The recent Information Commissioner’s Office (ICO) reprimand to an Essex school relating to its implementation of facial recognition technology has brought the practice into sharp focus.
Edtech is big business and the use of biometric data in schools is increasing with systems now available for tracking pupil attendance, library use and cashless catering. Such systems once relied on fingerprints, but facial recognition is increasingly becoming the identification technology of choice.
Like any use of personal data, there’s a web of legal and ethical issues to comply with and it’s vital that schools are aware of the issues to manage before they get started.
Involve your data protection officer in procurement decisions
This is a good measure of your data protection compliance culture: if you are procuring a system that will process personal data – that of children, staff or parents – then it’s important your data protection officer (DPO) is involved from the outset.
Your DPO leads on data protection compliance and, perhaps with the support of your legal adviser, is best placed to advise on the risks and compliance issues associated with the proposed system.
They can bring a focus on the privacy issues, the extent of the data processing, the risks associated with it and how to mitigate those risks. Getting your DPO involved early can also help to frame your approach to the market, ensuring potential providers are setting out how they will comply with their data protection obligations and how they can help you comply with yours.
We often see privacy and processing issues being more of an afterthought, with the DPO being asked close to implementation – if at all – whether they have any concerns. By this time, contracts are signed, timelines agreed and money paid, and the DPO can be under pressure not to delay the project.
Importantly, getting the DPO involved early can ensure engagement from the provider to support with the completion of a Data Protection Impact Assessment (DPIA).
Such synergy depends on the DPO having the correct standing within the school so that the role is taken seriously among senior leaders. This will ensure a culture of data compliance throughout.
Complete your Data Protection Impact Assessment
Think of a Data Protection Impact Assessment (DPIA) like a health and safety risk assessment for how you process personal data. It is designed to help you recognise and manage risk, and ensure the processing you intend to carry out is done so legally.
A DPIA involves identifying the potential risks to individuals’ personal data, evaluating the necessity and proportionality of the processing activities, and implementing appropriate measures to address those risks.
The UK’s General Data Protection Regulation (GDPR) requires organisations to conduct a DPIA for processing activities that are likely to result in a high risk to individuals’ data protection rights and freedoms. Using facial recognition technology to uniquely identify people meets this definition. Therefore, it is a legal requirement to carry out a DPIA before implementing such technology.
Your DPO should be involved in the completion of the DPIA, but it is not a solo task – you’ll need input from your provider, IT lead and others; it’s a team game.
A good starting point is the ICO’s DPIA template, which sets out seven steps to undertake. It is also worth engaging with data protection lawyers to ensure your DPIA is robust and has measures in place to effectively manages the risks.
Get the right consent
As you might expect, a higher level of consent is required for the use of biometric data, especially where we are talking about children’s biometric data.
You must notify each child’s parent, carer or legal guardian of your intention to process the child’s biometric data and tell them they can object at any time to the processing of that data. To lawfully process a child’s biometric data, you need the consent of at least one parent, and no withdrawal of consent or other objection to the data being processed by any other parent.
Finally, if the pupil objects to the use of their biometric data, it cannot be used.
So schools must ensure they are getting the right consents in the right way. The Department for Education has produced a useful guide on the use of biometric data in schools.
Embracing innovation responsibly
Technology can be a huge force for good but as with most things, it comes with risks too.
Schools can – and should – embrace technology that improves the quality of education, drives high standards of safeguarding, and helps them be more efficient.
When doing so, just make sure you have an eye on the privacy and data processing issues, and manage them sensibly and proactively.
Your thoughts