It's worse than that. Here's the actual notice from https://ico.org.uk/action-weve-taken/enforcement/serco-leisure-operating-limited-and-relevant-associated-trusts/
TERMS OF THE ENFORCEMENT NOTICE
By no later than the date three months from the date of the Enforcement Notice Serco shall take the following steps:
1. Cease all processing of biometric data for the purpose of employment attendance checks from all Relevant Facilities (and not implement biometric technology at any further facilities).
2. Destroy all biometric data and all other personal and special category data that Serco is not legally obliged to retain, including any such data stored by, or on behalf of Serco (including instructing SWT Software Limited to delete any such data held on behalf of Serco).
The destroy instruction is very vague. ICO really don't know what Serco is "legally obliged to retain"? Why is any of this illegally grabbed bio data under some unstated retention requirement?