Using Facial Recognition Technology in Schools
Is it safe to use FRT in schools?
Facial recognition is a technology capable of matching a human face from a digital image against a database of faces. This type of system is typically used to authenticate users through ID verification services, and works by pinpointing and measuring facial features from a given image.
Schools might use FRT for things like contactless payments, keeping track of attendance and minimising crime on the school site.
North Ayrshire Council’s Use of Facial Recognition Technology
In a statement about the use of FRT in nine of North Ayrshire Council’s schools, the ICO said:
“We have issued a letter to North Ayrshire Council (NAC) following their use of Facial Recognition Technology (FRT) to manage ‘cashless catering’ in school canteens.
The story was first brought to us in October 2021 when NAC introduced FRT into nine of its schools. NAC stopped processing shortly after data protection concerns were raised with us.
Although FRT and other new technologies can offer benefits within an education setting, they process special category data and are not without risk.
As the data protection regulator, we want to ensure that educational authorities can access the benefits of new and emerging technologies, whilst also protecting children’s data and safeguarding their rights.
FRT and similar technologies can potentially be used lawfully with appropriate assessment and care.
One of the things that education authorities based in England & Wales must also apply is section 26 of the Protection of Freedoms Act 2012 which has provisions around parental & child consent for the use of biometrics in schools. These provisions do not apply in Scotland or NI.”
The ICO’s full letter addresses the ways that NAC fell short of data protection law and what they can do to rectify this in the future. Read the full letter here.
Adhering to UK GDPR
When handling pupils' personal data it is extremely important that schools are fully compliant with the UK GDPR regulations. If a school is planning on implementing FRT, it is worth weighing up the benefits versus the risks and work involved.
The ICO note in particular the following sections of the regulations:
“Whilst it may be possible to deploy FRT in schools lawfully, in this case we are concerned that the technology had been deployed in a manner that is likely to have infringed data protection law under the following Articles of the UK GDPR:
- Lawful, Fair, and Transparent (Article 5(1)(a), Article 6, Article 9 and Article 12);
- Right to be Informed (Article 13);
- Retention (Article 5(1)(e)); and
- Data Protection Impact Assessment (Article 35).
We recommend improvements that NAC can make in the following areas when considering similar issues in the future:
- Data Minimisation (Article 5 (1)(c)); and
- Data Accuracy (Article 5(1)(d))."
How Can Schools Be Compliant When Using FRT?
There are many benefits to using FRT in a school setting, but this comes with its own risks. When using FRT, and other types of biometric data, schools must ensure they adhere strictly to the UK GDPR regulations.
In the case of North Ayrshire Council, the ICO have pinpointed the areas within the implementation of FRT which require the most improvement. They specifically state to:
1. Ensure that there is a valid lawful basis for processing children’s data. Our view is that Consent was the appropriate lawful basis for processing children’s special category biometric data for the purpose of cashless catering in this case. However, as identified in Appendix 1, the requirements for valid consent were unlikely to have been met in this case.
2. Ensure that the processing is transparent. It is vital that NAC is able to explain in age-appropriate language how children’s data will be collected, used, stored and retained. The risks associated with its use should be clearly set out. We note that NAC has developed and published a children’s privacy notice.
3. Ensure that a comprehensive DPIA that complies with Article 35 requirements has been completed and that the DPIA identifies, assesses and mitigates the risks to pupils’ rights and freedoms. The DPIA should consider the necessity and proportionality of the processing, the potential for ‘function creep’ (ie using personal data for purposes beyond those you originally identified), and ensure that risks of bias and discrimination in the use of FRT are identified, assessed and mitigated. There must be a signed, dated DPIA in advance of the processing commencing. The DPIA process should also document the Data Protection Officer’s (DPO) advice and the controller’s consideration of that advice.