Organisations should take note of recent enforcement action brought by the Information Commissioner's Office (ICO) against a school for its inappropriate use of facial recognition technology (FRT). Chelmer Valley High School in Essex has been reprimanded by the ICO for breaching UK data protection laws by failing to evaluate the impact of using FRT for cashless catering. The system in question processed biometric personal data to authenticate their students' identities through facial feature analysis. Prior to this, fingerprint recognition technology had been in use by the school since 2016.
What went wrong?
The school began processing biometric personal data in March 2023, without having undertaken a Data Protection Impact Assessment (DPIA). The UK General Data Protection Regulation, however, requires that a DPIA be carried out for certain processing activities, such as processing that concerns vulnerable data subjects (e.g., children) and the use of new technological solutions (such as FRT).
Except where parents had opted their children out of the processing, the school relied on assumed consent for the use of facial recognition from March to November 2023. However, for consent to be valid, an affirmative action is needed. For that reason, consent based on an opt-out was insufficient. In addition, a parental opt-out denied the students, aged between 11 and 18, the ability to exercise their rights in relation to their own personal data. In the circumstances, the vast majority of the students would have been competent enough to provide consent themselves. Finally, when introducing the technology, the school did not consult its Data Protection Officer (DPO), which it was required to do, nor did it consult parents or students.
As such, the school failed to: (i) complete a mandatory DPIA, and (ii) properly consider and manage consent, meaning that students were unable to exercise their rights.
Key considerations before deploying new processing technology
The school took remedial steps which included the completion of a DPIA in November 2023, and obtained explicit opt-in consent from students. This was welcomed by the ICO, but a reprimand was still issued due to earlier non-compliance.
The ICO proceeded to issue several recommendations to help the school with its future compliance with UK data protection law. These recommendations are set out below for you to consider before deploying processing technology, such as FRT, within your organisation:
- Complete a DPIA prior to new processing operations or on changes to the nature, scope, content or purposes of processing. Types of processing that require a DPIA can be found here and here. Examples include:
  - Profiling of individuals on a large scale e.g., a new patient data management system in a hospital;
  - Monitoring of public areas e.g., installing CCTV in public areas; and
  - Data matching e.g., combining customer databases from multiple sources.
- Amend the DPIA to consider the necessity and proportionality of new processing operations, such as FRT as a way to manage students' lunch payments, and whether there are less intrusive alternatives to mitigate specific risks.
- Have the ICO guidance to hand: if the school had done so, they would have seen the ICO's Case study: North Ayrshire Council schools - use of facial recognition technology.
- Amend privacy information: in the school's case, by creating a child-friendly privacy notice.
- Engage with your DPO: when considering new processing operations and document their advice and resultant actions or changes made.
The reprimand follows a decision made earlier this year by the ICO when it ordered Serco Leisure, Serco Jersey and associated community leisure trusts to stop using FRT to monitor the attendance of leisure centre employees. The risk of enforcement action is, therefore, high.
Should you have any queries in relation to your compliance obligations when considering new technologies involving processing of personal data within your organisation, and/or more generally wish to discuss your compliance with data protection laws, please do not hesitate to contact David Gourlay, Partner, in the Commercial team at Morton Fraser MacRoberts LLP.