Biometric Data – Personal Data – what are your responsibilities?


If you monitor your employees or are considering doing so, this article is a must-read for you.

At the end of 2023, the ICO (Information Commissioner’s Office) issued new guidance on ‘Employment practices and data protection: monitoring workers’.

While monitoring employees is required in some circumstances to protect employers, employees and service users, employers need to avoid undue intrusion. The information ‘collected’ is likely to be personal data and therefore protected under data protection legislation.

Personal data must only be collected or processed for specified, explicit and legitimate purposes. Examples include vehicle tracking for health and safety purposes, CCTV for security reasons, and recording telephone calls for training.

Biometric data

The use of biometric systems such as facial or voice recognition, fingerprint, or iris scanning is on the increase. It can enhance security (such as reducing access to a restricted area) and efficiency (by reducing the need for passwords or key cards, etc.) and also help monitor employee productivity (such as tracking activity).

However, biometric information is classed as special category data. Therefore, employers will need to carry out a DPIA (data protection impact assessment), including informing and consulting with staff, before carrying out the monitoring, and satisfy a special category condition before doing so.

Explicit consent will be, in most cases, the only relevant condition and this can be hard to satisfy. To do so, the ICO guidance says that workers must provide this in a clear (written or verbal) statement and must have a genuine option to withhold consent with no negative consequence. Serco Leisure did not do this and received an enforcement notice from the ICO.

Facial Recognition Software – Serco Leisure monitoring employee attendance

Serco Leisure used facial recognition and fingerprint scanning technology to monitor employee attendance, which was a requirement for the employee to be paid.

Serco did not carry out a DPIA (data protection impact assessment) before introducing these systems, nor did it offer staff an alternative to the biometric scanning.

The ICO issued Serco with an enforcement notice and ordered it to stop using the technology. It said that a lack of an alternative meant there was an ‘imbalance in power’ between Serco and its employees and that they were ‘unlikely to feel they would feel able to say no’ to its use.

Serco had failed to show why the technology was necessary or proportionate when there were less intrusive means available such as ID cards or fobs.

The ICO took this action in the same week it published new guidance for organisations on how they can process biometric data lawfully.

The guidance is available at

Guildford HR are not specialists, but work with a range of employers to support them during the implementation of their Data Protection Policies.

If you would like to discuss the ICO guidelines, including Employee Monitoring, contact us on 01483 362732 or

Source ICO: