25 April, 2023
In a statement published 31 January 2023, the ICO confirmed its view that North Ayrshire Council's (NAC) use of Facial Recognition Technology (FRT) for cashless catering purposes in canteens at nine of its schools is likely to have infringed articles of the UK General Data Protection Regulations (UK GDPR). The new system, which has proved controversial, was implemented with the intention of speeding up queues at lunch time and was suggested to be a more Covid-secure solution than card payments or fingerprint scanners.
In this article we explore the circumstances that gave rise to the investigation by the ICO and the issues FRT poses as a result of domestic data protection legislation in England and Wales.
An enquiry by the ICO was undertaken after privacy campaigners raised concerns over NAC's use of FRT for some of its pupils. Somewhat significantly, the ICO concluded that whilst it may be possible to deploy FRT in schools lawfully, in this case, NAC did not.
More specifically, the ICO was concerned that the technology had been deployed in a manner that is likely to have infringed various data protection laws, including Article 5(1)(a) of the UK GDPR relating to personal data being processed lawfully, fairly and in a transparent manner. Individuals have the right to be informed about the collection and use of their personal data; this is a key transparency requirement under the UK GDPR as set out under Article 5(1)(a) and in Articles 12 and 13. The ICO commented that NAC took steps to alert children and parents to the processing of their biometric data via a number of channels including emails, social media, and FAQs. Whilst the ICO described this as "positive", its view was that NAC was ultimately unlikely to have complied with the requirements of Article 12, as it did not ensure that the content of its privacy notice was provided to children in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. In addition to this, the ICO highlighted that the communications from NAC underplayed the complexity of FRT. Although NAC's use of FRT involved children at secondary school under the age of 16 years old, organisations providing higher education must be aware of their obligations and responsibilities under domestic data protection legislation if they choose to implement FRT in their establishment.
FRT and other similar technologies can offer benefits within an education setting; however, the processing of special category data is not without risk.
One of the ICO's main concerns was that NAC was unable to demonstrate a lawful basis for the processing. As the FRT system is classed as special biometric data, there must be both a lawful basis for processing under Article 6 of the UK GDPR and a condition for processing the special category data under Article 9 of the UK GDPR. NAC stated it was relying on consent as its lawful basis under Article 6(1)(a) and explicit consent under Article 9(2)(a) for processing special category data.
The ICO considered the forms sent to individuals, including pupils and parents within the school, and determined that consent wasn't freely given. There needs to be a genuine choice available for individuals and in this case, NAC's FRT consent form stated, "facial recognition will be used for authenticating all secondary school pupils that require access to school meals and/or snacks, including those eligible for free school meals." This does not present FRT as an option and the ICO said it appears "unlikely" that consent was freely given.
Further to this, the ICO criticised the Data Protection Impact Assessment (DPIA) undertaken by NAC and said it was unlikely to have complied with Article 35 of the UK GDPR. In particular, there were no risks identified in the DPIA relating to the processing of children's biometric data, and NAC should have ensured that its DPIA contained advice from its Data Protection Officer (DPO) to show that the controller had considered all relevant risks and what, if any, changes had been made as a result.
Whilst the decision to implement FRT in certain situations may be controversial, this investigation represents a recognition by the ICO that FRT represents a progressive means of processing data, particularly in the education sector. Notwithstanding the ICO's agreement that implementation can be done successfully, organisations must keep in mind the restrictions imposed on them, as data controllers, by the domestic data protection legislation. To increase confidence in their compliance with the UK GDPR, we recommend that organisations using FRT should:
You can view the full statement relating to NAC's use of FRT by the ICO here.
Should you require any assistance or advice in relation to implementing FRT within your organisation and/or conducting an audit of your existing FRT process, please do not hesitate to contact our GPI team at email@example.com, where we will be more than happy to assist you with any matters or concerns you have.