Saturday, October 19, 2024

Essex school receives reprimand from ICO for unauthorized use of facial recognition technology

The Information Commissioner’s Office (ICO) in the UK has criticized a secondary school in Essex for unlawfully utilizing facial-recognition technology to handle cashless canteen payments from students.

Under the UK General Data Protection Regulation (GDPR), the ICO has the authority to issue formal reprimands, fines, and other enforcement measures when organizations violate the law. Because processing sensitive biometric data carries significant data protection risks, organizations seeking to use facial recognition to process children’s information must conduct data protection impact assessments (DPIAs) to identify and address risks associated with the system.

Despite this legal requirement, the ICO discovered that Chelmer Valley High School in Chelmsford began using the facial-recognition system provided by CRB Cunninghams in March 2023 without completing a DPIA. This meant that no assessment was made of the risks to the information of the school’s 1,200 students.

The ICO’s head of privacy innovation, Lynne Currie, emphasized the importance of DPIAs in protecting user rights, establishing accountability, and promoting data protection compliance. While the ICO does not want to discourage schools from adopting new technologies, ensuring the privacy and data rights of students must remain a top priority.

The ICO found that the school did not obtain clear consent to process students’ biometric information and failed to consult with students or their parents before implementing the technology. The school also neglected to involve its data protection officer, which could have helped address compliance issues beforehand.

As a remedy, the ICO required Chelmer Valley to conduct a DPIA and incorporate the findings into project plans before any new processing. The school was also instructed to seek explicit opt-in consent from students old enough to provide it.

While the reprimand was not legally binding, the ICO warned that failure to rectify the infringements could result in enforcement action. Additionally, the use of facial recognition technology in schools has been a subject of debate, with concerns raised by various groups about the risks and implications for student privacy and rights.

Efforts to reach Chelmer Valley for comment were unsuccessful at the time of publication.