Data Protection Law and Using Biometric Data in Schools

Posted: 5 September 2024

The Information Commissioner’s Office recently issued a reprimand to Chelmer Valley High School of Chelmsford, Essex, because it was found to be in breach of Article 35(1) of the UK General Data Protection Regulation (UK GDPR). That article provides that a data controller must, prior to the processing of personal data, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data, where this processing is likely to result in a high risk to the rights and freedoms of natural persons. 

Chelmer Valley High School (CVHS) introduced facial recognition technology for the purpose of managing its cashless catering system in March 2023. The Data Protection Officer for the school contacted the Information Commissioner’s Office (ICO) on 29 January 2024 and provided a Data Protection Impact Assessment for the biometric data processing, which had been completed in November 2023. No Data Protection Impact Assessment had been completed prior to November, so CVHS had not finalised its Data Protection Impact Assessment ahead of the introduction of the facial recognition technology in March.

Non-Compliance with UK GDPR

The ICO discovered that from March 2023 until November 2023, CVHS had been relying on assumed consent for the processing of the biometric data, except where parents and/or carers had opted out. This did not comply with Article 4(11) of the UK GDPR, which provides that consent requires affirmative action. Consent on an opt-out basis could not be valid or lawful.

This is not the first time this has happened in the school context. In January 2023, the ICO advised North Ayrshire Council that the most appropriate legal basis for processing financial recovery technologies for cashless catering would be explicit consent and that they should have undertaken a Data Protection Impact Assessment in advance of processing any personal data. Following this intervention, the North Ayrshire Council advised its school to cease processing financial recovery technologies for the purposes of taking payments from children. 

Impact on students and failure to seek proper consent

The ICO also found that the majority of students at CVHS would have been considered sufficiently competent to provide their own consent, and the parental opt-out utilised by the school deprived students of their ability to exercise their rights and freedoms in relation to data processing between March and November 2023. In addition, the ICO noted that the school had failed to take advice from its Data Protection Officer prior to the introduction of the technology and had not sought any consent from parents or students before commencing the biometric data processing.

Requirements for Data Protection Impact Assessments prior to processing

As required by Article 35(4) of the UK GDPR, the ICO has published a list of processing activities that require a Data Protection Impact Assessment to be completed prior to the processing of personal data. This list includes biometric data where it is combined with the processing of data concerning vulnerable data subjects such as children. As a result, CVHS failed to comply with the law as it did not complete a Data Protection Impact Assessment prior to the processing of biometric data.

The ICO's reprimand and recommendations 

The ICO issued a reprimand based on its current approach to dealing with data protection breaches by those in the public sector. That approach is to make recommendations to public bodies rather than impose fines.

Processing Biometric Data – the importance of explicit consent for schools

It is important that users of biometric data systems understand the data protection principles which are applicable to their particular systems. Taking a picture and converting it into an identifier retained on a database amounts to the processing of personal data, even where a facial image or fingerprint is then deleted. The identifier is information which could indirectly identify someone when combined with other information and is, therefore, personal data for the purposes of the UK GDPR. I would strongly recommend that schools engage a Data Protection Officer before introducing any biometric data processing and carefully consider the wording of any consent and privacy notice to ensure that the risk of any future regulatory action by the ICO is minimised.
