article for Private Equity Law Report examining the US Supreme Court's June 11, 2026, ruling on the scope of private rights of action under the Investment Company Act of 1940.
July 14, 2026
Publications
Emily Loeb Discusses Congressional Oversight Preparedness in Bloomberg Law
Partner Emily Loeb, co-chair of Jenner & Block's Congressional Investigations Practice, spoke with Bloomberg Law article about how companies can prepare for potential oversight exposure ahead of this fall's midterm elections.
July 7, 2026
Publications
In New York Law Journal, The True Lender Doctrine and the OppFi Decision
Partners Jeremy Creelan, Michael Ross, Megan Poetzel, and Laurel Loomis Rimon, and Associate Molly Oberstein-Allen authored an article for the New York Law Journal examining the "True Lender" doctrine in light of a May 2026 California decision that provides the most detailed judicial framework to date for evaluating bank-nonbank lending partnerships.
July 1, 2026
Event
Partner Michael Vernick to Speak at NACUA's 2026 Annual Conference
On July 1, Partner Michael Vernick will speak on a panel at the National Association of College and University Attorneys (NACUA) 2026 Annual Conference in Nashville.
July 1, 2026