Stay up to date with notifications from The Independent

Notifications can be managed in browser preferences.

School reprimanded after using facial recognition technology to take canteen payments from pupils

The Essex secondary broke the law when it ‘failed’ to take appropriate data protection safeguards

Eleanor Busby
Tuesday 23 July 2024 16:58 BST
A school began using facial recognition technology to take cashless canteen payments (PA)
A school began using facial recognition technology to take cashless canteen payments (PA) (PA Wire)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

A school has been reprimanded by the data protection regulator after using facial recognition technology (FRT) to take cashless canteen payments from pupils.

The Information Commissioner’s Office (ICO) said Chelmer Valley High School, in Chelmsford, Essex, broke the law when it “failed” to complete a data protection impact assessment (DPIA) before starting to use the technology.

The secondary school, which has around 1,200 pupils aged 11-18, had not properly obtained clear permission to process the children’s biometric data and students were unable to “exercise their rights and freedoms”.

In March last year, the school began using the technology to take cashless canteen payments, before an assessment was made of the risks to the children’s information.

Lynne Currie, head of privacy innovation at the ICO, said: “Handling people’s information correctly in a school canteen environment is as important as the handling of the food itself.

“We expect all organisations to carry out the necessary assessments when deploying a new technology to mitigate any data protection risks and ensure their compliance with data protection laws.

“We’ve taken action against this school to show introducing measures such as FRT should not be taken lightly, particularly when it involves children.

“We don’t want this to deter other schools from embracing new technologies. But this must be done correctly with data protection at the forefront, championing trust, protecting children’s privacy and safeguarding their rights.”

The reprimand comes after the ICO told North Ayrshire Council last year that its use of FRT to take canteen payments in nine schools was “likely” to have infringed data protection law.

Concerns were raised when FRT was introduced in North Ayrshire schools in 2021 as part of a replacement of its existing cashless catering system.

The data watchdog also found that Chelmer Valley High School failed to seek opinions from its data protection officer, or consult with parents and students, before implementing the technology.

In March last year, a letter was sent to parents with a slip for them to return if they did not want their child to participate in FRT, the ICO said.

Until November last year, the ICO warned that the school had been wrongly relying on “assumed consent” for facial recognition – except where parents or carers had opted children out of the system.

The data protection regulator also noted that most students would have been old enough to provide their own consent, so the parental opt-out deprived students of the ability to exercise their rights.

The reprimand said: “Chelmer Valley High School has therefore failed to complete a DPIA where they were legally required to do so.

“This failing meant that no prior assessment was made of the risks to data subjects, no consideration was given to lawfully managing consent, and students at the school were then left unable to properly exercise their rights and freedoms.”

The school provided a DPIA to the data watchdog in January this year, and it begun obtaining explicit opt-in consent from students in November last year.

Ms Currie added: “A DPIA is required by law – it’s not a tick-box exercise.

“It’s a vital tool that protects the rights of users, provides accountability and encourages organisations to think about data protection at the start of a project.”

A spokesperson for Chelmer Valley High School said: “We accept the report’s recommendations and took action last year to ensure proper consent is gained when students use the cashless canteen. This includes having the choice to opt in or out as desired.”

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in