England updates guidance – not legislation – for biometrics use in schools
Just as schools broke up for the summer holidays, the Department for Education released updated guidance for the protection of biometric data in England’s schools. The release follows the recent release of a wide-ranging review of the use of biometrics in the UK which called for new legislation.
First published in 2012 when the Protection of Freedoms Act required schools to obtain written parental consent for storing biometrics, it was next updated in 2018 to extend the use of biometric data to further education colleges (one of the options for students aged 16 to 18). This latest update incorporates changes to the Data Protection Act 2018 and UK GDPR, and provides more detail on schools’ responsibilities as data controllers.
Education is a devolved matter in the UK, and Wales got its homework in a little earlier, publishing on 4 July, and making it look very much like England was loafing. The Welsh version is significantly longer and more detailed in parts. The Welsh guidance received some positive feedback for clarifying a complex and messy area.
In both countries, the document is not about whether schools should use biometrics, but guidance as to how to use the technologies and process the personal data legally, and to consider whether biometrics are proportionate to the task at hand.
The guidance outlines the requirements of the Data Protection Act, UK GDPR and Protections of Freedoms Act 2012 and the principles such as purpose limitation, data minimization, storage limitation and lawfulness.
It explains how biometric data is special category data according to UK GDPR and as such can only be processed when the data processor has identified a lawful basis. It states that schools as data controllers also need to ensure that any processing of biometric data by a third party (and biometric canteen payments generally are via third parties) also complies with the various acts.
Schools must carry out Data Protection Impact Assessments, and there are links to the Information Commissioner’s Office (ICO) for templates, as well as instructions as to when consent from the ICO may be required.
Guidance vs legislation
A few days before Wales released its new guidance, papers released by the Ada Lovelace Institute including the vast Ryder Review, a three-year investigation into biometrics and the law in England and Wales, found that new legislation is needed.
None of those who gave evidence to the review believed that the law was adequate at present.
Recommendation number one from the Ryder Review: “There is an urgent need for a new, technologically neutral, statutory framework. Legislation should set out the process that must be followed, and considerations that must be taken into account, by public and private bodies before biometric technology can be deployed against members of the public.”
A recent review of the use of biometrics in UK schools by Pippa King and Jen Persson found that three-quarters of secondary schools are using fingerprints or other biometrics. The Biometrics and Surveillance Camera Commissioner, Fraser Sampson, wrote in the report’s foreword: “Some – including, surprisingly, the Department for Education – appear to have taken the view that bare compliance with Chapter 2 of the [Protection of Freedoms] Act is all that is required to ensure the lawful, ethical and accountable use of biometric surveillance in schools.”
“There should be no biometric technology in schools. Other methods of student identification should be used under GDPR and Data Protection Act 2018 and is adequate for use in schools. Under GDPR Sweden, France and Bulgaria have banned facial recognition in schools and Poland banned fingerprint readers,” King told Biometric Update in an email.
“Florida banned biometrics in schools in 2014 and a hold on biometric technology had come into force in New York State and Colorado education systems. Schools can operate without using children’s biometric data,” she adds.
“Why is the DfE endorsing the use of biometrics in schools, using children’s most sensitive personal data, when it simply is not warranted?”
This post was updated at 1:44pm Eastern on July 27, 2022 to include comment from Pippa King.