top of page

Everything about Facial Recognition Technology and how is it relevant in the field of employment?

Facial Recognition Technology or FRT has gained immense relevance in the sector of employment as HR departments are finding it beneficial to manage employees.

Further to this general trend, the COVID-19 pandemic, with the resulting enforced movement to home working for many employers and employees, has prompted employers to consider new ways of monitoring and managing staff, including FRT.

In this article, we look at how FRT works, where we are seeing its use in the employment sphere, and some of the risks and pitfalls when implementing FRT at work.

1. FRT – how it works

Facial recognition is the process of identifying or verifying the identity of a person using their face. FRT captures analyses and compares patterns based on the person's facial details. In simple terms, it works using the application of algorithms as follows:

  • Step 1: detecting and locating a human face or faces in images and videos.

  • Step 2: transformation of analogue information (a face) into a set of digital data based on the person's facial features, which can then be applied.

  • Step 3: verifying whether two images match, based on the digital information collected.

2. How are employers using FRT?

The use of FRT in the workplace has become more widespread over the past few years and is now used in multiple ways in the employment context.

Streamlining Recruitment

FRT-based software can be applied to analyze the facial expressions, vocabulary and tone of voice of candidates and then rank each candidate based on an automatically generated ‘employability’ score. Firms such as Vodafone, Unilever and Intel, as well as the likes of Goldman Sachs and JP Morgan, are all reportedly using this type of software to improve efficiency in recruitment. Unilever is reported to have claimed that its average recruitment time has been cut by 75% as a result of such processes.

Attendance tracking and time-recording

Traditional attendance tracking and clock-in/time recording systems are open to abuse, particularly at sites where lots of people regularly come and go. FRT was adopted early in certain sectors, such as manufacturing and construction, where it can be difficult to monitor accurate on-site attendance and where the practice of workers clocking in for absent colleagues could be an issue. It has also seen growth in other sectors in recent years. The software usually requires the worker to enter a unique pin code and then stand in front of a camera while their identify is verified by FRT.

Monitoring activity and productivity

The use of FRT technology in monitoring employee productivity has accelerated in 2020. As COVID-19 imposed home working arrangements on many businesses, employers have looked for ways to maintain oversight over their workforce remotely.

One increasingly common monitoring solution grants the employer access to an employee’s camera and uses FRT to monitor when the employee is present. We have seen a particular growth in this type of solution during lockdown, perhaps reflective of the common concerns employers cite regarding remote working arrangements. This has been particularly prevalent in the financial services sector where security compliance is a specific concern, but we are increasingly seeing employers in other sectors considering these types of solution.

Compliance & security

FRT is increasingly being applied to restrict access and to check the identity of workers as they enter and exit the workplace, or certain areas of the workplace.

Firms are also increasingly adopting FRT to assist with security and compliance obligations. Unsurprisingly, this is more prevalent in highly regulated areas, such as the financial services sector, where companies are subject to strict compliance obligations.

For example, earlier this year, Pricewaterhouse Coopers (“PwC”) developed an FRT-based tool that would allow clients to track their employees whilst they worked from home. The system reportedly uses employees’ webcams to log absences from their desks and forces them to give a written explanation for time spent away from their computer screens. PwC said in a statement that they are “developing [the] technology specifically to support the compliance environment required for traders and front office staff in financial institutions. Crucially it is designed to support those adhering to the regulations while remote working, in the least intrusive, pragmatic way.”

More recently we have seen companies considering pairing thermal cameras with facial recognition software and personnel directories as part of their COVID-19 health & safety protocols adopted by employers as staff return to the workplace.

3. What about processing this data?

The use of FRT in the employment context involves the processing of an employee’s personal data and therefore the GDPR and the Data Protection Act 2018 apply. Deployment of FRT in the workplace must be necessary and proportionate to the aims the employer is seeking to achieve (e.g. preventing and detecting unlawful acts committed in the workplace). Where such aims can be achieved through less intrusive methods, the deployment of FRT may not be lawful. Any interference with fundamental rights (including the employees’ right to data protection and privacy) must be demonstrably necessary, rather than just convenient, with the standard for this test becoming more stringent as the interference becomes greater.

FRT involves the processing of biometric data

FRT involves the processing of biometric data, irrespective of whether the image yields a match or the biometric data is subsequently deleted in a short space of time. Biometric data used for the purpose of uniquely identifying an individual is a special category of personal data (i.e. sensitive data). Employers must therefore ensure -

  1. That they have a lawful basis for the each of the purposes involving the processing of personal data for the FRT; and

  2. That they also identify a special category condition.

  • The relevant lawful basis and the relevant condition may differ depending on the purposes for which the FRT is deployed. FRT could be used for preventing crime, for authentication, or for other purposes. Each of these applications of the FRT could require different lawful bases and special category conditions.

  • Processing special category data is prohibited unless one of an exhaustive list of conditions applies. The relevant conditions are limited, particularly for employers. Generally, the two conditions relevant to FRT are: (1) explicit consent; and (2) substantial public interest. The former is difficult in the employment context as consent is unlikely to be deemed “freely given”, taking into account the imbalance of power in the employment relationship. Therefore, substantial public interest would be the most viable condition on which employers would seek to rely.

Artificial intelligence (AI)

FRT relies on AI to function and it is therefore important for employers to ensure that the vendor supplying the AI tool has carefully considered their obligations under data protection law. The Information Commissioner’s Office (“ICO”), the UK data protection supervisory authority, has released guidance on AI including draft guidance on the AI auditing framework. Employers should be comfortable with how the technology works and that it will not inadvertently lead to discrimination, which can be even more pronounced in the employment context as discussed below.

Automated decision-making

FRT often involves the use of automated decision-making. Article 22(2) GDPR prohibits automated individual decision-making unless the processing is based on performance of a contract, is authorized by EU or UK law or is based on the individual’s explicit consent (noting that an additional condition must also apply for special category data).

To the extent that the FRT could be used to take decisions with a legal or similarly significant effect on employees, then employers should consider whether the processing can benefit from one of the exceptions in Article 22(2) GDPR (i.e. contractual necessity, legal necessity or explicit consent). Examples of legal effects given in guidance issued by the European Data Protection Board (“EDPB”) include denying someone an employment opportunity or put them at a serious disadvantage – all of which are relevant to the common uses of FRT in the employment sphere.

4. What are the main issues with FRT?