Support guide

Is biometric clocking in legal in the UK?

Yes — and it is more straightforward than the headlines suggest. The work is in doing it properly: a lawful basis, a clear notice, a DPIA, sensible retention and a real alternative for anyone who objects. Here is the whole picture, in plain English.

By the TempClock compliance team · ~9 min read

The short answer

Biometric clocking in is legal in the UK. No statute prohibits it. What the law does is set a higher bar for the data involved, because a person's face is special category data under the UK GDPR. Clear that bar and you are on solid ground.

In practice, lawful biometric attendance comes down to six things:

  • A lawful basis for the processing under Article 6.
  • A separate Article 9 condition for the special category data.
  • A clear privacy notice telling workers what you collect and why.
  • A completed data protection impact assessment (DPIA).
  • Proportionate safeguards — minimised data, encryption and retention limits.
  • A genuine non-biometric alternative for anyone who objects.

Not legal advice

This guide reflects the UK GDPR, the Data Protection Act 2018 and published ICO guidance. It is general information to help you ask the right questions — it is not a substitute for your own legal advice or your own DPIA.

Why faces are special category data (Art. 9)

Article 9 of the UK GDPR singles out a set of especially sensitive personal data — health, ethnicity, religion and so on — and adds biometric data processed to uniquely identify a person. A facial-recognition clock-in does exactly that: it turns a face into a template and uses it to confirm who someone is.

Processing special category data is prohibited by default. It only becomes lawful when you can point to a condition in Article 9 as well as a lawful basis in Article 6. That is the higher bar — and it is the whole reason biometric attendance needs a little more thought than a fob or a spreadsheet.

Common myth

"Biometric data is banned in the workplace, so facial clock-in is illegal."

The reality

It is restricted, not banned. With an Article 9 condition, a DPIA and safeguards, it is lawful.

Choosing a lawful basis (Art. 6)

Every processing activity needs a lawful basis under Article 6. For workforce attendance, two are usually in the frame. You pick the one that genuinely fits — you cannot swap between them later to suit yourself.

Legitimate interests (Art. 6(1)(f))

Preventing buddy-punching, paying people accurately and keeping an accurate on-site record are legitimate interests. Use this and you must complete a legitimate interests assessment that balances your aim against the worker's rights — and that balance is easier to win when you offer a non-biometric option.

Consent (Art. 6(1)(a))

Consent can be your Article 6 basis, but in an employment relationship the ICO treats it with caution because of the power imbalance. If you rely on consent it must be freely given and as easy to withdraw as to give. See the next section.

Whichever you choose for Article 6, you still need a matching Article 9 condition for the biometric data itself. Explicit consent is the most common condition for workplace biometrics, which is why consent tends to reappear even when legitimate interests is your Article 6 basis.

The DPIA you almost certainly need (Art. 35)

A data protection impact assessment is mandatory under Article 35 where processing is likely to result in a high risk to people. The ICO lists large-scale use of biometric data among the activities that trigger one — so for facial-recognition attendance, assume you need a DPIA and complete it before you go live.

A good DPIA documents:

  • What you collect, how it is processed, and your lawful basis and Article 9 condition.
  • Whether biometrics are necessary and proportionate, or a lighter option would do.
  • The risks to workers, and the safeguards that reduce each one to an acceptable level.
  • The non-biometric alternative and how someone opts out.

If a residual high risk remains after your safeguards, you must consult the ICO before starting. In most attendance deployments, irreversible templates, UK hosting, a tight retention period and a PIN alternative bring the risk well below that line.

What the ICO actually expects

The Information Commissioner's Office is the UK regulator, and its published guidance on biometric data is the practical yardstick. In 2024 the ICO took enforcement action against an employer that used facial recognition and fingerprint scanning for attendance without offering a less intrusive alternative — the lesson being that necessity and proportionality are not optional.

Read across its guidance and the expectations are consistent:

  • Necessity first. Use biometrics only where a lighter method genuinely will not do.
  • An alternative always. No one should be forced to give biometrics to do their job.
  • Transparency. Tell people clearly what is collected, why, and for how long.
  • Data minimisation. Store a template, not a photo library, and keep nothing extra.

Storage, retention and deletion (Art. 5(1)(e))

The storage-limitation principle says you may keep personal data only for as long as you need it. For biometric templates that means a defined retention period, deletion tied to the end of employment, and a separation between the biometric signature and the timesheet record it helped create.

Enrolment

The face becomes an irreversible vector signature. No photograph is retained.

In service

Each clock-in compares live to the stored signature. Only the match score and location are written to the timesheet — not a new image.

Leaver

The biometric signature is deleted on your schedule once the engagement ends — it no longer has a purpose.

Records retained separately

The timesheet and pay record can be kept for the period your payroll and tax duties require — without holding the biometric data any longer.
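The lifecycle above, as an added illustration that is not TempClock's own code: a small in-memory store in which the biometric signature lives in its own table, each clock-in writes only the method, match score, time and location to the timesheet, a PIN route exists for anyone not enrolled biometrically, and offboarding deletes the signature while the timesheet rows stay for payroll retention. Assumptions: a plain float vector stands in for the irreversible template, the 0.90 cosine threshold and PBKDF2 PIN hashing are choices made here, not product settings.

```python
from __future__ import annotations
import hashlib, hmac, math, os
from datetime import datetime, timezone

MATCH_THRESHOLD = 0.90   # assumed acceptance threshold, not a TempClock setting
PBKDF2_ROUNDS = 200_000  # a PIN is low entropy, so hash it slowly and salted

class AttendanceStore:
    def __init__(self) -> None:
        self.signatures: dict[str, list[float]] = {}    # special category data, kept separately (float vector stands in for a template)
        self.pins: dict[str, tuple[bytes, bytes]] = {}  # worker -> (salt, pbkdf2 hash)
        self.timesheet: list[dict] = []                 # never holds an image or a vector
        self.audit_log: list[str] = []                  # append-only by convention

    def enrol(self, worker_id: str, signature: list[float] | None, pin: str) -> None:
        if signature is not None:                       # biometrics are optional; the PIN is not
            self.signatures[worker_id] = signature      # no photograph is retained
        salt = os.urandom(16)
        self.pins[worker_id] = (salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS))
        self.audit_log.append(f"enrol {worker_id} biometric={signature is not None}")

    def _record(self, worker_id: str, method: str, match: float | None, location: str) -> None:
        self.timesheet.append({"worker_id": worker_id, "time": datetime.now(timezone.utc),
                               "method": method, "match": match, "location": location})

    def clock_in_face(self, worker_id: str, live: list[float], location: str) -> bool:
        stored = self.signatures.get(worker_id)
        if stored is None:                              # not enrolled biometrically: use the PIN route
            return False
        # Cosine similarity between stored and live vectors; the live vector is dropped afterwards.
        match = round(sum(x * y for x, y in zip(stored, live)) / (math.hypot(*stored) * math.hypot(*live)), 3)
        if match < MATCH_THRESHOLD:
            return False
        self._record(worker_id, "face", match, location)
        return True

    def clock_in_pin(self, worker_id: str, pin: str, location: str) -> bool:
        salt, expected = self.pins[worker_id]
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, expected):  # constant-time comparison
            return False
        self._record(worker_id, "pin", None, location)
        return True

    def offboard(self, worker_id: str) -> int:
        # Leaver: delete signature and PIN; timesheet rows stay for payroll retention.
        deleted = self.signatures.pop(worker_id, None) is not None
        self.pins.pop(worker_id, None)
        self.audit_log.append(f"offboard {worker_id} signature_deleted={deleted}")
        return sum(1 for r in self.timesheet if r["worker_id"] == worker_id)
```

The point to check in a real deployment is the same one the model makes explicit: a leaver's signature can be deleted without touching a single timesheet row.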

You must offer an alternative

This is the single point that most often separates a lawful deployment from a risky one. A worker who declines facial recognition must still be able to clock in, be paid correctly and appear on the live register. The alternative does not need to be high-tech — a PIN on the same kiosk is enough.

Offering it does two jobs at once: it respects the worker's choice, and it strengthens your necessity-and-proportionality case, because you can show that biometrics are an option you offer rather than a condition you impose.

Risky

"Face scan or you cannot clock in." No real choice — and consent collapses.

Sound

"Use your face, or a PIN — your choice." A genuine option keeps it proportionate.

How TempClock handles it

TempClock is built so that the compliant way is the default way. Each obligation above maps to something the product already does — so you are deciding how to deploy, not building safeguards from scratch.

  • Special category data: faces are stored as irreversible vector signatures, never as photographs. A signature cannot be turned back into an image, which minimises what is held.
  • Liveness and anti-spoofing: ISO/IEC 30107-3 presentation-attack detection defeats photo, video and mask spoofs, so a verified clock-in really is the enrolled person.
  • Data minimisation: each clock-in writes only the match score, time and location to the timesheet (typically a 94% match in under 2s), not a fresh image every shift.
  • UK data residency: all data is held on UK-hosted infrastructure, so there is no international transfer to account for and the data stays within UK GDPR jurisdiction.
  • A real alternative: every kiosk includes a PIN clock-in. A worker who objects can still clock in, be paid correctly and appear on the live on-site board, with no penalty.
  • Subject access and audit: a one-click GDPR SAR export packages everything held on a worker, and every sensitive action is written to an append-only audit log.

A compliance checklist

A short list to take into a deployment conversation. Tick all of these and you are in good shape — and you will have the paperwork to show it.

  • Identify your Article 6 lawful basis and document it.
  • Identify your Article 9 condition for the biometric data.
  • Complete a DPIA before go-live, and keep it under review.
  • Publish a clear, specific privacy notice to workers.
  • Offer a non-biometric alternative on every kiosk.
  • Set a retention period and tie deletion to leavers.
  • Confirm where data is hosted and processed.
  • Be ready to honour subject-access and erasure requests.

Frequently asked questions

Is biometric clocking in legal in the UK?
Yes. There is no law that bans biometric clock-in. Facial data is special category data under UK GDPR, so it is lawful only when you meet the higher bar that applies to that data: a lawful basis under Article 6, a separate condition under Article 9, a clear privacy notice, a data protection impact assessment, proportionate safeguards and a genuine non-biometric alternative for anyone who objects. Meet those and biometric clock-in is entirely legal.

Can we rely on employee consent for biometric clock-in?
Consent is one route, but the ICO is cautious about it in the employment context because of the power imbalance between employer and worker. Consent must be freely given, specific, informed and as easy to withdraw as to give, and an employee who feels they cannot refuse has not truly consented. Many employers instead rely on a different Article 9 condition and offer a PIN or fob alternative so that using biometrics is never a condition of being paid.

Do we need a DPIA for facial recognition clock-in?
In almost all cases, yes. A data protection impact assessment is mandatory under UK GDPR for processing that is likely to result in a high risk to people, and the ICO lists large-scale processing of biometric data as a trigger. A DPIA documents what you collect, why, the risks, and the safeguards that reduce them. It should be completed before you go live, not afterwards.

Where is the biometric data stored, and is it sent abroad?
With TempClock, all data is held on UK-hosted infrastructure. Faces are converted into irreversible vector signatures rather than stored as photographs, and those signatures cannot be turned back into an image. Keeping processing in the UK removes the need for international transfer safeguards and keeps the data within UK GDPR jurisdiction.

How long can we keep biometric data, and what happens when someone leaves?
You may only keep special category data for as long as you have a clear reason to. Set a retention period in your policy, tie deletion of the biometric signature to the end of employment or engagement, and document it. The underlying timesheet record can be retained for the period your payroll and tax obligations require, separately from the biometric signature itself.

What if a worker refuses to use facial recognition?
They must have a workable alternative. TempClock includes a PIN clock-in on every kiosk, so a worker who objects can still clock in, be paid correctly and appear on the live on-site board. Refusing to use biometrics should never stop someone working or being paid on time, and offering the alternative is part of what makes the whole approach proportionate.

Is this guide legal advice?
No. This is general information to help you ask the right questions. It reflects UK GDPR, the Data Protection Act 2018 and published ICO guidance, but your circumstances are specific to you. For a decision you can rely on, take your own advice and complete your own data protection impact assessment.

Where this comes from

The framework above is drawn from UK law and the regulator's own guidance, not opinion. Read the primary sources, then make your own decision with your own advisers.

  • UK GDPR, Article 9
    Processing of special categories of personal data, including biometric data used for identification.
  • UK GDPR, Article 35
    When a data protection impact assessment is required.
  • Data Protection Act 2018
    How the UK GDPR applies domestically, including conditions for special category data.
  • ICO — biometric data guidance
    The regulator's expectations on necessity, proportionality and alternatives.