| 
Biometric Monitoring in the Workplace: A High-Risk Area for Employers
Adrian Fryer
Biometric monitoring – tools that identify individuals through fingerprints, facial recognition, voice patterns or other biological traits – is becoming increasingly common in workplaces seeking efficient access control, timekeeping, or security. But the legal and ethical risks associated with biometrics are substantial. These technologies collect special category data, meaning they trigger the highest level of protection under the UK GDPR.
Employers considering biometrics need to understand both the benefits and the pitfalls before rolling out any system.
Why Biometrics are high-risk
Biometric data is inherently sensitive. It can reveal personal attributes, is unique to the individual, and cannot easily be changed if compromised. That’s why the GDPR treats biometrics as special category data, requiring employers to meet:
- A lawful basis for processing
- A separate special category condition, such as health and safety, substantial public interest, or explicit consent.
Because biometrics are generally not essential for most roles, it is often difficult to rely on any basis other than explicit consent — and consent is notoriously problematic in employment due to the imbalance of power.
The Serco case: A cautionary tale
The ICO’s enforcement action against Serco earlier this year is a stark warning. Serco implemented facial recognition and fingerprint scanning to monitor staff attendance without:
- properly assessing privacy risks;
- demonstrating that biometrics were necessary; or
- considering alternatives, such as ID cards.
The ICO ordered Serco to stop using the technology, delete most of the biometric data, and comply within three months — a strong signal that biometric monitoring will face serious scrutiny.
Justifying biometric monitoring
Where biometric data is genuinely necessary – such as in high-security environments – employers must:
- conduct a Data Protection Impact Assessment (DPIA)
- assess whether a less intrusive option exists
- explain clearly why biometrics are required
- ensure staff have a genuine alternative option (e.g. a key card)
- restrict access to data and store it securely
- keep retention periods short and well-defined
Transparency and choice are essential
Because biometrics are deeply personal, employees must understand what is being collected and why. If employers cannot offer staff a meaningful choice over whether to participate – without detriment – biometrics will rarely be lawful.
Proceed with caution
Biometric monitoring is an area where technological convenience often clashes with legal risk. Employers should proceed carefully, documenting every decision, prioritising alternatives, and remembering that “high-tech” doesn’t automatically equal “lawful”.