Essex school reprimanded by ICO for facial recognition in canteen

news / July 26, 2024

The ICO has issued a reprimand in July 2024 to another school that broke the law when it introduced facial recognition technology (FRT).

According to the data watchdog, Chelmer Valley High School in Chelmsford, England, first started using the technology in March 2023 to take cashless canteen payments from around 1,200 pupils. It failed to carry out a risk assessment and the school had also, “assumed consent” and not actively obtained permissions to process the biometric information, only objections where parents or carers had opted children out from the processing. The children were not given the opportunity to decide whether they did or didn’t want to be used in this way.

The school also failed to seek advice from their DPO in relation to the introduction of the facial recognition technology, nor did they consult with parents or students. Both of these suggest data protection is not a whole school approach nor embedded into its thinking on safeguarding. We’ll be looking to see if Ofsted makes any comment in future.

Interesting to note in this ICO ruling, the reference is only to data protection law where the school had been relying on assumed consent for facial recognition. Rightly the ICO points out that, “Article 4(11) of the UK GDPR is clear that consent requires an affirmative action, and as such consent on an opt-out basis would not have been valid or lawful.”

It is missing, however, any mention of the Protection of Freedoms Act 2012, Chapter 2. This school did not only break data protection law, but the law specific to schools and biometric data. In that, if either parent or the child objects, it is the most protective outcome, the ‘no’ that is upheld. Why is this not mentioned, and was this duty met?

The ICO recommendations say that, “while several areas of non-compliance are apparent, the Commissioner has decided to focus on the controller’s actions prior to the processing.” We also wonder therefore, what else is still ‘apparent’ and being left out or not enforced? In particular with the supplier as the data processor.

The questions without answers include:

Why does the enforcement stop only at the school and not against the distributor as data processor, that continues to enable these unlawful introductions? The same company was involved in the similarly reprimanded school-fiasco of North Ayrshire in 2021. Back then it was suggested over 80 schools in England would be using its “fully compliant with GDPR and the Data Protection Act” tech.
How could the school fail to carry out a risk assessment when it is described in the distributors’ Data Processing agreement and dedicated LFR factsheet? Does this suggest it was not understood?
Who manufactures the product? Why and how is anyone offering “free upgrades” from fingerprint to facial recognition technology?
Since the “algorithm grows with the child” and the system is “constantly evolving the algorithm,” is there still a connection with the supplier or manufacturer or the source country of origin once installed, and there additional processing that is not at the request of the school, beyond the role of a processor and into joint-controller?
How is the facial recognition system being trained and enhanced throughout its life-cycle of use?

The distributor also states that, “GDPR gives the right to individuals to access their personal data and supplementary information held about them. Currently this information is not held in a single report. CRB Cunninghams intend to make a tool available which allows all data to be supplied in a single report to help satisfy these requests should they arise. This tool will be issued as a scheduled upgrade but can be made available on request.”

Since there is always a requirement to offer a non-biometric alternative, it can never be *necessary* to use biometrics at all. If data processing cannot meet the test of necessity it is not lawful. We wonder therefore why the UK Data Protection Authority fails to live up to the standards for school children set by its counterparts in Sweden and France where schools were stopped from using facial recognition.

Biometric technology does not belong in schools. We don’t support giving recommendations on how to use it ‘better’.

For background information on biometrics in schools in the UK see:

The State of Biometrics in Schools. (King, P. and Persson, J.) A report about the UK ten years after the introduction of the Protection of Freedoms Act 2012
Key report findings: a summary (2022)
Download our Biometrics in schools briefing April 2023 [link]
House of Lords Library overview (2021) Facial recognition technology in schools [link]
Comment from political debates in 2021/22