FB pixel

UK school reprimanded by ICO for using facial recognition without DPIA

Proper consent also not obtained
Categories Biometrics News  |  Facial Recognition  |  Schools
UK school reprimanded by ICO for using facial recognition without DPIA
 

A school in Chelmsford, Essex, has been reprimanded by the Information Commissioner’s Office (ICO) for the unlawful implementation of facial recognition technology (FRT) in its canteen.

Chelmer Valley High School, which serves 1,200 students aged 11-18, began using FRT in March 2023 to facilitate cashless payments. However, the use of FRT, which processes biometric data for individual identification, carries data protection risks, and is regulated by the ICO. Organizations deploying such technology are required by law to conduct a data protection impact assessment (DPIA) to manage these risks.

Chelmer Valley High School failed to perform a DPIA before implementing FRT, neglecting to assess the potential risks to students’ information, the ICO says. Additionally, the ICO reports that the school did not secure clear permission to process students’ biometric data, nor did it offer students the choice to opt-in to the system.

Lynne Currie, ICO head of privacy innovation, emphasizes the importance of proper data handling in school environments. “Handling people’s information correctly in a school canteen environment is as important as handling the food itself,” she says.

“We expect all organizations to carry out the necessary assessments when deploying a new technology to mitigate any data protection risks and ensure their compliance with data protection laws.”

Currie stresses that the ICO’s action against Chelmer Valley High School underscores the gravity of introducing measures like FRT, particularly involving children.

In March 2023, a letter was sent to parents allowing them to opt-out their children from FRT, but the affirmative opt-in consent the law requires was not sought. This oversight continued until November 2023, during which the school relied on assumed consent. The law requires explicit permission, and most students were capable of providing their own consent, which the school did not seek, thus infringing on their rights.

Currie adds: “A DPIA is required by law – it’s not a tick-box exercise. It’s a vital tool that protects the rights of users, provides accountability, and encourages organizations to think about data protection at the start of a project.”

The ICO made five recommendations to the school for how it can ensure compliance with UK GDPR.

Similarly, In October 2021, over 2,000 students across nine schools in Scotland began using facial recognition to pay for their lunches. The system required students to present themselves in front of a camera at the till, where staff operated the technology. The camera matched each student to their registered photo, automatically deducting the day’s meal cost from their account. The ICO informed North Ayrshire Council (NAC) that its use of facial recognition for lunch payments is likely to have infringed data protection law under the following articles of the UK GDPR.

The ICO has been getting steadily busier, despite not taking over the regulation of biometrics as planned, due to the failure of the DPDI Bill. The agency’s total spending for the 2023/24 fiscal year was £11.6 million higher than the previous fiscal year, according to PublicTechnology. The ICO spent 15.3 percent more than the year before, some of it targeted to digital, data and technology work, but largely attributed to increased staffing costs.

Related Posts

Article Topics

 |   |   |   |   |   |   |   | 

Latest Biometrics News

 

iProov biometrics and liveness detection to secure workforce IDs on Microsoft Entra

Enterprise workers using Microsoft Entra ID can now use iProov biometrics and liveness detection to log into company systems through…

 

Malaysia’s prime minister loses it with MyDigital ID’s slow progress

Malaysia’s leader has voiced deep frustration with the slow progress in two key national digital initiatives. This week it was…

 

IDVerse acquired by LexisNexis to boost biometric fraud protection

LexisNexis Risk Solutions has struck a deal to acquire IDVerse adding biometric fraud protection to its portfolio of analytics and…

 

Intellicheck to provide identity validation for Accio Data

Intellicheck, Inc. has announced an integration with Accio Data to streamline background screening checks for job applicants. A release from…

 

UK digital age assurance receives support from stakeholders: Reports

UK’s attempts to legalize digital age assurance technology are likely to be successful, according to media reports. In January, the…

 

Ghana unveils biometric border management system, e-gates at main airport

Ghana has upgraded its border management capabilities with the introduction of a biometric-based system to facilitate immigration controls. The launch…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Viewed This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events