Scottish schools’ canteen facial recognition ‘likely infringed’ GDPR: ICO
A letter from the Information Commissioner’s Office (ICO), the UK data protection authority, has told North Ayrshire Council (NAC) that its use of facial recognition for lunch payments in nine schools “is likely to have infringed data protection law under the following Articles of the UK GDPR.”
The 16-page letter (PDF) will likely serve as a warning to other schools and councils to consider carefully whether it would ever be worth using the face biometrics of children as a way for them to pay for lunch.
In October 2021 more than 2,000 pupils at nine schools in North Ayrshire were enrolled to pay for their lunches by presenting themselves in front of a camera operated by staff at the till. The system, installed by CRB Cunninghams, matched the child against the photos registered, and deducted the day’s spending from their account.
It was short-lived: the system also led to controversy over data protection.
The ICO responded rapidly and the council told Biometric Update it deleted all the data immediately in the autumn of 2021. NAC was highly responsive and cooperative throughout, notes the ICO. The resulting investigation and correspondence provide a valuable insight into what an investigation of this kind involves and how organizations such as local councils are ill-prepared for the task of capturing, processing and retaining personal data.
Transparency, consent and DPIAs
The ICO letter lists the articles of UK GDPR that were potentially breached. For the requirement to be ‘Lawful, Fair, and Transparent’ it finds “NAC were unable to demonstrate that there was a valid lawful basis for the processing.” For the ‘Right to be Informed’ the ICO found that while NAC had communicated with children and parents, it had likely not done enough, especially in making the privacy implications clear and understandable to children.
The council’s policy of keeping personal data “for as long as necessary” and for five years after a child has left the school or until their 23rd birthday (whichever is later) did not sit well with the ICO’s reading of the UK GDPR article on ‘Retention’ and was perhaps the most baffling part of the whole issue.
The Data Protection Impact Assessment (DPIA) was incorrect and had not been signed off by either the Data Protection Officer (DPO) or a senior member of NAC prior to the start of biometric data processing.
“Take care to get it right first time – you should not swap to a different lawful basis at a later date without good reason,” the ICO advised the council. “In particular, you cannot usually swap from consent to a different basis.”
The fact that the project concerned children is significant in all countries of the UK, even though the law differs slightly between Scotland and Northern Ireland on the one hand and England and Wales on the other.
“Recital 38 of the UK GDPR makes clear that children are to receive specific protection when processing their personal data as ‘they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data,’” states the letter.
Insufficient information was provided to children and parents for them to be able to consent.
Signed by Ken Macdonald, head of ICO Regions, the letter states that this “correspondence and any response received do not prejudice the potential future use of the Commissioner’s enforcement.”
A spokesperson for North Ayrshire Council told Biometric Update in an email: “We welcome the clarity which has now been received from the Information Commissioner’s Office. Following the initial interest of the Commissioner’s Office in October 2021, we immediately ceased use of the facial recognition system and thereafter deleted all biometric data.”