UK school reprimanded by ICO for using facial recognition without DPIA
A school in Chelmsford, Essex, has been reprimanded by the Information Commissioner’s Office (ICO) for the unlawful implementation of facial recognition technology (FRT) in its canteen.
Chelmer Valley High School, which serves 1,200 students aged 11-18, began using FRT in March 2023 to facilitate cashless payments. However, the use of FRT, which processes biometric data for individual identification, carries data protection risks, and is regulated by the ICO. Organizations deploying such technology are required by law to conduct a data protection impact assessment (DPIA) to manage these risks.
Chelmer Valley High School failed to perform a DPIA before implementing FRT, neglecting to assess the potential risks to students’ information, the ICO says. Additionally, the ICO reports that the school did not secure clear permission to process students’ biometric data, nor did it offer students the choice to opt in to the system.
Lynne Currie, ICO head of privacy innovation, emphasizes the importance of proper data handling in school environments. “Handling people’s information correctly in a school canteen environment is as important as handling the food itself,” she says.
“We expect all organizations to carry out the necessary assessments when deploying a new technology to mitigate any data protection risks and ensure their compliance with data protection laws.”
Currie stresses that the ICO’s action against Chelmer Valley High School underscores the gravity of introducing measures like FRT, particularly involving children.
In March 2023, a letter was sent to parents allowing them to opt their children out of FRT, but the affirmative opt-in consent the law requires was not sought. This oversight continued until November 2023, a period during which the school relied on assumed consent. The law requires explicit permission, and most students were capable of providing their own consent, which the school did not seek, thus infringing on their rights.
Currie adds: “A DPIA is required by law – it’s not a tick-box exercise. It’s a vital tool that protects the rights of users, provides accountability, and encourages organizations to think about data protection at the start of a project.”
The ICO made five recommendations to the school for how it can ensure compliance with UK GDPR.
Similarly, in October 2021, over 2,000 students across nine schools in Scotland began using facial recognition to pay for their lunches. The system required students to present themselves in front of a camera at the till, where staff operated the technology. The camera matched each student to their registered photo, automatically deducting the day’s meal cost from their account. The ICO informed North Ayrshire Council (NAC) that its use of facial recognition for lunch payments is likely to have infringed data protection law under the following articles of the UK GDPR.
The ICO has been getting steadily busier, despite not taking over the regulation of biometrics as planned, due to the failure of the DPDI Bill. The agency’s total spending for the 2023/24 fiscal year was £11.6 million higher than the previous fiscal year, according to PublicTechnology. The ICO spent 15.3 percent more than the year before, some of it targeted to digital, data and technology work, but largely attributed to increased staffing costs.