The Information Commissioner’s Office (ICO) has laid out terms for the use of facial recognition technology (FRT) in schools following an enquiry into its use by North Ayrshire Council.
It has published a letter to the council addressing specific concerns about the data protection implications of its deployment, highlighting its view that FRT and similar technologies can potentially be used lawfully but the move needs appropriate assessment and care.
This comes in response to North Ayshire’s introduction of the technology to nine of its schools in 2021 to manage cashless payments for school meals. FRT was used to verify pupils’ identities at the lunch till, with the operator taking a single still image which was matched to a biometric facial template, to deduct money from an online account.
It led to the ICO investigation, which found the deployment took place in a manner likely to have infringed the UK General Data Protection Regulation (GDPR).
The letter includes a number of criticisms, including that the council was not able to show that explicit consent had been obtained from parents for the process, there had not been a genuine choice for individuals, and information on data retention was not sufficiently transparent.
In addition, a data protection impact assessment (DPIA) was carried out but did not appear to contain enough detail on how the operations complied with the principles of data minimisation and data accuracy.
Three improvements
Subsequently, the ICO has highlighted three recommendations to the council. Firstly to ensure there is a valid lawful basis for processing children’s data; and secondly to make sure the processing is transparent, with explanations in age-appropriate language and a setting out of risks.
Thirdly, a comprehensive DPIA that complies with Article 35 of the GDPR should be completed, identifying, assessing and mitigating any risks to pupils’ rights and freedoms. This has to be signed and dated before the processing begins.
The letter notes that North Ayrshire has taken steps to improve its data protection compliance by revising its DPIA template and developing a privacy policy specific to children.
The ICO has also made clear that it wants other local authorities to pay close attention to the findings.
Guidance for others
“We intend to draw out the key learnings from this enquiry and promote them through social media and in a case study within our guidance,” the letter says. “This will benefit other education authorities considering the use of FRT or similar technologies.”
It also emphasised in a statement that education authorities in England and Wales should apply section 26 of the Protection of Freedoms Act, which has provisions around parental and child consent for the use of biometrics in schools.
These provisions do not apply in Scotland or Northern Ireland.
