Data watchdog reprimands school over facial recognition for canteen payments

23 July 2024, 16:14

Pupils eating lunch
Avoidant restrictive food intake disorder study. Picture: PA

The Essex secondary broke the law when it ‘failed’ to take appropriate data protection safeguards, the Information Commissioner’s Office said.

A school has been reprimanded by the data protection regulator after using facial recognition technology (FRT) to take cashless canteen payments from pupils.

The Information Commissioner’s Office (ICO) said Chelmer Valley High School, in Chelmsford, Essex, broke the law when it “failed” to complete a data protection impact assessment (DPIA) before starting to use the technology.

The secondary school, which has around 1,200 pupils aged 11-18, had not properly obtained clear permission to process the children’s biometric data and students were unable to “exercise their rights and freedoms”.

In March last year, the school began using the technology to take cashless canteen payments, before an assessment was made of the risks to the children’s information.

Lynne Currie, head of privacy innovation at the ICO, said: “Handling people’s information correctly in a school canteen environment is as important as the handling of the food itself.

“We expect all organisations to carry out the necessary assessments when deploying a new technology to mitigate any data protection risks and ensure their compliance with data protection laws.

“We’ve taken action against this school to show introducing measures such as FRT should not be taken lightly, particularly when it involves children.

“We don’t want this to deter other schools from embracing new technologies. But this must be done correctly with data protection at the forefront, championing trust, protecting children’s privacy and safeguarding their rights.”

The reprimand comes after the ICO told North Ayrshire Council last year that its use of FRT to take canteen payments in nine schools was “likely” to have infringed data protection law.

Concerns were raised when FRT was introduced in North Ayrshire schools in 2021 as part of a replacement of its existing cashless catering system.

The data watchdog also found that Chelmer Valley High School failed to seek opinions from its data protection officer, or consult with parents and students, before implementing the technology.

In March last year, a letter was sent to parents with a slip for them to return if they did not want their child to participate in FRT, the ICO said.

Until November last year, the ICO warned that the school had been wrongly relying on “assumed consent” for facial recognition – except where parents or carers had opted children out of the system.

The data protection regulator also noted that most students would have been old enough to provide their own consent, so the parental opt-out deprived students of the ability to exercise their rights.

The reprimand said: “Chelmer Valley High School has therefore failed to complete a DPIA where they were legally required to do so.

“This failing meant that no prior assessment was made of the risks to data subjects, no consideration was given to lawfully managing consent, and students at the school were then left unable to properly exercise their rights and freedoms.”

The school provided a DPIA to the data watchdog in January this year, and it begun obtaining explicit opt-in consent from students in November last year.

Ms Currie added: “A DPIA is required by law – it’s not a tick-box exercise.

“It’s a vital tool that protects the rights of users, provides accountability and encourages organisations to think about data protection at the start of a project.”

A spokesperson for Chelmer Valley High School said: “We accept the report’s recommendations and took action last year to ensure proper consent is gained when students use the cashless canteen. This includes having the choice to opt in or out as desired.”

By Press Association

More Technology News

See more More Technology News

A Google icon on a smartphone

Firms can use AI to help offset Budget tax hikes, says Google UK boss

Icons of social media apps, including Facebook, Instagram, YouTube and WhatsApp, are displayed on a mobile phone screen

Growing social media app vows to shake up ‘toxic’ status quo

Will Guyatt questions who is responsible for the safety of children online

Are Zuckerberg and Musk responsible for looking after my kids online?

Social media apps on a phone

U16s social media ban punishes children for tech firm failures, charities say

Google shown on a smartphone

US Government proposes forcing Google to sell Chrome to break-up tech empire

The logo for Google's Gemini AI assistant

Google’s Gemini AI gets dedicated iPhone app in the UK for the first time

Facebook stock

EU fines Meta £660m for competition rule breaches over Facebook Marketplace

A phone taking a photo of a phone mast

Government pledges more digital inclusion as rural Wales gets phone mast boost

Social media apps displayed on a mobile phone screen

What is Bluesky and why are people leaving X to sign up?

Someone types at a keyboard

Cyber security chief warns Black Friday shoppers to be alert to scams

MPs

Ministers pressed on excluding Chinese firms from UK’s genomics sector

Child with mobile phone stock

Specially designed smartphone for children launches in the UK

Roblox on a laptop

Children’s gaming platform Roblox makes ‘major update’ to parental controls

An offshore wind farm

Government launches competition to find AI solutions to boost UK clean energy

A Google logo on the screen of a mobile phone

Google partnership with Anthropic AI cleared by competition watchdog

Concept images showing the entrance to the Minecraft-themed park

Minecraft to become UK real-life destination in deal with Merlin