ICO (UK) - Processing of special category biometric data 04102022
|ICO - Processing of special category biometric data 04102022
|Article 5(1)(a) GDPR
Article 9(1) GDPR
Article 9(2)(b) GDPR
Article 35 GDPR
|National Case Number/Name:
|Processing of special category biometric data 04102022
|European Case Law Identifier:
|ICO (in EN)
The Employer used biometric readers in its venues for the purposes of keeping adequate records of time for its employees. The Employer did not have an appropriate lawful basis and Special Category Data exemption for doing so. The Employer had not conducted a Data Protection Impact Assessment (DPIA). The ICO has issued a reprimand.
English Summary[edit | edit source]
Facts[edit | edit source]
The Employer used biometric readers in its venues for the purposes of keeping adequate records of time for its employees. The Employer had not conducted a Data Protection Impact Assessment (DPIA).
Holding[edit | edit source]
The Employer did not identify an appropriate lawful basis for the processing of special category data (SCD) through its biometric readers in its venues. Article 9(2)(b) does not cover processing purely to meet contractual employment rights or obligations. Article 9(2)(b) was not a legitimate legal basis for the processing. This is an infringement of Article 5(1)(a) as the SCD was not, therefore, processed lawfully.
The Employer should have carried out a Data Protection Impact Assessment (DPIA) in respect of this processing prior to the introduction of the UK GDPR in May 2018.
The ICO issued a reprimand to the Employer.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Details of reprimand To confirm, this reprimand has been issued in respect of the following processing operations that have infringed the UK GDPR: • Article 5(1)(a) of the UK GDPR which states that personal data shall be “processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency)” In particular, did not identify an appropriate lawful basis for the processing of special category data (SCD). In its response to the ICO, stated that the processing of SCD was covered by Article 9(2)(b) which states that; “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject”. ICO guidance states that examples of such processing of SCD under Article 9(2)(b) would include; • checking if individuals are entitled to work in the UK; • ensuring health, safety and welfare of employees; • maintaining records of statutory sick pay and maternity pay; or • deducting trade union subscriptions from payroll. Furthermore, ICO guidance states that the purpose must be to comply with employment law, or social security and social protection law; and that a data controller must be able to identify the specific legal obligation or right in question. The condition does not cover processing purely to meet contractual employment rights or obligations. The data controller must also be able to justify why the processing is necessary, and that it is a reasonable and proportionate way of meeting the specific legal obligation or right. When asked what obligation under employment law made the processing necessary, has stated it is to comply with Section 9 of the Working Time Regulations 1998 (Exhibit 1.3). Specifically, this requires employers to keep adequate records of timekeeping. It is the ICO’s view that has not adequately demonstrated that the processing of biometric data was a necessity and did not provide sufficient justification as to why other less intrusive methods would not fully meet the needs identified. Whilst had stated that alternative methods for meeting the same purpose had been tried, and were found to be less effective, did not sufficiently demonstrate why biometric data was the only effective method of achieving its purpose. Article 9(2)(b) was not a legitimate legal basis for the processing. This is an infringement of Article 5(1)(a) as the SCD was not, therefore, processed lawfully. • Article 9(1) of the UK GDPR which states that “processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited”. Article 9(2) then proceeds to state “Paragraph 1 shall not apply if one of the following applies”. Subparagraphs (a) – (j) then list the conditions in which Paragraph 1 does not apply, and are referred to as the lawful bases for processing. As stated above, the lawful basis provided by , Article 9(2)(b), was not valid. This resulted in SCD being processed, despite being prohibited by Article 9(1). This is an infringement of Article (9)(1). • Article 35 of the UK GDPR which states that “where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.” has confirmed that the system had been in use since 2014, but that in 2019 it decided to carry out a PIA as part of its data protection compliance processes, and in order to take a “fresh view“ of the system and consider any possible improvements. As a result of this process, identified what it considered to be minor improvements that could be made in order to improve transparency in relation to the use of biometric data. In fact, should have carried out a Data Protection Impact Assessment (DPIA) prior to the introduction of the UK GDPR in May 2018. should have been aware that the introduction of the UK GDPR made biometric processing a class of SCD, which had not been the case before. This means that any previous PIA or risk assessment would no longer be adequate, and a DPIA specific to the UK GDPR requirements was necessary. The responses provided by demonstrate that no DPIA was carried out prior to the introduction of the UK GDPR to assess the risks of the biometric processing. This is an infringement of Article 35.Further Action Recommended The Commissioner is aware that has already suspended processing of biometric processing upon the reopening of its venues, and that its potential future use is currently under review. The ICO now requests that a DPIA be carried out by , if not already done so, before any future biometric processing is considered. Any future biometric processing, for any purpose, should only be undertaken once a clear and valid lawful basis for that processing has been identified under Article 9. Whilst the above measures are suggestions, I would like to point out that if further information, incidents or complaints relating to this matter come to light, we will revisit this matter and formal regulatory action may be considered as a result. Further information about compliance with the data protection legislation which is relevant to this case can be found at the following link: https://ico.org.uk/for-organisations/guide-to-data-protection/ We actively publicise our regulatory activity and outcomes, as this helps us to achieve our strategic aims in upholding information rights in the public interest. We may publish information about cases reported to us, for example where we think there is an opportunity for other organisations to learn or where the case highlights a risk or novel issue. Therefore, we may publish the outcome of this investigation to publicise our regulatory authority and new powers under the UK GDPR. We will publish information in accordance with our Communicating Regulatory and Enforcement Activity Policy, which is available online at the following link: https://ico.org.uk/media/about-the- ico/policiesandprocedures/1890/ico enforcement communications policy.pdf Please let us know if you have any concerns about this. Thank you for your co-operation and assistance during the course of our investigation.