In this Education Law Update, Paul Upson from Napier Solicitors considers a recent reprimand issued by the Information Commissioner to a school in relation to how it implemented facial recognition technology for canteen payments.

Background

Many people regularly pay for goods and services via their smartphones using facial recognition technology. In recent years, the use of biometrics in the education sector has become more common. This initially focused on fingerprint scanning but, over the last while, some schools and colleges have started to use facial recognition technology to enable pupils to make payments, including for food and drinks in school canteens.

Chelmer Valley High School is an English secondary school which caters for around 1,200 students between the ages of 11 to 18.

Cashless catering payments had been in place at the school since 2016. This was initially done through fingerprint technology. Facial recognition technology was introduced in March 2023. The facial recognition technology was provided to the school by a third-party company.

In January 2024, the school’s Data Protection Officer submitted a Data Protection Impact Assessment (DIPA) to the Information Commissioner’s Office for review. This was done because the Data Protection Officer felt that the processing of facial recognition data was high risk.

Even though the facial recognition technology had been in operation since March 2023, the DIPA was only completed in November 2023. This meant that no risk assessment had been carried out prior to the implementation of the facial recognition technology.

In also transpired that from March 2023 to November 2023, the school had been relying on assumed consent for the use of facial recognition. In March 2023, the school had written to parents and guardians with a slip for them to return if they did not want their child to participate in factual recognition technology. The school had used an “out-out” process rather than an “opt-in” process.

What did the Information Commissioner decide?

The reprimand issued to the school by the Information Commissioner can be found here. It set out a series of concerns.

• The Information Commissioner noted that data protection law in the UK requires consent for data processing to be given on an affirmative basis. Therefore, the opt-out consent sought by the school was not valid or lawful
• Given that the facial recognition technology was being used in a secondary school, the majority of students had sufficient competency to provide their own personal consent for data processing. For those pupils, seeking consent from their parent or guardian was insufficient.
• The Information Commissioner noted that the school had failed to seek advice from their Data Protection Officer prior to the introduction of the facial recognition technology; and they did not consult with parents or students before commencing the processing. The Information Commissioner said that, had the school sought advice from their Data Protection Officer in advance, many of the compliance issues would have been identified before the processing commenced.
• The Information Commissioner decided that the school had failed to complete a DPIA at the point in time when they were legally required to do so. A DIPA should be completed in advance where the data processing is going to involve biometric data. Similarly, a DIPA should be completed in advance where the data processing concerns vulnerable data subjects (such as children) or the use of new technological solutions.

What recommendations did the Information Commissioner make?

The Information Commissioner recommended that the school should:

• Complete a DPIA prior to any new processing operations; or upon changes to the nature, scope, context or purposes of processing for activities that pose a high risk to the rights and freedoms of data subjects.
• Amend their existing DPIA to give thorough consideration to the necessity and proportionality of cashless catering, and to mitigating specific, additional risks such as bias and discrimination.
• Review and follow all guidance issued by the Information Commissioner’s Office for schools that are considering using facial recognition for cashless catering.
• Amend the privacy information given to students so that it provides for their information rights under the UK data protection law in an appropriate way.
• Engage more closely and in a timely fashion with their Data Protection Officer when considering new projects or operations which involve processing personal data; and document the advice received and any changes to the processing that are made as a result.

Conclusion

When this reprimand was issued, Lynne Currie (Head of Privacy Innovation at the Information Commissioner’s Office) said:

Handling people’s information correctly in a school canteen environment is as important as the handling of the food itself. We expect all organisations to carry out the necessary assessments when deploying a new technology to mitigate any data protection risks and ensure their compliance with data protection laws.

We’ve taken action against this school to show introducing measures such as FRT should not be taken lightly, particularly when it involves children.

We don’t want this to deter other schools from embracing new technologies. But this must be done correctly with data protection at the forefront, championing trust, protecting children’s privacy and safeguarding their rights.

It is clear that the Information Commissioner does not want to deter technological advances in the education sector. However, this case illustrates the need for schools and colleges to adequately consider pupils’ privacy rights before they implement technological innovations.

This case also illustrates that when processing biometric data express consent is required and that “opt-out” consent is unlikely to be sufficient. Secondary schools also need to keep in mind that they will likely need to get consent directly from older pupils rather than obtaining it from their parent or guardian.