The Information Commissioner’s Office (ICO) recently published a letter it issued to North Ayrshire Council detailing recommendations for the use of facial recognition technology (FRT) in its schools, This followed concerns raised about the use of FRT in nine Ayrshire schools in October 2021 and a subsequent ICO investigation. Although FRT and similar technologies offer a host of potential benefits in the education sector, they are high risk as they necessarily process special category data of vulnerable individuals (i.e. children).
The Council’s use of FRT in schools
In 2021 the Council introduced the technology to nine schools for the purposes of managing cashless payments for school meals. FRT was used to verify students’ identities as they approached the cash register in the cafeteria. The operator would then take a still image of the student, which would match up to a biometric facial template and deduct money from an online account.
The ICO investigation
The use of FRT led the ICO to undertake an investigation to determine the potential data protection risks. The ICO concluded that, although FRT could be used in schools lawfully, there was a high risk of possible infringement of the UK General Data Protection Regulation (GDPR). In this case, it was considered likely the use of FRT had been used in a way that infringed the GDPR in terms of (i) lawfulness, fairness and transparency, (ii) the right to be informed, (iii) data retention, and (iv) the use of data protection impact assessments.
The ICO recommended three improvements to the Council for its use of FRT to be lawful. These are:
- ensuring there is a valid lawful basis for the processing of children’s data;
- in this case the ICO considered that consent was the appropriate lawful basis for processing children’s special category biometric data for the purpose of cashless catering;
- ensuring that processing is transparent, with a clear explanation in age-appropriate language of how data will be collected, used, stored and retained; and
- ensuring the completion and use of a comprehensive data protection impact assessment that identifies, assesses and mitigates the risks to students’ rights and freedoms.
Whilst the ICO considers that it may be possible to deploy FRT in schools lawfully, the use of FRT is not without risk. FRT is only acceptable where used in a manner that identifies, assesses and mitigates risk and ensures compliance with data protection law. Organisations considering using FRT in schools should therefore carefully consider the ICO’s letter.
If you have any questions about processing children’s data or processing data in schools, please contact a member of our Data Protection team and we will be happy to assist.
This article was co-written by Ussamah Nasar, Trainee Solicitor.