
As monitoring technologies become more sophisticated, regulators are increasingly willing to crack down on employers who infringe on employee privacy. The UK Information Commissioner’s Office (ICO) has made clear that workplace surveillance must be necessary, proportionate, transparent, and grounded in a lawful basis. Fall short, and the consequences can be serious — ranging from regulatory intervention to significant financial and reputational damage.
Serco Leisure: A warning for employers
A recent and highly publicised example of overreach is Serco’s use of facial recognition and fingerprint scanning to monitor staff attendance. The company deployed biometric tools across several sites without carrying out a proper Data Protection Impact Assessment (DPIA) and without considering less intrusive alternatives, such as ID cards.
The ICO found multiple breaches, including:
- use of intrusive biometric data without adequate justification
- failure to show the monitoring was necessary or proportionate
- insufficient assessment of risks to employees’ privacy
- lack of appropriate transparency and safeguards.
As a result, the ICO gave Serco Leisure 3 months to comply with its order to stop using the technology and delete most of the biometric data, or face potential fines of up to £17.5 million or 4% of global turnover. The case demonstrates the high regulatory bar for using biometric monitoring and the importance of completing a DPIA before implementation.
Employee-led challenges regarding monitoring abuse
Employees can take action and report a business if they think monitoring is being mishandled. Workers may:
- file complaints with the ICO
- seek court orders requiring compliance with data protection laws
- claim compensation where unlawful monitoring has caused financial loss or distress.
Failure to provide clear privacy information – a common pitfall – can itself trigger a complaint or investigation.
The risk of unlawful covert monitoring
The ICO treats covert surveillance as a last resort, lawful only in exceptional circumstances, typically involving suspected criminal activity. Even then, it must be tightly targeted and time-limited. Employers who use covert monitoring without exhausting less intrusive options risk serious regulatory consequences.
A compliance culture is essential
The message from recent enforcement activity is clear: monitoring must be proportionate, well-justified, and grounded in a strong governance framework. Employers who embed DPIAs, transparency, and documented decision making into their processes significantly reduce the risk of sanctions – and help maintain trust with their workforce.