Data security
As we become more accustomed to using our faces or fingerprints to unlock devices in our everyday life, it’s not surprising that UK employers are considering using biometric systems in the workplace. However, employers need to address the significant challenges involved with using biometric data.

Employers are beginning to see the potential benefits of using biometric systems, such as facial recognition and fingerprint access systems, in the workplace. These include enhancing security (such as controlling entry to restricted areas), improving efficiency (such as eliminating the need for passwords, keys or access cards) and monitoring employee wellbeing and performance (such as tracking activity, productivity or stress levels).

However, given the nature of biometric data and the sensitivities around its use and, importantly, its potential misuse, there are significant challenges to overcome when using biometric systems in the workplace.

Here are our five top tips to help UK employers successfully use biometric data in the workplace.

1. Follow data protection requirements

When employers use biometric data for the purpose of uniquely identifying an individual, it is special category personal data. Processing it therefore requires both a lawful basis (as for any personal data) and a separate condition for processing special category data, which in the employment context will usually mean explicit consent obtained before any biometric data is processed.

Leaving aside the thorny issue of whether an employee can ever truly give freely informed consent to an employer, explicit consent is, in many cases, the only condition available for processing special category biometric data.

Hand in hand with the need for consent is the need for transparency. It is essential that employees know why their personal data is being collected, the scope of collection and how their personal data will be used.

Employers must ensure that they have a clear purpose for processing biometric data and consider whether the proposed approach is proportionate or if a less intrusive approach could be taken. Employers are encouraged to undertake a Data Protection Impact Assessment when considering whether it will be appropriate to use biometric data.

In our experience, biometric data can successfully be used in the workplace when employees understand the risks, benefits and implications of using such systems, and an ongoing dialogue between the employer and employees is maintained in relation to its use. The Information Commissioner’s Office guidance states that employees who object to the use of biometric data should be offered an alternative and that this alternative “should not disadvantage workers.” It is difficult to know how, in practice, employers can provide such an alternative, particularly if they have built a whole system around the use of biometric data; this will be a real challenge for some employers.

Employers should also have policies that clearly set out the periods for retention and deletion of the biometric data. In line with the storage limitation principle, personal data should only be kept for as long as necessary for the intended purpose, and secure processes must be in place to ensure that the data is actually deleted, including any copies held in backups or on removable media.

2. Ensure employees trust your use of biometric data

Once trust is eroded between an employer and an employee it is very difficult to re-establish.

Being open and transparent about why, how, what, where and when employee biometric data is to be collected and used is essential. Some employers also choose to set out how the data will not be used, which can give employees confidence that the employer has given serious thought to protecting their data rights.

Consulting with employee councils and trade unions on the scope, purpose, duration of use, collection and storage of biometric data is likely to help build employee trust in the employer.

3. Ensure adequate security controls are in place

Biometric data requires robust security to protect it from unauthorised access, modification or deletion, and unlike a password or an access card, a fingerprint or a face cannot be reissued once it has been compromised. There are numerous examples of biometric data being lost: in 2017 a UK construction company lost an unencrypted USB device containing biometric data, including fingerprints, and the Biostar 2 platform breach left fingerprints, facial recognition data and other personal information exposed on a publicly accessible database.

The UK’s National Cyber Security Centre has published guidance for organisations on how to choose, configure and use devices securely, including guidance on using biometrics. Secure storage, encryption and access controls are essential components of protecting biometric information and minimising (and ideally preventing) unauthorised access and breaches. In practice this means storing the matcher’s templates rather than raw images where the system allows it, encrypting stored data with keys kept separately from the data itself, restricting which people and which systems can read it, and making sure that deletion at the end of the retention period removes every copy, not just the live record.
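The storage, encryption, access control and deletion points above, together with the retention and deletion requirements under tip 1, can be put together in code. The following Go program is an added example written for this article; it is not code from the NCSC, the ICO or any vendor. It stores biometric templates encrypted under a per-record data key (DEK), keeps the wrapped DEKs apart from the ciphertexts, enforces a retention period on reads, and deletes a record by destroying its key (crypto-shredding), so that deletion holds even against copies of the ciphertext that survive in backups. The TemplateStore type, its method names, the employee IDs and the sample template are all hypothetical; the key-encryption key (KEK) is held in memory here, where a real deployment would keep it in an HSM or key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// record is one stored template, sealed under its own data key (DEK) with AES-256-GCM.
type record struct {
	ciphertext []byte    // nonce || AES-GCM(DEK, template)
	collected  time.Time // enrolment time, for retention checks
}

// TemplateStore keeps wrapped DEKs apart from ciphertexts so they can be backed up separately.
type TemplateStore struct {
	kek       []byte            // key-encryption key; in production an HSM/KMS key (assumed)
	retention time.Duration     // maximum time a template may be kept
	keys      map[string][]byte // employee ID -> DEK wrapped under the KEK
	templates map[string]*record
}

func NewTemplateStore(kek []byte, retention time.Duration) *TemplateStore {
	return &TemplateStore{kek: kek, retention: retention,
		keys: map[string][]byte{}, templates: map[string]*record{}}
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext, authenticates it together with aad, and prepends the nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a tampered ciphertext, wrong key or wrong aad fails to authenticate.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Enrol seals the template under a fresh DEK and wraps the DEK under the KEK. The
// employee ID is the associated data, so a ciphertext cannot be swapped between records.
func (s *TemplateStore) Enrol(employeeID string, template []byte, now time.Time) error {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return err
	}
	ct, err := seal(dek, template, []byte(employeeID))
	if err != nil {
		return err
	}
	wrapped, err := seal(s.kek, dek, []byte(employeeID))
	if err != nil {
		return err
	}
	s.keys[employeeID] = wrapped
	s.templates[employeeID] = &record{ciphertext: ct, collected: now}
	return nil
}

// Template decrypts a stored template, refusing deleted or out-of-retention records.
func (s *TemplateStore) Template(employeeID string, now time.Time) ([]byte, error) {
	r, ok := s.templates[employeeID]
	wrapped, haveKey := s.keys[employeeID]
	switch {
	case !ok || !haveKey:
		return nil, errors.New("no template enrolled, or it has been deleted")
	case now.Sub(r.collected) > s.retention:
		return nil, errors.New("retention period expired; delete the record")
	}
	dek, err := open(s.kek, wrapped, []byte(employeeID))
	if err != nil {
		return nil, err
	}
	return open(dek, r.ciphertext, []byte(employeeID))
}

// Delete crypto-shreds a record: with its DEK destroyed, the ciphertext is unrecoverable
// even where copies of it survive in backups, exports or on removable media.
func (s *TemplateStore) Delete(employeeID string) bool {
	_, ok := s.keys[employeeID]
	delete(s.keys, employeeID)
	delete(s.templates, employeeID)
	return ok
}
```

Two caveats follow from the design. The crypto-shredding guarantee only holds if the wrapped-key table is not backed up alongside the ciphertexts and the KEK stays in the HSM or KMS, otherwise a backup of both tables plus the live KEK can still recover a "deleted" template; and the retention check in Template is a safety net, not a substitute for a scheduled job that calls Delete on expired records so that the data really is gone at the end of the retention period set out in the employer’s policy.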

4. Address inclusivity, accessibility and bias associated with using biometric data

Biometric systems shouldn’t be introduced without ensuring that they are inclusive and can be used effectively by all employees, including those with a disability. Where a system depends on biometric data that some employees find difficult or impossible to provide, employers may need to consult those employees about reasonable adjustments to the system.

It is also important to ask questions about inherent bias in biometric systems and how it is tackled on an ongoing basis. Bias in a system may disproportionately affect certain groups: facial recognition systems have been shown to identify people of some ethnic groups less accurately than others, leading to cases of mistaken identity.

If a third-party vendor is providing the technology, accessibility, inclusivity and bias should form part of the due diligence exercise during the procurement process. Should the purchase proceed, the vendor’s obligations and responsibilities should be included in the contract.

5. Stay up-to-date with the developing guidance and legislation

Ethical, legal and privacy issues must be carefully considered when implementing biometric systems in the workplace, and the legislation and guidance in many countries on how best to do this is still in development.

While some countries, including various states in the US, have legislation dealing specifically with biometrics, others rely on their privacy legislation (and related regulatory guidance) e.g., the UK General Data Protection Regulation and the EU General Data Protection Regulation.

Biometric data is defined in the UK General Data Protection Regulation as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic [fingerprint] data.”

The UK’s Information Commissioner’s Office applies a threefold test for whether personal data is biometric data, all three limbs of which must be met:

(i) does the personal data relate to someone’s appearance, behaviour or observable characteristics e.g., their voice, face, fingerprints, the way they type etc?

(ii) has the personal data been extracted or further analysed using technology e.g., voice analytic software?

(iii) can the personal data uniquely identify the person to whom it relates?

Given the rise in interest in deploying biometric systems, many expected the ICO to act, and in August 2023 it announced that it was drafting guidance on biometric data and biometric technologies. The ICO consulted on the draft guidance throughout autumn 2023, and a call for evidence on biometric classification and data protection is expected in early 2024. The draft guidance is, as ever with the ICO, practical in nature: it does not ban the use of biometric data but sets out the data protection requirements that must be complied with. Although not yet in final form, it is a useful reference for employers and indicates the ICO’s thinking in this area.

The ICO’s revised Monitoring at Work guidance, published on 3 October 2023, is also useful and relevant for employers where biometric data is used to monitor workers, e.g., fingerprints for access control or time/attendance purposes, facial recognition for device sign on and potentially webcam footage if it is used for the purposes of identification (for more information see our article about the new guidance on monitoring workers).

This guidance states that employers must:

  • be crystal clear about the purpose of monitoring;
  • select the least intrusive means to achieve the purpose; and
  • document why they are monitoring employees and what they intend to do with the information they collect.

It also recommends that an employer carries out a Data Protection Impact Assessment whether it is legally required to or not.

In 2022 the ICO warned about the use of emerging biometric technologies. While we haven’t yet seen any fines handed down for UK breaches, other Data Protection Authorities in Europe have fined organisations for failing to handle biometric data correctly. An example is the EUR 700,000 fine imposed on Budapest Bank for its unlawful use of AI-based emotion analysis on recorded customer calls.

With UK data reform on the horizon in the form of the Data Protection and Digital Information Bill, employers should keep an eye on the proposed changes this legislation may bring to biometric data projects.

Conclusion

While the idea of using employee biometrics in the workplace to enhance security and efficiency is gaining momentum, the ICO makes it clear that an employer’s business interests must never be prioritised over the privacy of workers.

It is important that any employer thinking about using biometrics in the workplace considers undertaking a Data Protection Impact Assessment, engages with their employees, considers accessibility, inclusion and issues of bias, is open and transparent about the purposes for which the biometric data will be collected and used, and how it will be retained and then deleted.

As new technologies and use cases emerge it will be important to keep up-to-date with new legislation and guidance, especially given the regulatory focus in this area and the new Data Protection and Digital Information Bill, which is on the horizon. It is also essential that employers keep employment policies and practices under review to ensure compliance with evolving law and guidance.

The wider impact of emerging technologies on the world of work is considered in detail in a recent report from our Future of Work Hub, Strategic priorities shaping the workforce and HR agenda in 2024 and beyond. Visit our Future of Work Hub to find out more.

Should you have any questions about using biometrics in the workplace, or would like to keep up-to-date with developments in this area, please get in touch with your usual Lewis Silkin contact.
