The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has issued a reprimand to a school in Essex in respect of its use of facial recognition technology (FRT) which infringed the UK GDPR.
The data controller, Chelmer Valley High School, is an academy school located in Essex providing education for around 1,200 students aged 11 to 18. The reprimand concerned FRT, which processes biometric data to uniquely identify people and is likely to result in high data protection risks. The school had been using fingerprint technology to manage its cashless catering and canteen since 2016 and introduced FRT in March 2023.
The school was reprimanded for failing to:
- Complete a data protection impact assessment (DPIA) – organisations must carry out a DPIA before they process personal data where the processing is likely to result in a high risk to the rights and freedoms of individuals. Under Article 35(4) of the UK GDPR, the ICO has published a list of processing activities that require a DPIA to be completed prior to the processing. The published list states that the processing of biometric data requires a DPIA where this is combined with any of the criteria from the European guidelines. These criteria include the processing of data concerning vulnerable data subjects (such as children) and the use of new technological solutions. The school’s DPO had not completed a DPIA prior to the introduction of FRT in March 2023. Instead, it was completed in November 2023, after the FRT had already been introduced.
- Seek valid explicit consent from the students for the processing of biometric personal data – the school had been relying on assumed consent for facial recognition, except where parents or carers had opted children out of the processing. Article 4(11) of the UK GDPR is clear that consent requires an affirmative action, so consent on an opt-out basis would not have been valid or lawful. Further to this, the majority of students would have been considered sufficiently competent to provide their own consent, given that Article 8 of the UK GDPR sets the age at which a child can give consent to the processing of personal data at 13 years old. The parental opt-out deprived students of the ability to exercise their rights and freedoms in relation to the processing between March and November 2023. The school has since refreshed consents by obtaining explicit opt-in consent from students.
- Seek advice from its Data Protection Officer and consult with parents or students before commencing the processing. The ICO believed that, had the school sought advice from its DPO, many of the compliance issues would have been identified before the processing commenced.
The reprimand recommends several further actions the school should take. Although such recommendations are not legally binding directions, they include: completing a DPIA prior to new processing operations, or upon changes to the nature, scope, context or purposes of processing, for activities that pose a high risk to the rights and freedoms of data subjects; amending the current DPIA to give thorough consideration to the necessity and proportionality of cashless catering, and to mitigating specific, additional risks such as bias and discrimination; and amending the privacy information given to students so that it provides for their information rights under the UK GDPR in an appropriate way.
This enforcement action exemplifies the importance of completing a DPIA prior to commencing any processing that is likely to result in a high risk to the rights and freedoms of individuals: it is clear that completing a DPIA as a “tick-box” exercise after the processing has commenced will not be enough to comply with data protection law.
If you would like to keep up to date on the latest in data protection, please get in touch to subscribe to our newsletter, The Data Download.