The Information Commissioner’s Office (ICO) has issued a reprimand to a school that broke the law when it introduced facial recognition technology.
Chelmer Valley High School, in Chelmsford, Essex, first started using the technology in March 2023 to take cashless canteen payments from students.
The ICO said that facial recognition is likely to result in high data protection risks, and that to use it legally and responsibly, organisations must have a data protection impact assessment (DPIA) in place.
The school, which has around 1,200 pupils aged 11-18, failed to carry out a DPIA before starting to use the technology and had not properly obtained clear permission to process the students’ biometric information. Students were also not given the opportunity to decide whether they wanted it used in this way.
Necessary assessments
Lynne Currie, ICO head of privacy innovation, said: “Handling people’s information correctly in a school canteen environment is as important as the handling of the food itself. We expect all organisations to carry out the necessary assessments when deploying a new technology to mitigate any data protection risks and ensure their compliance with data protection laws.
“We’ve taken action against this school to show introducing measures such as FRT should not be taken lightly, particularly when it involves children.
“We don’t want this to deter other schools from embracing new technologies. But this must be done correctly with data protection at the forefront, championing trust, protecting children’s privacy and safeguarding their rights.”
Further shortcomings
Chelmer Valley High School also failed to seek opinions from its data protection officer or consult with parents and students before implementing the technology.
In March 2023, a letter was sent to parents with a slip for them to return if they did not want their child to participate, but ‘opt in’ consent was not sought at this time, meaning that until November 2023 the school was wrongly relying on assumed consent. The law does not deem ‘opt out’ a valid form of consent and requires explicit permission.
The ICO’s reprimand also notes most students were old enough to provide their own consent, so parental opt out deprived students of the ability to exercise their rights and freedoms.
Currie added: “A DPIA is required by law – it's not a tick-box exercise. It’s a vital tool that protects the rights of users, provides accountability and encourages organisations to think about data protection at the start of a project.”
The ICO has provided the school with recommendations for the future.