UK school reprimanded for unlawful use of facial recognition technology



An English school has been formally reprimanded by the U.K.’s data protection regulator after it used facial recognition technology without getting specific opt-in consent from students for processing their facial scans.

The news reignites the ongoing privacy debate around the use of biometric data, particularly in school settings where children are involved. New York banned facial recognition in schools last year, becoming the first U.S. state to do so, after AI businesses ramped up their marketing efforts with the promise of making schools more secure.

Fingerprint technology has been used in U.K. schools for years for various identification and authentication purposes, though facial recognition is increasingly being used, too — the trend was accelerated by a pandemic-driven demand for truly contactless payments. Some schools have been using facial recognition software to manage food payments for at least four years, a trend that sparked the U.K.’s Information Commissioner’s Office (ICO) into action after a swathe of schools in Scotland started using the technology in 2021.

Now, some three years later, the ICO has been forced into action again. Chelmer Valley High School, in Chelmsford, Essex, started using facial recognition technology for cashless lunch payments in March 2023, having used fingerprinting since 2016. The facial recognition system was provided by a company called CRB Cunninghams.

While schools are permitted to use facial recognition technology, they must first carry out a data protection impact assessment (DPIA), which, the ICO says, Chelmer Valley High School failed to do before introducing the new biometric technology. The school submitted a DPIA to the ICO in January this year, nearly a year after it introduced facial recognition technology.

On top of that, the ICO says that the school didn’t obtain “clear permission” to process students’ facial scans. The school had sent a letter to parents informing them of its use of the tech, but it was presented as an opt-out program — if students didn’t return a form explicitly stating that they didn’t want to participate, then they would automatically be opted in to the program. This runs contrary to Article 4(11) of the U.K. GDPR, which stipulates that “clear affirmative action” is required for consent.

Moreover, the U.K. GDPR stipulates that children over the age of 13 can provide their own consent to how their data is processed, which means that the opt-out approach left the majority of students at this school unable to “exercise their rights and freedoms.”

“Handling people’s information correctly in a school canteen environment is as important as the handling of the food itself,” Lynne Currie, the ICO’s head of privacy innovation, said in a statement. “We expect all organisations to carry out the necessary assessments when deploying a new technology to mitigate any data protection risks and ensure their compliance with data protection laws.”

It’s worth noting that the ICO has the power to impose substantial fines on any organization that contravenes data privacy regulations — as evidenced when U.S. AI company Clearview AI was hit with a $10 million fine for a string of breaches. However, the ICO is unlikely to treat a public school in the same way as a private company, which is why it has deemed a public reprimand more appropriate in this instance — particularly as it’s the school’s first offense.

“We’ve taken action against this school to show introducing measures such as FRT should not be taken lightly, particularly when it involves children,” Currie added. “We don’t want this to deter other schools from embracing new technologies. But this must be done correctly with data protection at the forefront, championing trust, protecting children’s privacy and safeguarding their rights.”

TechCrunch has reached out to Chelmer Valley High School for comment, and will update here when we hear back.



