Data watchdog tells off outsourcing giant for scanning staff biometrics despite 'power imbalance'

A data protection watchdog in the UK has issued an enforcement notice to stop Serco from using facial recognition tech and fingerprint scanning to monitor staff at 38 leisure centers it runs. During an investigation, the Information Commissioner's Office, Britain's regulator set up to enforce data protection law, found Serco …

  1. Anonymous Coward

    Pull your finger out

    Much as I hate these huge outsourcing companies, I think the ICO has to share some blame here. Not issuing clear guidance around the use of biometrics until 2024 is a dereliction of duty (In my not so humble opinion). The ICO have chosen not to fine Serco in this case because "the Commissioner considers that the resulting infringements are negligent [rather than deliberate]. Serco appears to have sought to comply with data protection legislation in its deployment of biometric technology, but its failure to meet these requirements indicates a lack of understanding of the UK GDPR" - https://ico.org.uk/media/action-weve-taken/enforcement-notices/4028590/20240219-serco-leisure-operating-limited-en.pdf

    Serco stated: “Despite being aware of Serco Leisure’s use of this technology for some years, the ICO have only this week issued an enforcement notice and requested that we take action. We now understand this coincides with the publication of new guidance for organisations on processing of biometric data which we anticipate will provide greater clarity in this area."

    I'd be curious if the ICO had been nudged to not issue guidance beforehand. Use of facial recognition in the UK seems to be on the basis that the government will look the other way for as long as it possibly can.

    1. Anonymous Coward

      Re: Pull your finger out

      Serco's spin is a little rich... not getting caught/charged doesn't make it OK and it was already obvious that what they did was wrong. The updated guidance is a nice to have but not an excuse for screwing over their employees until now.

      Nice try though.....

      As for the authorities letting them off with a sternly worded letter... I'm at a loss for words!

  2. Joe-Thunks

    Pathetic response from the ICO

    It's a useless quango led by the limpest of limp-wristed nonentities. It has no credibility. The ICO would win the 'waggiest finger' medal for the so-called work it does.

    1. Colin Bull 1

      Re: Pathetic response from the ICO

      I think Ofcom would probably edge this one. How many years has it taken them to think mid-term hyper-inflationary price rises were acceptable? Still out for consultation?

      TPS has been outsourced so as to have deniability - that is now a 100% waste of time. Every complaint has the same response. We "cannot be sure this is the company you are complaining about". Even when you have a verified email from the spamming fuckers.

  3. Cynical Pie

    Despite the lack of published guidance the ICO's position on biometrics has been clear since I worked there in the early 2000s - don't use it if there are more proportionate or reasonable options.

    In this case it's clearly disproportionate.

    1. Woodnag

      It's worse than that. Here's the actual notice from https://ico.org.uk/action-weve-taken/enforcement/serco-leisure-operating-limited-and-relevant-associated-trusts/

      TERMS OF THE ENFORCEMENT NOTICE

      By no later than the date three months from the date of the Enforcement Notice Serco shall take the following steps:

      1. Cease all processing of biometric data for the purpose of employment attendance checks from all Relevant Facilities (and not implement biometric technology at any further facilities).

      2. Destroy all biometric data and all other personal and special category data that Serco is not legally obliged to retain, including any such data stored by, or on behalf of Serco (including instructing SWT Software Limited to delete any such data held on behalf of Serco).

      The destroy instruction is very vague. ICO really don't know what Serco is "legally obliged to retain"? Why is any of this illegally grabbed bio data under some unstated retention requirement?

      1. Graham Cobb

        I am guessing the "legally obliged" bit is about checks for employees. Certainly passports, and I guess probably some "safeguarding" checks for some roles. I assume it is worded like that so Serco can't keep some of the data "just in case" (or because they aren't quite sure why they have it) - it has to be "legally obliged" in order to keep it.

  4. Anonymous Coward

    The Real Problem.......

    .....is not the law, or the ICO.......................

    Remember the word "enforcement"?

    When I see MANY C-level executives in jail....when I see MANY million pound or million euro fines....then I might start to believe that GDPR is more than a bad joke!!!!!

  5. ecofeco Silver badge

    All the cool kids are doing it!

    https://www.wired.com/story/facial-recognition-vending-machine-error-investigation/

    Canada-based University of Waterloo is racing to remove M&M-branded smart vending machines from campus after outraged students discovered the machines were covertly collecting face recognition data without their consent.
