ICO looking into schools' use of facial recognition to take lunch payments
The Information Commissioner's Office announced on 18 October that it would be in contact with North Ayrshire Council after it was reported that nine North Ayrshire schools had introduced facial recognition technology to allow pupils to pay for their school lunches. The proposed use of facial recognition technology would involve the processing of biometric personal data, which should be treated as a special category of personal data under the UK GDPR where it is used to uniquely identify a data subject.
Although the schools in question were in Scotland, if schools in England and Wales proposed to use biometric data in such a way, not only would the usual UK data protection law requirements apply, but the Protection of Freedoms Act 2012 ("POFA") would also be engaged. Taken together, UK data protection law and POFA requirements mean that:
- Each parent would need prior notification of the intention to process biometric information and of their right to object at any time.
- The education authority must ensure that at least one parent of each child has consented and that no parent has withdrawn their consent or otherwise objected (with a handful of mainly safeguarding-related exemptions).
- The education authority must comply with any child's objection or refusal to participate, irrespective of any parental consent.
- The education authority must ensure that reasonable alternative means of taking lunch payments are available.
- The processing must covered by one of the Article 9 UK GDPR exemptions (namely explicit consent) and children should also be notified in an age appropriate notice.
- The biometric and other personal data must be processed securely and subject to the terms of an appropriate DPA with the service provider.
- The education authority should carry out a data protection impact assessment and consider whether there are less intrusive means to achieve the same ends.
The education authority in question here said that 97 per cent of children or their parents had given consent for the new system, stating that the new system helped to avoid PIN errors and PIN fraud. However, the ICO's initial response in the press urged that a "less intrusive" approach should be taken where possible.
The ICO has also expressed deep concerns about live facial recognition in public places ("LFR") (see the Commissioner's Opinion and summary from June 2021). This type of project is less problematic than LFR, in that proper prior notice can be given and consent can be sought in advance, compared to recognising anyone who walks past a camera. However, the use of children's data means that special protections are required and will set a very high bar for demonstrating that any proposed biometric processing is necessary, proportionate and sufficiently transparent.