Ensuring Student Data Safety: Biometric Technology in Schools

December 11, 2024

The annual Information Commissioner’s Office (ICO) conference may not typically draw the attention of schools and academies, but it clearly had them in its sights this year. In his keynote speech in October, Information Commissioner John Edwards made clear his regulatory focus in 2025 is to ensure children’s personal data is protected, particularly concerning AI and biometric processing. Addressing the audience, he stressed the importance of risk assessments to minimize data protection concerns. The following week, Edwards took further action by writing a public letter imploring all organizations to proactively prevent data breaches and respond more effectively when breaches occur.

1. Involve the DPO from the Beginning

With the education sector representing 14 percent of all data breaches reported to the ICO in 2023, schools must prioritize data protection measures. To stay compliant and protect student data, involving the Data Protection Officer (DPO) from the outset of a procurement exercise or change in process is crucial. The DPO can keep a focus on privacy issues, the extent of data processing, associated risks, and mitigation strategies. Engaging the DPO early can also shape a school’s approach to the market, ensuring that potential providers outline how they will comply with data protection obligations and support the school’s compliance needs. Leaving privacy and processing issues until after contracts are signed may put the DPO under pressure to avoid project delays, so it’s vital to position the DPO as an enabler of safe innovation from the beginning.

By bringing the DPO into the process early, schools can better navigate the complexities of implementing biometric processing technologies, such as fingerprint and facial recognition technology (FRT). These technologies, often used for efficient school meal payments, must be scrutinized for privacy implications. The ICO has previously reprimanded schools for using such technology without appropriate consideration of privacy concerns. For example, in January 2023, the ICO issued a public letter to North Ayrshire Council to raise awareness regarding the data protection implications associated with FRT procurement. Schools must be vigilant about involving their DPO at every stage to mitigate risks and avoid regulatory penalties.

2. Prioritize the DPIA

A fundamental component of a DPO’s responsibilities involves engaging with vendors and internal stakeholders, such as the IT lead, to complete a Data Protection Impact Assessment (DPIA). The DPIA functions much like a health and safety risk assessment for the processing of personal data. It involves identifying potential risks to individuals’ personal data, assessing the necessity and proportionality of processing activities, and implementing measures to address these risks. Under the UK’s General Data Protection Regulation (GDPR), conducting a DPIA is a legal requirement for activities likely to result in a high risk to individuals’ data protection rights and freedoms.

Facial recognition technology clearly meets this high-risk definition due to its invasive nature and the sensitivity of the biometric data involved. Any school leader unaware of a DPIA for a project involving FRT must raise this concern immediately. Failure to complete a thorough DPIA could result in severe repercussions from the ICO and compromise the personal data of students. The ICO’s reprimand to a school in Essex in July 2024 for failing to conduct a DPIA before installing a facial recognition system in its canteen underscores the necessity of this assessment. Ensuring this assessment is prioritized can help schools avoid similar issues and safeguard student data effectively.

3. Obtain Consent from Parents

The third component of ensuring student data safety is obtaining parental consent for the use of biometric technologies in schools. Parents need to be fully informed about the ways in which their children’s biometric data will be used, stored, and protected. This includes providing clear, concise information and offering the right to opt out if they do not consent to the use of such technology. Schools must make significant efforts to educate parents about the benefits and potential risks associated with biometric technologies. Obtaining explicit consent is not just a legal requirement but also a crucial step in building trust and transparency with parents and guardians, ensuring their confidence in the school’s data protection practices.
