The UK’s data regulator has reprimanded a secondary school in Essex for illegally deploying facial-recognition technology to take cashless canteen payments from students.
Under the UK General Data Protection Regulation (GDPR), the Information Commissioner’s Office (ICO) has the power to serve formal reprimands, as well as fines and other enforcement notices, when organisations break the law.
Due to the high data protection risks associated with processing sensitive biometric data, organisations looking to deploy facial recognition for the processing of children’s information are obliged to carry out data protection impact assessments (DPIAs) to identify and manage risks with the system.
Despite this legal requirement, the ICO found that Chelmer Valley High School in Chelmsford started using the facial-recognition system – supplied by CRB Cunninghams – in March 2023 without ever having completed a DPIA. It said this meant no prior assessment was made of the risks to the information of the 1,200 children attending the school.
“A DPIA is required by law – it’s not a tick-box exercise. It’s a vital tool that protects the rights of users, provides accountability and encourages organisations to think about data protection at the start of a project,” said Lynne Currie, the ICO’s head of privacy innovation.
“Handling people’s information correctly in a school canteen environment is as important as the handling of the food itself. We expect all organisations to carry out the necessary assessments when deploying a new technology to mitigate any data protection risks and ensure their compliance with data protection laws.
“We’ve taken action against this school to show introducing measures such as FRT should not be taken lightly, particularly when it involves children.”
Currie added that while the ICO does not want to deter schools from embracing new technologies, safeguarding children’s privacy and data rights must remain at the forefront.
The regulator also found that the school did not obtain clear consent to process the students’ biometric information, and failed to consult with either them or their parents before implementing the tech.
According to the reprimand, while a letter was sent to parents in March 2023 with a slip for them to return if they did not want their child to participate, there was no option to give consent to the scheme, meaning the school was wrongly relying on assumed consent until November 2023.
The ICO added that because most students were old enough to provide their own consent (under UK data protection law, the age of consent for processing a child’s personal data is 13 years old), the “parental opt-out deprived students of the ability to exercise their rights and freedoms”.
The school also failed to consult with its own data protection officer, which the ICO said it believes would have helped clear up any compliance issues prior to the processing commencing.
To remedy the issues, the ICO said that Chelmer Valley must complete a DPIA and integrate the outcomes back into the project plans prior to any new processing, noting the assessment should “give thorough consideration to the necessity and proportionality of cashless catering, and to mitigating specific, additional risks such as bias and discrimination”.
It added that the school completed a DPIA for the facial-recognition system in November 2023, which was then submitted to the ICO by its DPO, and has since taken remedial steps to obtain explicit opt-in consent from students old enough to give it.
However, it also noted that the reprimand was not legally binding and that following these recommendations was voluntary for the school.
“If in the future the ICO has grounds to suspect that Chelmer Valley High School is not complying with data protection law, any failure by Chelmer Valley High School to rectify the infringements set out in this reprimand (which could be done by following the commissioner’s recommendations or taking alternative appropriate steps) may be taken into account as an aggravating factor in deciding whether to take enforcement action,” it said.
The regulator previously said in 2021 that schools using facial recognition systems should consider less intrusive ways to let pupils pay for meals, while various campaign groups – including Liberty and Defend Digital Me – have long argued that facial recognition and other biometric identification technologies have no place in schools.
The former biometrics commissioner for England and Wales, Fraser Sampson, also previously said there were obvious risks with using biometric data and technology in school settings, which could lead to surveillance being normalised to children.
Computer Weekly contacted Chelmer Valley, but did not receive a response by the time of publication.