ICO (UK) - Processing of special category biometric data 04102022

From GDPRhub
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 5(1)(a) GDPR; Article 9(1) GDPR; Article 9(2)(b) GDPR; Article 35 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 04.10.2022
Fine: n/a
Parties: n/a
National Case Number/Name: Processing of special category biometric data 04102022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: At33

The Employer used biometric readers in its venues for the purposes of keeping adequate records of time for its employees. The Employer did not have an appropriate lawful basis and Special Category Data exemption for doing so. The Employer had not conducted a Data Protection Impact Assessment (DPIA). The ICO has issued a reprimand.

English Summary

Facts

The Employer used biometric readers in its venues for the purposes of keeping adequate records of time for its employees. The Employer had not conducted a Data Protection Impact Assessment (DPIA).

Holding

The Employer did not identify an appropriate lawful basis for the processing of special category data (SCD) through its biometric readers in its venues. Article 9(2)(b) does not cover processing purely to meet contractual employment rights or obligations. Article 9(2)(b) was not a legitimate legal basis for the processing. This is an infringement of Article 5(1)(a) as the SCD was not, therefore, processed lawfully.

The Employer should have carried out a Data Protection Impact Assessment (DPIA) in respect of this processing prior to the introduction of the UK GDPR in May 2018.

The ICO issued a reprimand to the Employer.

Comment

Further Resources

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Details of reprimand

To confirm, this reprimand has been issued in respect of the following processing operations that have infringed the UK GDPR:

•  Article 5(1)(a) of the UK GDPR which states that personal data shall be “processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency)”

   In particular,      did not identify an appropriate lawful basis for the processing of special category data (SCD).

   In its response to the ICO,      stated that the processing of SCD was covered by Article 9(2)(b) which states that;

   “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject”.

   ICO guidance states that examples of such processing of SCD under Article 9(2)(b) would include;

   • checking if individuals are entitled to work in the UK;
   • ensuring health, safety and welfare of employees;
   • maintaining records of statutory sick pay and maternity pay; or
   • deducting trade union subscriptions from payroll.

   Furthermore, ICO guidance states that the purpose must be to comply with employment law, or social security and social protection law; and that a data controller must be able to identify the specific legal obligation or right in question. The condition does not cover processing purely to meet contractual employment rights or obligations.

   The data controller must also be able to justify why the processing is necessary, and that it is a reasonable and proportionate way of meeting the specific legal obligation or right.

   When asked what obligation under employment law made the processing necessary,      has stated it is to comply with Section 9 of the Working Time Regulations 1998 (Exhibit 1.3). Specifically, this requires employers to keep adequate records of timekeeping.

   It is the ICO’s view that      has not adequately demonstrated that the processing of biometric data was a necessity and did not provide sufficient justification as to why other less intrusive methods would not fully meet the needs identified.

   Whilst      had stated that alternative methods for meeting the same purpose had been tried, and were found to be less effective,      did not sufficiently demonstrate why biometric data was the only effective method of achieving its purpose.

   Article 9(2)(b) was not a legitimate legal basis for the processing. This is an infringement of Article 5(1)(a) as the SCD was not, therefore, processed lawfully.

•  Article 9(1) of the UK GDPR which states that “processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited”.

   Article 9(2) then proceeds to state “Paragraph 1 shall not apply if one of the following applies”. Subparagraphs (a) – (j) then list the conditions in which Paragraph 1 does not apply, and are referred to as the lawful bases for processing.

   As stated above, the lawful basis provided by      , Article 9(2)(b), was not valid. This resulted in SCD being processed, despite being prohibited by Article 9(1). This is an infringement of Article 9(1).

•  Article 35 of the UK GDPR which states that “where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.”

        has confirmed that the system had been in use since 2014, but that in 2019 it decided to carry out a PIA as part of its data protection compliance processes, and in order to take a “fresh view” of the system and consider any possible improvements.

   As a result of this process,      identified what it considered to be minor improvements that could be made in order to improve transparency in relation to the use of biometric data.

   In fact,      should have carried out a Data Protection Impact Assessment (DPIA) prior to the introduction of the UK GDPR in May 2018.

        should have been aware that the introduction of the UK GDPR made biometric processing a class of SCD, which had not been the case before. This means that any previous PIA or risk assessment would no longer be adequate, and a DPIA specific to the UK GDPR requirements was necessary.

   The responses provided by      demonstrate that no DPIA was carried out prior to the introduction of the UK GDPR to assess the risks of the biometric processing.

   This is an infringement of Article 35.

Further Action Recommended


The Commissioner is aware that      has already suspended processing of biometric processing upon the reopening of its venues, and that its potential future use is currently under review.

The ICO now requests that a DPIA be carried out by      , if not already done so, before any future biometric processing is considered.

Any future biometric processing, for any purpose, should only be undertaken once a clear and valid lawful basis for that processing has been identified under Article 9.

Whilst the above measures are suggestions, I would like to point out that if further information, incidents or complaints relating to this matter come to light, we will revisit this matter and formal regulatory action may be considered as a result.

Further information about compliance with the data protection legislation which is relevant to this case can be found at the following link:

https://ico.org.uk/for-organisations/guide-to-data-protection/

We actively publicise our regulatory activity and outcomes, as this helps us to achieve our strategic aims in upholding information rights in the public interest. We may publish information about cases reported to us, for example where we think there is an opportunity for other organisations to learn or where the case highlights a risk or novel issue.

Therefore, we may publish the outcome of this investigation to publicise our regulatory authority and new powers under the UK GDPR. We will publish information in accordance with our Communicating Regulatory and Enforcement Activity Policy, which is available online at the following link:

https://ico.org.uk/media/about-the-ico/policiesandprocedures/1890/ico enforcement communications policy.pdf

Please let us know if you have any concerns about this.

Thank you for your co-operation and assistance during the course of our investigation.