UK school found using facial recognition on children without consent
A school in the UK has been found using facial recognition, to take cashless canteen payments from students without obtaining proper consent. They have been reprimanded by the country's data watchdog. The Information Commissioner's Office (ICO) said that Chelmer Valley High School in Chelmsford, Essex, violated the law by not conducting a data protection impact assessment (DPIA), prior to implementing this technology. The school has approximately 1,200 students aged 11 to 18.
ICO stresses importance of proper data handling
Lynne Currie, head of privacy innovation at the ICO, underscored the importance of correctly handling personal information. She equated it to the handling of food in a school canteen environment. Currie stressed that all organizations should conduct necessary assessments when deploying new technology to mitigate any data protection risks, and ensure compliance with data protection laws. The school began using FRT for cashless canteen payments in March last year without assessing these risks to children's information.
School's assumed consent approach criticized
In March last year, Chelmer Valley High School sent a letter to parents with a slip for them to return, if they did not want their child participating in FRT. However, until November, the school had been wrongly relying on "assumed consent" for facial recognition unless parents or carers opted children out of the system. The ICO noted that this approach deprived students of their rights as most were old enough to provide their own consent.
School takes steps to rectify consent issues
The school offered a DPIA to ICO in January this year, and began obtaining explicit opt-in consent from students, in November last year. Currie emphasized that a DPIA is not a "tick-box exercise" but a crucial tool that protects users' rights, provides accountability, and encourages organizations to consider data protection at the beginning of a project. A spokesperson for Chelmer Valley High School confirmed they have accepted the report's recommendations.
ICO's previous warning to North Ayrshire Council
The ICO had previously warned North Ayrshire Council about its use of FRT for canteen payments in nine schools, stating it was "likely" infringing data protection law. Chelmer Valley High School was also found to have failed to consult its data protection officer, parents, and students before implementing FRT. This incident underscores the importance of proper consultation and risk assessment when deploying new technology in educational institutions.
