Facial Recognition Technology: skip the DPIA and face the consequences

Facial Recognition Technology: skip the DPIA and face the consequences

The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has issued a reprimand to a school in Essex in respect of its use of facial recognition technology (FRT) which infringed the UK GDPR.

The data controller, Chelmer Valley High School, are an academy school located in Essex providing education for around 1,200 students ages 11 to 18. The reprimand concerned FRT which processes biometric data to uniquely identify people and is likely to result in high data protection risks. The school had been using fingerprint technology to manage the cashless catering and canteen since 2016 and introduced FRT in March 2023.

The school was reprimanded for failing to:

  1. Complete a data protection impact assessment (DPIA) – organisations must carry out a DPIA before you process personal data when the processing is likely to result in a high risk to the rights and freedoms of individuals. Under Article 35(4) of the UK GDPR, the ICO has published a list of processing activities that require a DPIA to be completed prior to the processing. The published list states that the processing of biometric data requires a DPIA where this is combined with any of the criteria from the European guidelines. These guidelines include the processing of data concerning vulnerable data subjects (such as children), and the use of new technological solutions. The school’s DPO has not completed a DPIA prior to the introduction of FRT in March 2023. Instead it was completed in November 2023 after the FRT had already been introduced.
  2. Seek valid explicit consent from the students for the processing of biometric personal data – it had been relying on assumed consent for facial recognition, except where parents or carers had opted children out of the processing. Article 4(11) of the UK GDPR is clear that consent requires an affirmative action, and as such consent on an opt-out basis would not have been valid or lawful. Further to this, the majority of students would have been considered sufficiently competent to provide their own consent given Article 8 of the UK GDPR sets the age of which a child can give consent to the processing of personal data at 13 years old. The parental opt-out deprived students of the ability to exercise their rights and freedoms in relation to the processing between March and November 2023. The school has since refreshed consents by obtaining explicit opt-in consent from students.
  3. Seek advice from their Data Protection Officer and consulting with parents or students before commencing with the processing. The ICO believed that had the school sought advice from their DPO, many of the compliance issues would have been identified prior to the processing commencing.

The reprimand recommends several further actions the school should take. Although such recommendations are not legally binding directions, it includes: completing a DPIA prior to new processing operations, or upon changes to the nature, scope, context or purposes of processing for activities that pose a high risk to the rights and freedoms of data subjects; amend the current DPIA to give thorough consideration to the necessity and proportionality of cashless catering, and to mitigating specific, additional risks such as bias and discrimination; and amend privacy information given to students so that it provides for their information rights under the UK GDPR in an appropriate way.

This enforcement action exemplifies of the importance of completing a DPIA prior to commencing any processing that is likely to result in a high risk to the rights and freedoms of individuals – it is clear that completing a DPIA as a “tick-box” exercise after commencing the processing will not be enough to comply with data protection laws.

If you would like to keep up to date on the latest in data protection, please get in touch to subscribe to our newsletter, The Data Download.

Recent posts

Previous
Next
The UK's data protection regulator publishes a new code of conduct for UK private investigators and litigation services
Read more
Unable to row the distance: No copyright in a rowing machine as a work of artistic craftsmanship (WaterRower v Liking)
Read more
The wait is over – Sky v SkyKick decision handed down today
Read more
Autumn Budget 2024: Headlines
Read more
The Final Word
Read more
The UK's new Data (Use and Access) Bill has been introduced into Parliament
Read more
New reforms but a long wait for change: government publishes Employment Rights Bill draft
Read more
The UK's Data Protection Regulator begins its modernisation plans
Read more
A cautionary tale of lessons learnt in cases involving crypto fraud from D'Aloia v Persons Unknown Category A & Ors [2024]
Read more
‘This is a true story’: A lesson learnt from ‘Baby Reindeer’ for shows dramatising the lives of real people
Read more

More from this author

Previous
Next
The UK's data protection regulator publishes a new code of conduct for UK private investigators and litigation services
Read more
The UK's new Data (Use and Access) Bill has been introduced into Parliament
Read more
The new UK government announce the Digital Information and Smart Data Bill
Read more
What businesses should consider before implementing monitoring
Read more
'Consent or pay’: the EDPB’s two cents on the right model
Read more
The Government moves to address unlawful immigration exemption under the Data Protection Act 2018
Read more
Byte by Byte: The progress of the UK Data Protection and Digital Information Bill
Read more
The UK Government bridges the gap for UK-US personal data transfers
Read more
The Culture, Media and Sport Committee’s recommendations on monitoring employees
Read more
DATA DEFENCE IN THE METAVERSE: IT'S NOT A GAME
Read more
The Government’s attempts to safeguard the immigration exemption under the Data Protection Act fails in the High Court
Read more
Navigating the grey areas of AI ethics: ICO's updated guidance provides clarity on utilising AI
Read more
EDPB releases lukewarm opinion on the EU-US Data Privacy Framework
Read more
ICO focusses on child protection in latest guidance to the games industry
Read more
Government to replace the UK GDPR
Read more

Share this page