Can organisations implement Facial Recognition Technology in a way that is compliant with the UK GDPR?

Gemma Duxbury

Published: April 25th, 2023


In a statement published 31 January 2023, the ICO confirmed its view that North Ayrshire Council's (NAC) use of Facial Recognition Technology (FRT) for cashless catering purposes in canteens at nine of its schools is likely to have infringed articles of the UK General Data Protection Regulation (UK GDPR). The new system, which has proved controversial, was implemented with the intention of speeding up queues at lunch time and was suggested to be a more Covid-secure solution than card payments or fingerprint scanners.

In this article we explore the circumstances that gave rise to the investigation by the ICO and the issues FRT poses as a result of domestic data protection legislation in England and Wales.

Investigation by the ICO

An enquiry by the ICO was undertaken after privacy campaigners raised concerns over NAC's use of FRT for some of its pupils. Somewhat significantly, the ICO concluded that whilst it may be possible to deploy FRT in schools lawfully, in this case, NAC did not.

More specifically, the ICO were concerned that the technology had been deployed in a manner that is likely to have infringed various data protection laws including Article 5(1)(a) of the UK GDPR relating to personal data being processed lawfully, fairly and in a transparent manner. Individuals have the right to be informed about the collection and use of their personal data; this is a key transparency requirement under the UK GDPR as set out under Article 5(1)(a) and in Articles 12 and 13. The ICO commented that NAC took steps to alert children and parents to the processing of their biometric data via a number of channels including emails, social media, and FAQs. Whilst the ICO described this as "positive", its view was that the NAC was ultimately unlikely to have complied with the requirements of Article 12 as it did not ensure that the content of its privacy notice was provided to children in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. In addition to this, the ICO highlighted that the communications from NAC underplayed the complexity of the FRT technology. Although NAC's use of FRT involved children at secondary school under the age of 16 years old, organisations providing higher education must be aware of their obligations and responsibilities under domestic data protection legislation if they choose to implement FRT in their establishment.

Compliance with UK GDPR

FRT and other similar technologies can offer benefits within an education setting; however, the processing of special category data is not without risk.

One of the ICO's main concerns was that NAC were unable to demonstrate a lawful basis for the processing. As the data processed by the FRT system is classed as special category biometric data, there must be both a lawful basis for processing under Article 6 of the UK GDPR and a condition for processing the special category data under Article 9 of the UK GDPR. NAC stated it was relying on consent as its lawful basis under Article 6(1)(a) and explicit consent under Article 9(2)(a) for processing special category data.

The ICO considered the forms sent to individuals including pupils and parents within the school and determined that consent wasn't freely given. There needs to be a genuine choice available for individuals and in this case, the NAC's FRT consent form stated, "facial recognition will be used for authenticating all secondary school pupils that require access to school meals and/or snacks, including those eligible for free school meals." This does not present FRT as an option and the ICO said it appears "unlikely" that consent was freely given.

Further to this, the ICO criticised the Data Protection Impact Assessment (DPIA) undertaken by NAC and said it was unlikely to have complied with Article 35 of the UK GDPR. In particular, there were no risks identified in the DPIA relating to the processing of children's biometric data and NAC should have ensured that its DPIA contained advice from its Data Protection Officer (DPO) to show that the controller had considered all relevant risks and what, if any, changes had been made as a result.


Whilst the decision to implement FRT in certain situations may be controversial, this investigation represents a recognition by the ICO that FRT represents a progressive means of processing data, particularly in the education sector. Notwithstanding the ICO's agreement that implementation can be done successfully, organisations must keep in mind the restrictions imposed on them as data controllers by domestic data protection legislation. To increase confidence in their compliance with the UK GDPR, we recommend that organisations using FRT should:

  • Ensure there is a valid lawful basis for processing personal data. When processing special category data, you must also ensure that a further condition for lawful processing is met in accordance with Article 9 of the UK GDPR.
  • Ensure that the processing is transparent. It is vital that organisations are able to explain in appropriate language how individuals' data will be collected, used, stored, and retained. The risks associated with its processing should be clearly set out in a legible format, which can be accomplished by producing an appropriate privacy notice.
  • Ensure that a comprehensive DPIA that complies with Article 35 requirements has been completed. The DPIA should also take into account the advice of the organisation's DPO and document this.

You can view the full statement relating to NAC's use of FRT by the ICO here.

Should you require any assistance or advice in relation to implementing FRT within your organisation and/or conducting an audit of your existing FRT process, please do not hesitate to contact our GPI team at, where we will be more than happy to assist you with matters or concerns you have.
