Data watchdog reprimands school over facial recognition for canteen payments
23 July 2024, 16:14
The Essex secondary broke the law when it ‘failed’ to take appropriate data protection safeguards, the Information Commissioner’s Office said.
A school has been reprimanded by the data protection regulator after using facial recognition technology (FRT) to take cashless canteen payments from pupils.
The Information Commissioner’s Office (ICO) said Chelmer Valley High School, in Chelmsford, Essex, broke the law when it “failed” to complete a data protection impact assessment (DPIA) before starting to use the technology.
The secondary school, which has around 1,200 pupils aged 11-18, had not properly obtained clear permission to process the children’s biometric data and students were unable to “exercise their rights and freedoms”.
In March last year, the school began using the technology to take cashless canteen payments, before an assessment was made of the risks to the children’s information.
Lynne Currie, head of privacy innovation at the ICO, said: “Handling people’s information correctly in a school canteen environment is as important as the handling of the food itself.
“We expect all organisations to carry out the necessary assessments when deploying a new technology to mitigate any data protection risks and ensure their compliance with data protection laws.
“We’ve taken action against this school to show introducing measures such as FRT should not be taken lightly, particularly when it involves children.
“We don’t want this to deter other schools from embracing new technologies. But this must be done correctly with data protection at the forefront, championing trust, protecting children’s privacy and safeguarding their rights.”
The reprimand comes after the ICO told North Ayrshire Council last year that its use of FRT to take canteen payments in nine schools was “likely” to have infringed data protection law.
Concerns were raised when FRT was introduced in North Ayrshire schools in 2021 as part of a replacement of its existing cashless catering system.
The data watchdog also found that Chelmer Valley High School failed to seek opinions from its data protection officer, or consult with parents and students, before implementing the technology.
In March last year, a letter was sent to parents with a slip for them to return if they did not want their child to participate in FRT, the ICO said.
Until November last year, the ICO warned that the school had been wrongly relying on “assumed consent” for facial recognition – except where parents or carers had opted children out of the system.
The data protection regulator also noted that most students would have been old enough to provide their own consent, so the parental opt-out deprived students of the ability to exercise their rights.
The reprimand said: “Chelmer Valley High School has therefore failed to complete a DPIA where they were legally required to do so.
“This failing meant that no prior assessment was made of the risks to data subjects, no consideration was given to lawfully managing consent, and students at the school were then left unable to properly exercise their rights and freedoms.”
The school provided a DPIA to the data watchdog in January this year, and it begun obtaining explicit opt-in consent from students in November last year.
Ms Currie added: “A DPIA is required by law – it’s not a tick-box exercise.
“It’s a vital tool that protects the rights of users, provides accountability and encourages organisations to think about data protection at the start of a project.”
A spokesperson for Chelmer Valley High School said: “We accept the report’s recommendations and took action last year to ensure proper consent is gained when students use the cashless canteen. This includes having the choice to opt in or out as desired.”
