Essex School Criticized by Data Watchdog for Implementing Facial Recognition in Canteens
The Information Commissioner’s Office has discovered that a school in Chelmsford failed to properly obtain clear permission to process sensitive data.
Organizations must have a data protection impact assessment (DPIA) in place to lawfully use FRT. This process helps identify and manage risks associated with processing sensitive data, such as students’ biometric information.
The Information Commissioner’s Office (ICO) found that Chelmer Valley High School in Chelmsford violated the law by not completing the assessment before introducing FRT in its canteen in March 2023.
According to the ICO, the school did not appropriately obtain clear permission to process sensitive data, and students were not given the chance to decide if they wanted their data used in this manner.
Lynne Currie, the ICO head of privacy innovation, emphasized that the use of FRT, especially involving children, should not be taken lightly.
“Handling people’s information correctly in a school canteen environment is as crucial as handling the food itself. We expect all organizations to conduct necessary assessments when implementing new technology to mitigate data protection risks and ensure compliance with data protection laws,” stated Ms. Currie.
Consent
Chelmer Valley High School, with around 1,200 students aged 11-18, asked parents to confirm their child’s participation in FRT through letters sent out in March of the previous year.
The ICO mentioned that at that time, affirmative ‘opt-in’ consent was not sought, and the school incorrectly relied on assumed consent until November 2023.
Under the Data Protection Act 2018, failure to opt out does not constitute consent as it lacks a clear affirmative act.
“A DPIA is mandatory by law—it’s not a mere tick-box task. It’s a crucial tool that safeguards users’ rights, ensures accountability, and prompts organizations to consider data protection from the project’s outset,” Ms. Currie explained.
Failing to conduct a DPIA can result in enforcement action and fines up to £8.7 million.
Prior to implementing FRT, the school neglected to consult with its data protection officer, parents, and students.
The regulator also observed that some students were of legal age to provide their own consent and were deprived of this opportunity when parents were given an opt-out choice.
Chelmer Valley High School has accepted the ICO’s suggestions. A spokesperson mentioned that the school took steps last year to ensure proper consent is obtained when students use the cashless canteen.
“This includes allowing students the choice to opt in or out as desired,” added the spokesperson.
The ICO highlighted that it does not intend to discourage other schools from embracing new technologies but emphasized the importance of following the correct procedures.
Concerns regarding FRT use in NAC schools arose in October 2021. The ICO found it improbable that the council had fulfilled requirements for valid consent.
This reprimand followed the ICO informing NAC last year that its use of FRT for canteen payments in nine schools was probable infringement of data protection laws.
The local authority was instructed to explain, in language appropriate for different age groups, how children’s data would be collected, used, stored, and retained.
The company that installed systems at NAC schools, CRB Cunninghams, mentioned that FRT could reduce transaction time at school canteens to five seconds per pupil.