A high school in Chelmsford has been reprimanded by the ICO, for breaking data protection law when it introduced facial recognition technology (FRT) in its canteen. Chelmer Valley High School started using FRT in March 2023 to take cashless canteen payments from students. As FRT processes biometric data to uniquely identify people, it results in high data protection risks. 

As required by UK data protection law (UK GDPR which sits alongside the 2018 Data Protection Act), to use FRT organisations must have a data protection impact assessment (DPIA) in place, to identify and manage the higher risks that may arise from processing sensitive data. 

The ICO found that the school failed to carry out a DPIA before using the FRT, and no prior assessment was made of the risks to the children's information. The school had not properly obtained clear consent to process the students’ biometric information and the students were not allowed to decide whether they did or didn’t want it used in this way. The school also failed to seek opinions from its data protection officer or consult with parents and students before implementing the technology.

A letter was sent to parents with a slip for them to return if they did not want their child to participate in the FRT. Affirmative 'opt-in' consent wasn't sought at this time, meaning the school was wrongly relying on assumed consent. The law does not deem ‘opt-out’ a valid form of consent and requires explicit permission. The ICO also pointed out that most students were old enough to provide their own consent, therefore, parental opt-out deprived students of the ability to exercise their rights and freedoms.

The reprimand comes after another ICO case involving FRT earlier this year, where the regulator ordered Serco Leisure to stop using FRT and fingerprint scanning to monitor the attendance of leisure centre employees. Serco failed to show why it was necessary or proportionate to use FRT and fingerprint when there were less intrusive means available such as ID cards or fobs.

For a no-obligation conversation about data protection and how we might help, contact Prettys’ dedicated Data Protection and Privacy Team on e: dataprotection@prettys.co.uk or call 01473 232121.