Chelmer Valley High School in Chelmsford, Essex, has received a formal reprimand from the U.K.’s Information Commissioner’s Office (ICO) for using facial recognition technology (FRT) without obtaining specific opt-in consent from students.
The school began using FRT for cashless lunch payments in March of 2023, supplied by CRB Cunninghams, but failed to conduct a required Data Protection Impact Assessment (DPIA) beforehand. The DPIA, submitted almost a year later in January of 2024, was supposed to identify and manage the higher risks associated with processing sensitive biometric data.
The ICO’s reprimand highlights an important privacy issue involving biometric data in schools, with debate having intensified after New York became the first U.S. state to ban facial recognition in schools last year. Schools in the U.K. have used fingerprint technology for years, but the COVID-19 pandemic accelerated the adoption of contactless payments, including FRT.
The ICO intervened after several Scottish schools adopted facial recognition technology in 2021, showing a growing trend and concern over the use of such technology in educational settings.
The ICO criticized Chelmer Valley High School for failing to obtain “clear permission” to process students’ facial scans. The school informed parents through a letter that presented the technology as an opt-out program, which contravenes Article 4(11) of the U.K. GDPR. The regulation requires “clear affirmative action” for consent, a standard the school did not meet because it assumed consent unless parents returned a form explicitly stating their refusal.
The ICO pointed out that children over 13 can provide their own consent for data processing under U.K. GDPR, but the school’s opt-out approach deprived students of the opportunity to exercise their rights. While the ICO has the power to impose substantial fines for data privacy breaches, it opted for a public reprimand in this case, considering it was the school’s first offense.
Lynne Currie, ICO’s head of privacy innovation, stressed, “We don’t want this to deter other schools from embracing new technologies. But this must be done correctly with data protection at the forefront, championing trust, protecting children’s privacy and safeguarding their rights.”
Earlier this year, the ICO ordered a government contractor, Serco Group, to halt its use of biometric time and attendance systems for staff in its leisure business. The ICO’s latest action further underscores its commitment to enforcing the U.K.’s rules around biometric data.
Sources: TechCrunch, ICO
July 23, 2024 – by Cass Kennedy