This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
| 2 minute read

The ICO refereeing biometric data

When you hear ‘biometric data’, you probably think of the facial recognition technology you use to unlock your smartphone.

But it’s much broader than that, covering many other technologies, many of which are already in widespread use. For example, your Saturday trip to watch the North London derby will involve biometric data at almost every stage: before buying the tickets, your banking app might verify your identity using your voice; when walking through Kings Cross on the way to the stadium facial recognition cameras will monitor public safety; once you reach the stadium, police surveillance vans will be scanning the crowd for known criminals; and during the match itself, sports scientists will be analysing players’ gaits to track performance and fatigue. 

With so much interest in biometric technology, it’s no surprise that this has caught the eye of the ICO, which is seeking to referee this emerging league of technology.

The ICO lays down the rules of the game 

The ICO published new guidance on processing biometric data in February of this year, which has, amongst other things, reinforced the distinction between biometric data and special category biometric data. This distinction, based on whether biometric data is used to uniquely identify an individual, may give some comfort to those processing biometric data for purposes other than identification since the requirement to have an Article 9 GDPR condition only applies when processing special category biometric data. Avoiding having to jump over the Article 9 hurdles makes running the compliance program much more straightforward.

Serco Leisure – The ICO flexes sits muscles 

Serco Leisure ended up in hotter water than the local swimming pool after an ICO employee’s trip to a leisure centre ended up in an enforcement notice being issued against them. The ICO ordered it to stop using facial recognition and fingerprint scanning technologies to monitor employee attendance. 

While no monetary penalty was issued, the ICO was critical of Serco Leisure’s inability to justify why less intrusive alternatives, such as ID cards and fobs, would have been ineffective Given that lawful bases other than consent require the controller to justify why the processing is necessary, it’s crucial to consider whether any less intrusive alternatives might do the job just as well. 

The ICO also showed Serco Leisure a red card for failing to offer data subjects an opt-out or providing an alternative for employees who raised privacy concerns – something deployment of biometric technologies often requires, particularly in an employment context, where there is generally a power imbalance. 

This isn’t a cameo regulatory intervention by the ICO either, having already fined d
Clearview AI more than £7.5m in 2022 for unlawful processing of biometric data for facial recognition purposes (although the fine has since been overturned, subject to a further appeal by the ICO).

With the development and uptake of biometric technologies likely to continue, we expect that this is an area that the ICO will be keeping a particularly close eye on over the next twelve months.

This article is part of our Data Protection Top 10 2024 publication.

Subscribe to receive our latest insights - on the topics that matter most to you - direct to your inbox, at your preferred frequency. Subscribe here

Tags

dptop10_2024, article