Biometrics at work: convenience, consent, and where the line is in 2026

12Feb 2026 by Sally Freeman No Comments

Pay rise

A fingerprint scanner at the staff entrance. Face ID to clock in. A palm reader to access a secure room. Biometrics in the workplace used to sound like something from a spy film, but it’s now a genuinely live topic for UK employers and employees alike.

Some organisations are adopting biometric systems because they’re convenient and reduce “buddy punching” (one person clocking in for another). Others want tighter physical security or faster access management. And some are experimenting because the technology has become cheaper and more widely available.

The problem is that biometric data is not just another password. You can change a password. You can replace a swipe card. You can’t replace your face or fingerprints if that data is compromised or misused. That’s why UK data protection law treats biometric data used for identification as special category data, with higher expectations around necessity, fairness, transparency, and safeguards.

This article explains what biometrics are being used for at work, why employers are interested, why employees are often sceptical, and what “legitimate” use looks like in practice.

If you want an evidence-led look at how staff acceptance is shaped (and what drives perceived legitimacy), this source is directly relevant: Biometric access in workplaces

Are companies actually using biometrics?

Yes, but adoption is patchy and tends to cluster in certain settings:

  • Time and attendance: fingerprint or facial checks to clock in and out

  • Physical access control: doors, restricted areas, server rooms, labs

  • Device and system access: biometric login to phones, laptops, or secure apps

  • High-integrity environments: sites where access needs strong assurance, or where card sharing is a recurring risk

That said, the UK regulatory environment has become clearer and, in some cases, tougher on employers using biometrics where it’s not strictly necessary. In 2024, the UK Information Commissioner’s Office (ICO) took enforcement action against Serco Leisure and associated trusts over facial recognition and fingerprint scanning used for staff attendance monitoring, criticising the lack of a genuine alternative and the imbalance of power in the employment context.

That case matters because it signals something many employees already feel: even when a biometric system is presented as “optional”, workplace dynamics can make it feel compulsory.

Why employers like biometrics

From an employer’s perspective, biometrics can look like a tidy solution to messy problems:

1) “It’s faster and more secure”
Biometric verification can be quick. It removes the need to reset passwords, issue cards, or manage PIN codes. The logic is straightforward: “something you are” is harder to lose or share than “something you have”.

2) “It reduces time theft”
Time and attendance biometrics are often sold as an anti-fraud tool. In large workforces where shift start times matter, a system that verifies the person at the scanner is the person on the rota can sound compelling.

3) “It improves compliance and audit trails”
Some sectors like strong access control records. Biometrics may be pitched as a way to prove who accessed what and when.

4) “It’s cheaper in the long run”
Once installed, biometric systems can reduce admin around lost cards and manual corrections.

The catch is that “convenient” is not the same as “necessary”, and “technically possible” is not the same as “lawful and fair”.

Why employees often don’t accept it

Employee resistance tends to be less about being anti-technology and more about trust and proportionality.

1) Power imbalance and real consent
In theory, biometrics might rely on consent. In practice, consent in employment can be questionable because staff may feel they can’t refuse without consequences. UK privacy regulators explicitly warn that consent can be difficult to rely on in employer–employee relationships for this reason.

2) “What else will this be used for?”
A fingerprint scanner for clocking in can feel like the thin end of the wedge. Staff worry about function creep: today it’s attendance, tomorrow it’s productivity scoring or disciplinary triggers.

3) Permanence and breach risk
Biometric data is sensitive partly because it’s effectively permanent. If compromised, the harm can be long-lasting.

4) Fairness and error
Some biometric systems perform better for some groups than others, or produce false rejections that create friction and stigma. Even if the error rate is low, the impact lands on individuals.

5) Workplace culture and perceived surveillance
If the workplace already feels heavily monitored, biometrics can intensify that feeling. UK HR research has repeatedly noted that monitoring technologies can damage trust if introduced without clear justification and safeguards.

Biometrics vs monitoring: the important distinction

Not all biometric use is the same. There’s a meaningful difference between:

  • Access verification: using a biometric check instead of a card to unlock a door

  • Ongoing monitoring: using biometrics as part of attendance enforcement or performance management

Both involve sensitive data, but employees tend to perceive access verification as more legitimate when it’s clearly tied to safety or security, and less legitimate when it’s tied to control and discipline.

That distinction is one reason the Serco enforcement story resonated: it wasn’t about a high-security lab. It was about everyday attendance monitoring where alternatives could exist.

What the law and guidance push employers to do

The ICO’s guidance is clear on two essentials:

  1. Biometric recognition needs a lawful basis, and because it’s special category data, it also needs a specific condition for processing.

  2. A Data Protection Impact Assessment (DPIA) is likely required for biometric identification/verification in many scenarios, because of the heightened risk to individuals.

For employees, you don’t need to memorise the legal tests. But you can use them as a practical checklist for legitimacy:

  • Is there a clear explanation of what the system does, and what it does not do?

  • Is the purpose specific and proportionate (security vs convenience vs control)?

  • Is there a genuine alternative to biometrics that doesn’t disadvantage staff?

  • Is the system the least intrusive way to achieve the goal?

  • What is stored (templates vs images), for how long, and who can access it?

  • What happens if it fails, misidentifies, or wrongly rejects you?

  • What is the process to raise concerns without retaliation?

If those questions are met with vague reassurance rather than concrete answers, that’s usually a sign the organisation hasn’t earned legitimacy yet.

What “good practice” looks like in the real world

A biometric system is far more likely to be accepted when employers treat it as a trust project, not just an IT rollout.

1) Prove necessity, not preference
If the justification is “it’s quicker”, that rarely lands well. If the justification is “we have a defined security risk that other methods haven’t controlled”, acceptance improves.

2) Offer a real alternative
This is a big one. If an employee who opts out is made to queue, sign a separate log, or is treated like a problem, the “choice” is meaningless. The ICO has signalled that lack of a proper alternative is a serious issue.

3) Minimise what you collect and store
Good systems store biometric templates rather than raw images, limit access tightly, and delete data promptly when it’s no longer needed.

4) Be transparent about retention and sharing
Who is the vendor? Where is data stored? Is it processed on-device or in the cloud? These details shape perceived legitimacy.

5) Involve staff early
Consultation matters. Not as a tick-box, but as genuine engagement: what worries people, what alternatives exist, what safeguards will be built, and what governance exists if the tool starts being used for new purposes.

What employees can do if biometric rollout feels wrong

If you’re an employee facing a biometric rollout you’re uncomfortable with, there are sensible steps that don’t require confrontation:

  • Ask for the written privacy information (what data is processed, why, and for how long).

  • Ask whether there is a non-biometric option and how it works in practice.

  • Ask whether a DPIA has been done and what risks were identified (you may not get the full document, but you can ask what mitigations were put in place).

  • Raise concerns collectively where possible — when multiple employees ask the same questions, the employer is more likely to respond seriously.

  • If you have a union or staff forum, use it. If not, use the employer’s data protection contact route.

Your goal is clarity and proportionality: biometrics should not be introduced by stealth or by pressure.

The bottom line

Biometrics in the workplace can be legitimate in the right context, especially where security needs are real and alternatives are weak. But because biometric data is uniquely sensitive — and because employment is a power-imbalanced relationship — organisations need a higher standard of justification and care than they sometimes assume.

Employees tend to accept biometrics when they see three things: genuine necessity, genuine choice, and genuine safeguards. Without those, “convenience” starts to look like surveillance, and trust is lost faster than any access system can save time.

Further reading:

  • ICO guidance on biometric recognition (UK GDPR):

  • ICO guidance on processing biometric data lawfully:

  • ICO examples of high-risk processing and DPIA expectations (includes biometrics):

  • CIPD on employee monitoring and trust considerations:

  • Reuters report on the ICO enforcement action involving workplace biometrics:

Leave a Reply

Your email address will not be published. Required fields are marked *