UK School Faces Backlash for Unlawful Use of Facial Recognition Technology in Classrooms

An English school has received a formal reprimand from the U.K.’s data protection regulator after implementing facial recognition technology without obtaining clear opt-in consent from students for processing their facial scans. This incident reignites the crucial privacy conversation surrounding biometric data, particularly in educational environments involving children. Last year, New York became the first U.S. state to prohibit facial recognition in schools, prompted by increasing marketing efforts from AI companies touting enhanced security solutions for educational institutions.

While fingerprint technology has been a part of U.K. schools for years for student identification and authentication, the adoption of facial recognition has surged, especially fueled by the demand for contactless payment solutions during the pandemic. Several schools have already been employing facial recognition software to streamline food payment processes for at least four years. This trend caught the attention of the U.K.’s Information Commissioner’s Office (ICO) after numerous Scottish schools began using the technology in 2021.

Fast forward to today, and the ICO is compelled to intervene once more. Chelmer Valley High School in Chelmsford, Essex, began utilizing facial recognition technology for cashless lunch payments in March 2023, having previously relied on fingerprinting since 2016. This facial recognition system was supplied by CRB Cunninghams.

Though schools can implement facial recognition technology, they are required to conduct a Data Protection Impact Assessment (DPIA) beforehand. The ICO has pointed out that Chelmer Valley High School did not complete this assessment prior to adopting biometric technology, only submitting a DPIA in January this year—nearly a year after the system's rollout.

Furthermore, the ICO stated that the school failed to secure “clear permission” for processing the students’ facial scans. Although the school informed parents about the technology via a letter, it was framed as an opt-out system: students would automatically be included unless their parents returned a specific form indicating otherwise. This approach contradicts Article 4(11) of the U.K. GDPR, which mandates “clear affirmative action” for valid consent.

“The faceprints obtained by these systems comprise highly sensitive biometric data,” said Mark Johnson, an advocacy manager at the privacy advocacy group Big Brother Watch. “No child should have to undergo such intrusive identity checks just to obtain a school meal. We commend the ICO for its intervention. Instead of viewing children as mere walking barcodes, schools should educate them on safeguarding their personal data while protecting their biometric information.”

Additionally, the U.K. GDPR allows children over 13 years old to provide their own consent regarding data processing, meaning many students at Chelmer Valley High School could not “exercise their rights and freedoms.”

“Properly handling individuals' information in a school canteen is as critical as managing the food itself,” stated Lynne Currie, the ICO’s head of privacy innovation. “We expect all organizations to conduct necessary assessments when deploying new technologies to minimize data protection risks and ensure compliance with applicable laws.”

It’s important to note that the ICO can impose significant fines on organizations that violate data privacy regulations. For example, U.S. AI company Clearview AI was fined $10 million for multiple breaches. However, the ICO is likely to approach this public school differently than a private company, deeming a public reprimand more fitting in this case, especially since it's the school’s first infraction.

“We have acted against this school to emphasize that introducing measures such as facial recognition technology should be treated with seriousness, particularly concerning children,” Currie added. “Our goal is not to dissuade schools from adopting new technologies, but such implementation must prioritize data protection, nurture trust, protect children's privacy, and uphold their rights.”