By Becky Hall, Information Governance Manager, Naomi Korn Associates
Biometric systems can be useful tools when applied with due consideration for the individuals involved, and the associated privacy risks. Biometric systems include fingerprint scanner, iris scanners and facial recognition technology that is sometimes used in CCTV systems.
A practical application of this technology can be seen in schools where fingerprints are offered as an alternative to lunch cards as they can’t be forgotten or left at home and ensures that pupils can access a lunch time meal. An alternative card easily be offered to those who don’t wish for their fingerprints to be used in such a way. In this scenario, an alternative to the biometric system is offered and there is a clear benefit to introducing the system. The use of fingerprints in this way is more proportional than facial recognition as it is less invasive and poses fewer risks as individuals can’t be profiled or discriminated against, which is a risk when using facial recognition.[1]
However, the use of facial recognition technology for day-to-day tasks can be seen as excessive and not proportionate. This is seen in the ICO response to a leisure company, Serco, using facial recognition technology for monitoring staff, most notably their attendance in the workplace and stated ‘Serco Leisure did not fully consider the risks before introducing biometric technology to monitor staff attendance, prioritising business interests over its employees’ privacy’.[2] Business should not make decisions without considering the implications on their staff, as well as the balance of power that they hold as employers. It is recognised that in a work setting consent is not an appropriate legal basis for processing employee data as a result of this imbalance and it is unlikely that contract would be an appropriate basis in this instance.
There are a variety of other ways in which staff can ‘clock in’ for work as this has been common practice in workplaces for years and therefore it is hard to see why biometric data needs to be used in such a way by a leisure company. This is not to say that for an organisation working within a heavily regulated environment biometrics for registering staff attendance would not be a proportionate response if this was properly reviewed and documented. It does demonstrate, however, that the use of such technology needs to be proportionate to an organisations business needs and technology should not be used just because it can be.
It is important to make sure that you are using technology that meets your business needs and is a genuine improvement on the current processes. The risks of using biometric systems needs to be properly considered, including the implications of a data breach, as this sort of data isn’t replaceable in the same that a password or username is. Consent must also be sought before using an individual’s biometric data for identification purposes, and an alternative must be offered if consent is not provided. A data protection impact assessment is the best way to reflect on any projects that involve biometric systems and their risks and can show that these have been considered prior to implementation. The ICO has published guidance on biometric data to support those who are using, or wishing to use, within their organisation.[3]
Naomi Korn Associates provides a range of services to support organisations in complying with their requirements as set out in data protection law. If your business is thinking of introducing biometric systems we can work with you to ensure the privacy considerations are addressed at the design stage. We also have a fantastic range of courses including Privacy by Design: Data Protection Impact Assessments (DPIA) which would equip delegates with the knowledge they need to introduce new systems in a privacy complaint way.
[1] https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/cctv-and-video-surveillance/guidance-on-video-surveillance-including-cctv/case-study/
[2] https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/02/ico-orders-serco-leisure-to-stop-using-facial-recognition-technology/
[3] https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/biometric-data-guidance-biometric-recognition/
The post Facial Recognition Fiasco – Privacy considerations of Biometric systems appeared first on Naomi Korn Associates.
