ICO (UK) - Processing of special category biometric data 04102022
From GDPRhub
| ICO - Processing of special category biometric data 04102022 | |
|---|---|
 | |
| Authority: | ICO (UK) |
| Jurisdiction: | United Kingdom |
| Relevant Law: | Article 5(1)(a) GDPR Article 9(1) GDPR Article 9(2)(b) GDPR Article 35 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | 04.10.2022 |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | Processing of special category biometric data 04102022 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | ICO (in EN) |
| Initial Contributor: | At33 |
The Employer used biometric readers in its venues for the purposes of keeping adequate records of time for its employees. The Employer did not have an appropriate lawful basis and Special Category Data exemption for doing so. The Employer had not conducted a Data Protection Impact Assessment (DPIA). The ICO has issued a reprimand.
English Summary
Facts
The Employer used biometric readers in its venues for the purposes of keeping adequate records of time for its employees. The Employer had not conducted a Data Protection Impact Assessment (DPIA).
Holding
The Employer did not identify an appropriate lawful basis for the processing of special category data (SCD) through its biometric readers in its venues. Article 9(2)(b) does not cover processing purely to meet contractual employment rights or obligations. Article 9(2)(b) was not a legitimate legal basis for the processing. This is an infringement of Article 5(1)(a) as the SCD was not, therefore, processed lawfully.
The Employer should have carried out a Data Protection Impact Assessment (DPIA) in respect of this processing prior to the introduction of the UK GDPR in May 2018.
The ICO issued a reprimand to the Employer.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Details of reprimand
To confirm, this reprimand has been issued in respect of the following processing
operations that have infringed the UK GDPR:
• Article 5(1)(a) of the UK GDPR which states that personal data shall be
“processed lawfully, fairly and in a transparent manner in relation to the data
subject (lawfulness, fairness and transparency)”
In particular, did not identify an appropriate lawful basis for the
processing of special category data (SCD).
In its response to the ICO, stated that the processing of SCD was covered
by Article 9(2)(b) which states that;
“processing is necessary for the purposes of carrying out the obligations and
exercising specific rights of the controller or of the data subject in the field of
employment and social security and social protection law in so far as it is
authorised by Union or Member State law or a collective agreement pursuant
to Member State law providing for appropriate safeguards for the fundamental
rights and the interests of the data subject”.
ICO guidance states that examples of such processing of SCD under Article
9(2)(b) would include;
• checking if individuals are entitled to work in the UK;
• ensuring health, safety and welfare of employees;
• maintaining records of statutory sick pay and maternity pay; or
• deducting trade union subscriptions from payroll.
Furthermore, ICO guidance states that the purpose must be to comply with
employment law, or social security and social protection law; and that a data
controller must be able to identify the specific legal obligation or right in question. The condition does not cover processing purely to meet contractual
employment rights or obligations.
The data controller must also be able to justify why the processing is
necessary, and that it is a reasonable and proportionate way of meeting the
specific legal obligation or right.
When asked what obligation under employment law made the processing
necessary, has stated it is to comply with Section 9 of the Working Time
Regulations 1998 (Exhibit 1.3). Specifically, this requires employers to keep
adequate records of timekeeping.
It is the ICO’s view that has not adequately demonstrated that the
processing of biometric data was a necessity and did not provide sufficient
justification as to why other less intrusive methods would not fully meet the
needs identified.
Whilst had stated that alternative methods for meeting the same purpose
had been tried, and were found to be less effective, did not sufficiently
demonstrate why biometric data was the only effective method of achieving
its purpose.
Article 9(2)(b) was not a legitimate legal basis for the processing. This is an
infringement of Article 5(1)(a) as the SCD was not, therefore, processed
lawfully.
• Article 9(1) of the UK GDPR which states that “processing of personal data
revealing racial or ethnic origin, political opinions, religious or philosophical
beliefs, or trade-union membership, and the processing of genetic data,
biometric data for the purpose of uniquely identifying a natural person, data
concerning health or data concerning a natural person's sex life or sexual
orientation shall be prohibited”.
Article 9(2) then proceeds to state “Paragraph 1 shall not apply if one of the
following applies”. Subparagraphs (a) – (j) then list the conditions in which Paragraph 1 does not
apply, and are referred to as the lawful bases for processing.
As stated above, the lawful basis provided by , Article 9(2)(b), was not
valid. This resulted in SCD being processed, despite being prohibited by Article
9(1). This is an infringement of Article (9)(1).
• Article 35 of the UK GDPR which states that “where a type of processing in
particular using new technologies, and taking into account the nature, scope,
context and purposes of the processing, is likely to result in a high risk to the
rights and freedoms of natural persons, the controller shall, prior to the
processing, carry out an assessment of the impact of the envisaged
processing operations on the protection of personal data. A single assessment
may address a set of similar processing operations that present similar high
risks.”
has confirmed that the system had been in use since 2014, but that in
2019 it decided to carry out a PIA as part of its data protection compliance
processes, and in order to take a “fresh view“ of the system and consider any
possible improvements.
As a result of this process, identified what it considered to be minor
improvements that could be made in order to improve transparency in relation
to the use of biometric data.
In fact, should have carried out a Data Protection Impact Assessment
(DPIA) prior to the introduction of the UK GDPR in May 2018.
should have been aware that the introduction of the UK GDPR made
biometric processing a class of SCD, which had not been the case before. This
means that any previous PIA or risk assessment would no longer be adequate,
and a DPIA specific to the UK GDPR requirements was necessary.
The responses provided by demonstrate that no DPIA was carried out
prior to the introduction of the UK GDPR to assess the risks of the biometric
processing.
This is an infringement of Article 35.Further Action Recommended
The Commissioner is aware that has already suspended processing of
biometric processing upon the reopening of its venues, and that its potential
future use is currently under review.
The ICO now requests that a DPIA be carried out by , if not already done so,
before any future biometric processing is considered.
Any future biometric processing, for any purpose, should only be undertaken
once a clear and valid lawful basis for that processing has been identified under
Article 9.
Whilst the above measures are suggestions, I would like to point out that if
further information, incidents or complaints relating to this matter come to light,
we will revisit this matter and formal regulatory action may be considered as a
result.
Further information about compliance with the data protection legislation which is
relevant to this case can be found at the following link:
https://ico.org.uk/for-organisations/guide-to-data-protection/
We actively publicise our regulatory activity and outcomes, as this helps us to
achieve our strategic aims in upholding information rights in the public interest.
We may publish information about cases reported to us, for example where we
think there is an opportunity for other organisations to learn or where the case
highlights a risk or novel issue.
Therefore, we may publish the outcome of this investigation to publicise our
regulatory authority and new powers under the UK GDPR. We will publish
information in accordance with our Communicating Regulatory and Enforcement
Activity Policy, which is available online at the following link:
https://ico.org.uk/media/about-the-
ico/policiesandprocedures/1890/ico enforcement communications policy.pdf
Please let us know if you have any concerns about this.
Thank you for your co-operation and assistance during the course of our
investigation.
