Serco Leisure [1] [2] [3] [4] [5] [6] [7], a subsidiary of Serco Group [5], has been directed by the UK’s data protection enforcement authority, the Information Commissioner’s Office (ICO) [1] [2] [3] [4] [5] [6] [7], to cease the use of facial recognition technology and fingerprint scanning for monitoring employee attendance at leisure centres [3] [4] [5].


The ICO found that Serco unlawfully processed biometric data of more than 2,000 employees across 38 facilities without providing justification for the necessity or proportionality of such technology [6]. Employees were not offered alternative methods for clocking in and out [6], raising concerns about the power dynamic between the company and its workers [6]. In response, the ICO issued enforcement notices to halt processing biometric data and to delete any data not legally required to retain within three months [4]. This marks the first instance of the ICO taking action against an employer for processing staff biometric data [5]. John Edwards [2] [3] [4] [5] [7], the UK information commissioner [2] [3] [4] [5] [6] [7], criticized Serco Leisure for neglecting to assess the risks associated with implementing biometric technology and failing to provide alternatives to staff. The ICO has updated its guidance on the use of biometric data and will intervene in cases of unlawful data usage. Madeleine Stone from Big Brother Watch welcomed the enforcement notice but expressed worries about the growing use of biometric surveillance in workplaces and public areas [5]. Serco Leisure defended the technology’s implementation as a way to simplify employee clocking in and out, citing external legal advice that supported its use. The company has committed to complying with the enforcement notice and anticipates clearer guidelines on processing biometric data.


The enforcement notice issued by the ICO against Serco Leisure highlights the importance of assessing risks and providing alternatives when implementing biometric technology. This case sets a precedent for future actions against unlawful data usage, emphasizing the need for companies to prioritize data protection and privacy in their operations.