Law Society of Scotland | Journal Archive | May 2022

Biometrics in the workplace

The authors explain the strict legal standards that apply when an employer seeks to make use of employees’ biometric data, and suggest appropriate safeguarding procedures
13th May 2022 | Loretta Maxfield, Andrew MacQueen

The use of technology that collects biometric data in the workplace is becoming increasingly common. Biometric data are personal data resulting from the technical processing of physical, physiological or behavioural human characteristics, which allow the identification of a living individual. Examples include facial and fingerprint recognition technology used for security purposes or to record time and attendance, or more recently, temperature screenings for COVID precautions. However, the introduction of the UK General Data Protection Regulation (“UK GDPR”) has brought with it an increased awareness of the rights of individuals to their personal data, and as a consequence the use of such technologies in the workplace has come under increased scrutiny.

One of the reasons for this increased scrutiny is that biometric data fall into the higher-risk category of personal data: special category data, the use of which is liable to be viewed as intrusive unless there are clear legitimate grounds for it. Employers are urged to tread carefully before processing biometric data, to minimise the risk of falling prey to the UK Information Commissioner's Office enforcement powers, which include the ability to issue penalties of up to the greater of 4% of turnover or £18 million. This article sets out some key considerations for employers when using (or contemplating using) biometric technologies in the workplace.

Purpose and proportionality of processing

There should be a clear purpose for processing this type of personal data. Given that it is generally considered quite an intrusive means of processing, employers should consider whether the processing is proportionate or whether its purpose can be achieved via less intrusive means. Undertaking a full data protection impact assessment (“DPIA”) before processing biometric data is highly recommended, and required under the UK GDPR.

It has become clear through case law and guidance that the processing of biometric data in the workplace needs to meet a high threshold before it is deemed acceptable, as demonstrated in the Amsterdam case of Mansfield Shoe Company, which, while not binding on UK courts, is likely to be considered persuasive. In this judgment, the court considered the company's use of biometric data for employee cash access, clocking-in and clocking-out, and ruled it unlawful on the basis that it did not meet the requirements of Dutch data protection laws; but, more generally, that the processing was not proportionate. While there was a clear purpose, the employer had failed to demonstrate why other, less privacy-intrusive systems had not been considered, and as such had failed to establish whether the processing was proportionate.

While the judgment highlighted that the use of biometrics in the workplace is not forbidden in all cases, it clearly stated that any use would need to meet a high threshold in terms of purpose and proportionality. Any DPIA carried out should clearly consider not just what the employer is trying to achieve but whether the processing is proportionate, i.e. can the same purpose be achieved by less intrusive means?

Lawfulness, fairness and transparency of processing

The UK GDPR requires organisations that wish to process personal data to have a lawful basis (article 6) and, for biometric data, a valid exception (article 9). The question of lawfulness can be tricky; consent is unlikely to be an option given the imbalance of power between employer and employee, and thus any reliance on consent may be deemed invalid.

In fact, the most obvious solution to the matter is often to rely on legitimate interest under article 6, and in terms of article 9, the valid exception of “processing is necessary for the purposes… in employment law”. However, in the case mentioned above, it became clear that the threshold requirements are high, and simply looking at this option as a catch-all solution to the use of biometric data to solve possible problems such as work-related fraud or time and attendance may not be sufficient.

In the UK, employers would also need to consider the requirements of the Data Protection Act 2018. Schedule 1, Part 1, para 1(1) does provide for processing if necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the employer, but to rely on this the employer would need to clearly identify what obligation or right it was exercising, and particular care ought to be given to the necessity of the processing to perform this obligation/right. It is unlikely to be deemed lawful if it can be achieved by other means.

As such, careful attention needs to be paid to the lawful conditions for processing biometric data. It is prudent to examine the lawful conditions available and determine their suitability for the processing in question.

Regardless of what personal data your organisation processes, you should ensure you have a fair and transparent notice to provide to the individuals it affects, often called a privacy notice. If processing biometric data in the workplace, it is a legal requirement to notify your employees of this processing activity through the privacy notice. You will need to include information regarding the purpose of processing, the lawful conditions for processing, and details of how the individual can exercise their rights or raise concerns about the processing activity. You must ensure this information is easily available and communicated to all individuals it affects.

Security risk

The loss of personal data can be devastating for both the organisation processing the personal data and the individual it affects. Given the unique attributes of biometric data, such data loss can have serious consequences for all parties involved. In the case of BioStar 2, a Suprema-based security platform, over 1 million biometric fingerprints and facial recognition data were compromised. That system, used by banks and the police, highlighted the need for organisations to have robust security measures in place, including but not limited to access control procedures and encryption. Organisations should also carry out regular penetration testing to ensure their security controls over the biometric data are up to date and robust.

What do you need to do?

Organisations looking at biometric processing as an option need to consider the following points:

  • Consult your DPO or person responsible for data protection compliance early on so they can support the organisation with the project and ensure it complies with data protection
  • Also consider: can you achieve the same result through a less intrusive form of processing? Is the processing disproportionate to the purpose? If the answer to either of these questions is yes, it becomes challenging to justify using biometric technology. An example may be the use of biometrics for clocking-in and clocking-out. This can be achieved by using clock-in/out cards, so the use of biometric data becomes difficult to
  • If the organisation still considers biometrics a viable option, it is essential to have the correct lawful conditions for processing. This will require an assessment of article 6 and article 9 of the UK GDPR and determining the correct lawful conditions for the processing
  • Given the intrusiveness of processing biometric data, the organisation must conduct a DPIA. This should identify any risk and remedial action to mitigate those risks. This should also consider issues surrounding data minimisation, retention and data security. This would involve undertaking necessary due diligence and risk assessments on suppliers to ensure appropriate technical, contractual, and organisational measures to protect the data. DPIAs and the use of the biometric system generally ought to be revisited
  • Be transparent with your staff by ensuring the staff privacy notice covers this type of processing activity and has been communicated
  • Add the processing to your record of processing
  • Have a plan in place if the data is hacked or suffers a different type of personal data breach. This is unique personal data, and a personal data breach may cause a high risk to individuals; therefore, any personal data breach may well lead to an event that needs to be reported to the ICO and the data subjects. It could cause harm to your staff leading to a breakdown of the employer/employee relationship, and could cause reputational damage. Having a plan in place for the worst-case scenario will help the organisation respond quickly and appropriately should such an event occur.


The Author

Loretta Maxfield is a partner and data protection specialist, and Andrew MacQueen a trainee solicitor, with Thorntons Law LLP
