Facial Recognition in Schools: Please, sir, I want some more.

Yesterday the Financial Times reported that, “nine schools in North Ayrshire will start taking payments for school lunches by scanning the faces of pupils, claiming that the new system speeds up queues and is more Covid-secure than the card payments and fingerprint scanners they used previously.”

For a few years now, schools have used biometrics including automated fingerprint identification systems for registration, library book borrowing and cashless catering. Big Brother Watch reported privacy concerns about this way back in 2014. Now a company, called CRB Cunninghams, has introduced facial recognition technology to allow schools to offer children the ability to collect and pay for lunches without the need for physical contact. In addition to the nine schools in Scotland, four English schools are reported to be introducing the technology. Silkie Carlo, the head of Big Brother Watch, said: 

“It’s normalising biometric identity check for something that is mundane. You don’t need to resort to airport-style [technology] for children getting their lunch.”

The law on the use of such technology is clear. Back in 2012, the Protection of Freedoms Act (POFA) created an explicit legal framework for the use of all biometric technologies (including facial recognition) in schools for the first time. It states that schools (and colleges) must seek the written consent of at least one parent of a child (anyone under the age of 18) before that child’s biometric data can be processed. Even if a parent consents, the child can still object or refuse to participate in the processing of their biometric data. In such a case schools must provide a reasonable alternative means of accessing the service i.e. paying for school meals in the present case. 

POFA only applies to schools and colleges in England and Wales. However, all organisation processing personal data must comply with the UK GDPR. Facial recognition data, being biometric, is classed as Special Category Data and there is a legal prohibition on anyone processing it unless one of the conditions in paragraph 2 of Article 9 are satisfied. Express consent of the Data Subjects (i.e. the children, subject to their capacity) seems to be the only way to justify such processing. 

In 2019 the Swedish Data Protection Authority fined an education authority (SEK 200 000 ,approximately 20 000 Euros) after the latter instructed schools to use facial recognition to track pupil attendance. The schools had sought to base the processing on consent. However, the Swedish DPA considered that consent was not a valid legal basis given the imbalance between the Data Subject and the Data Controller. It ruled that there was a breach of Article 5, by processing students’ personal data in a manner that is more intrusive as regards personal integrity and encompasses more personal data than is necessary for the specified purpose (monitoring of attendance), Article 9 and Articles 35 and 36 by failing to fulfil the requirements for an impact assessment and failing to carry out prior consultation with the Swedish DPA. 

The French regulator (CNIL) has also raised concerns about a facial recognition trial commissioned by the Provence-Alpes-Côte d’Azur Regional Council, and which took place in two schools to control access by pupils and visitors. The CNIL concluded that “free and informed consent of students had not been obtained and the controller had failed to demonstrate that its objectives could not have been achieved by other, less intrusive means.” CNIL also said that facial recognition devices are particularly intrusive and present major risks of harming the privacy and individual freedoms of the persons concerned. They are also likely to create a sense of enhanced surveillance. These risks are increased when facial recognition devices are applied to minors, who are subject to special protection in national and European laws.

Facial recognition has also caused controversy in other parts of the world recently. In India the government has been criticised for its decision to install it in some government-funded schools in Delhi. As more UK schools opt for this technology it will be interesting to see how many objections they receive not just from from parents but also from children. This and other recent privacy related stories highlight the importance of a Data Protection Officer’s role.

BONUS QUESTION: The title of this contains a nod to which classic novel? Answers in the comments section below.

All the recent GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We have a few places left on our Advanced Certificate in GDPR Practice course starting in November.

The school that didn’t learn its lesson.

In 2011 I received a gorgeous CD through the mail from a school. It invited me to send my children (at the time aged 30, 29 and 25) to their school (35 miles away from my house). Read the full story on Act Now website ( a Northern school). I did complain to the ICO but his decision was in favour of the school. This was my conclusion to the affair.

“A school/college with no prior relationship with me buys my name from a list broker as I am apparently rich and with junior age children (wrong on both counts) and then sends me unsolicited marketing material through the post. When I exercise my right to subject access they ignore it for two and a half weeks then fail to give me what I ask for because they don’t know from where they obtained my personal data.

The ICO when asked to look into the case decides the college did nothing wrong.

Moral – keep bad records, mail who you like even those with no relevance to your product, fail to respond to individuals exercising their right to access promptly and you’ll be fine rather than fined. “

I put it down to experience never expecting to hear from the school again but today they emailed me. Despite me reporting them to the ICO and an investigation taking place and their promise to delete my name and address from their database they emailed me with an offer I couldn’t refuse.

I will complain again. This time I have PECR on my side as they have strayed into electronic marketing as well as basic section 11 stuff. The school is also now a serial offender. Will the ICO listen, take action or will I get a similar response 5 months after I complain. See you around Xmas time.

It’s time to name and shame Queen Ethelburgas. Look out for the information notice.

It gets worse.  I chose to report the message as spam as they invited me to. Here’s the screenshot of  their procedure. Only a few errors in spelling and punctuation.


Playground Duty

Teaching? A mugs game. The (mythical) long holidays, the (mythical) 3-30 finish, the (mythical) relaxed and friendly environment as you helped the enthusiastic next generation prepare for adult life…

Playground duty was the bane of my life when I was a teacher. Once a week you had to forgo the 15 minutes of peace in the staff room and that warm cup of coffee and patrol the school playground, breaking up fights, solving Rubik’s cubes and avoid being caught by those awful children’s jokes (If a bottle of medicine cures a cough what does half a bottle of medicine cure?).

So on a recent training session for schools in a northern council we talked to the delegates – mostly Headteachers – about the Publication scheme. We looked at the definition document listing the material the ICO recommended schools to pro-actively publish, we gave them the two common sense Act Now solutions (1. find all the relevant documents and put a paper copy of them in a ring binder in the school office then photocopy on demand or 2. turn them into PDFs and put them on the website so people can download what they want).

After considering all this and thinking for a moment or two one of the delegates (a headteacher no less) said  ” I don’t think we’ll bother with this. It’d take too long.”

What’s the punishment for forgetting to do playground duty?

Opprobium, embarrassment,  ridicule, double duty next week.

What’s the punishment for failing to carry out a duty under section 19 of the Freedom of Information Act for seven and a half years?

Over to you….

(The answer is 50% of a cough. Whatever you do don’t say half a cough).

Marion. The FOI exemption for schools.

We delivered some training today to a school in the north – we have a briefing for schools covering DP & FOI in a half day – and as usual prior to the training we did some research which included making a FOI request to the school. Right at the very end of the afternoon after the case studies and the questions the trainer asked if the school had received any FOI requests in the last 7 years. The head teacher sitting bravely on the front row shook his head. Others chimed in and consensus was milliseconds away when the trainer showed on the screen the screen grab of the request that had been made by email 19 days ago using the school’s contact us page.

Silence and almost simultaneously darkness fell.

‘Looks like a request to me” intoned the trainer, “it’s asked for a biography of the Headteacher and details of his reimbursement package for the last financial year”.

Then Marion the school secretary who’d been sitting at the back spoke. “I might have seen that one” she chirped, ” but I delete anything that looks dodgy”.

“What’s dodgy?” ventured the trainer,

“The name, the email address – I don’t allow hotmail ever”, replied the determined administrator.

The trainer tested out a few requests that he knew had been sent to schools in general – the knife incident request, “deleted that” , The CRB question, “deleted that” and the realisation that Marion had set up a foiwall that had yet to be penetrated settled on the room.

Add in the lack of publication scheme, lack of privacy policy and lack of training and it’s clear there’s a lot of work to do in schools. We have a range of services from an online session to a full day in school with audit, policy work & training. See our website.

Marion is of course a pseudonym. Her real name was Margery.

%d bloggers like this: