The Details Commissioner’s Jam of business has reprimanded Chelmer Valley High College in Chelmsford for introducing facial recognition and failing to behavior a legally required files security impression evaluate and produce the particular consent of students
The UK’s files regulator has reprimanded a secondary college in Essex for illegally deploying facial-recognition technology to remove cashless canteen funds from students.
Below the UK Classic Records Security Regulation (GDPR), the Details Commissioner’s Jam of business (ICO) has the facility to help formal reprimands, as neatly as fines and other enforcement notices, when organisations destroy the law.
Which potential that of the high files security risks associated with processing sensitive biometric files, organisations looking to deploy facial recognition for the processing of young other folks’s files are obliged to provide files security impression assessments (DPIAs) to call and arrange risks with the system.
Despite this factual requirement, the ICO came across that Chelmer Valley High College in Chelmsford started the spend of the facial-recognition system – supplied by CRB Cunninghams – in March 2023 without ever having done a DPIA. It said this intended no prior evaluate used to be manufactured from the dangers to the 1,200 young other folks’s files attending the college.
“A DPIA is required by law – it’s no longer a tick-field exercise. It’s a if truth be told foremost tool that protects the rights of customers, affords accountability and encourages organisations to factor in files security at the originate of a venture,” said Lynne Currie, the ICO’s head of privateness innovation.
“Handling other folks’s files accurately in a college canteen atmosphere is as foremost as the coping with of the food itself. We count on all organisations to provide the compulsory assessments when deploying a brand unique technology to mitigate any files security risks and shatter certain their compliance with files security laws.
“We’ve taken action against this college to illustrate introducing measures a lot like FRT must no longer be taken calmly, namely when it entails young other folks.”
Currie added that whereas the ICO does no longer want to discourage faculties from embracing unique technologies, safeguarding young other folks’s privateness and files rights need to stay at the forefront.
The regulator furthermore came across that the college didn’t produce obvious consent to task the students’ biometric files, and failed to search the advice of with either them or their other folks sooner than imposing the tech.
In step with the reprimand, whereas a letter used to be sent to other folks in March 2023 with a lumber for them to realize in the event that they didn’t desire their child to remove part, there used to be furthermore no likelihood to give consent to the design, that suggests the college used to be wrongly counting on assumed consent till November 2023.
The ICO added that because most students were passe sufficient to provide their very comprise consent (under UK files security law, the age of consent for processing a child’s inner most files is 13 years passe), the “parental select-out disadvantaged students of the flexibility to exercise their rights and freedoms”.
The college furthermore failed to search the advice of with its comprise files security officer, which the ICO said it believes would devour helped obvious up any compliance points sooner than the processing starting off.
To clear up the points, the ICO said that Chelmer Valley need to total a DPIA and integrate the outcomes reduction into the venture plans sooner than any unique processing, noting the evaluate must “give thorough consideration to the necessity and proportionality of cashless catering, and to mitigating particular, extra risks a lot like bias and discrimination”.
It added that the college has since done a DPIA for the facial-recognition system in November 2023, which used to be then submitted to the ICO by its DPO, as neatly as taken remedial steps to provide particular select-in consent from students passe sufficient to give it.
Nonetheless, it furthermore illustrious that the reprimand used to be no longer legally binding and that following these suggestions used to be voluntary for the college.
“If at some point the ICO has grounds to suspect that Chelmer Valley High College will not be any longer complying with files security law, any failure by Chelmer Valley High College to rectify the infringements place out on this reprimand (that will seemingly be done by following the commissioner’s suggestions or taking alternative appropriate steps) will seemingly be taken into fable as an demanding part in deciding whether or no longer to remove enforcement action,” it said.
The regulator previously said in 2021 that faculties the spend of facial recognition systems need to pay attention to less intrusive programs to let pupils pay for meals, whereas a bunch of marketing campaign groups – including Liberty and Shield Digital Me – devour prolonged argued that facial recognition and other biometric identification technologies construct no longer devour any role in faculties.
The frail biometrics commissioner for England and Wales, Fraser Sampson, furthermore previously said there devour been evident risks with the spend of biometric files and technology in college settings, which could presumably per chance presumably result in surveillance being normalised to young other folks.
Computer Weekly contacted Chelmer Valley, but didn’t receive a response by time of e-newsletter.
Learn more on Colossal files analytics
![]()
UK files regulator must investigate police cloud deployments
By: Sebastian Klovig Skelton
![]()
Police Scotland didn’t search the advice of ICO about high-likelihood cloud system
By: Sebastian Klovig Skelton
![]()
ICO prompts confusion over police cloud legality
By: Sebastian Klovig Skelton
![]()
High 10 police technology tales of 2023
By: Sebastian Klovig Skelton
