We have issued a reprimand to a school that broke the law when it introduced facial recognition technology (FRT).
Chelmer Valley High School, in Chelmsford, Essex, first started using the technology in March 2023 to take cashless canteen payments from students.
FRT processes biometric data to uniquely identify people and is likely to result in high data protection risks. To use it legally and responsibly, organisations must have a data protection impact assessment (DPIA) in place. This is to identify and manage the higher risks that may arise from processing sensitive data.
Chelmer Valley High School, which has around 1,200 pupils aged 11-18, failed to carry out a DPIA before starting to use the FRT. This meant no prior assessment was made of the risks to the children’s information. The school had not properly obtained clear permission to process the students’ biometric information and the students were not given the opportunity to decide whether they did or didn’t want it used in this way.
Lynne Currie, ICO Head of Privacy Innovation, said:
“Handling people’s information correctly in a school canteen environment is as important as the handling of the food itself. We expect all organisations to carry out the necessary assessments when deploying a new technology to mitigate any data protection risks and ensure their compliance with data protection laws.
“We’ve taken action against this school to show introducing measures such as FRT should not be taken lightly, particularly when it involves children.
“We don’t want this to deter other schools from embracing new technologies. But this must be done correctly with data protection at the forefront, championing trust, protecting children’s privacy and safeguarding their rights.”
Chelmer Valley High School also failed to seek opinions from its data protection officer or consult with parents and students before implementing the technology.
In March 2023, a letter was sent to parents with a slip for them to return if they did not want their child to participate in the FRT. Affirmative ‘opt-in’ consent wasn’t sought at this time, meaning until November 2023 the school was wrongly relying on assumed consent. The law does not deem ‘opt out’ a valid form of consent and requires explicit permission. Our reprimand also notes most students were old enough to provide their own consent. Therefore, parental opt-out deprived students of the ability to exercise their rights and freedoms.
Ms Currie added:
“A DPIA is required by law – it’s not a tick-box exercise. It’s a vital tool that protects the rights of users, provides accountability and encourages organisations to think about data protection at the start of a project.”
We have provided Chelmer Valley High School with recommendations for the future.
Notes to editors
- FRT was provided by a third party provider which acts as a processor on behalf of the school.
- A DPIA does not eradicate all risk, but goes some way to minimise and determine whether or not the level of risk is acceptable in the circumstances; taking into account the benefits of what you want to achieve.
- Under UK GDPR, failure to carry out a DPIA when required may leave you open to enforcement action, including a fine of up to £8.7 million, or 2% global annual turnover if higher.
- More information on DPIAs and their importance is available on the ICO’s website, as well as detailed guidance about biometric data.
- In 2023 the ICO published a statement and letter to North Ayrshire Council about the use of FRT in schools.
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
- The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.