According to the Financial Times and Guardian the ICO is set to intervene in nine schools in North Ayrshire following the discovery that pupils faces were being scanned in lunch queues to take payments.
The ICO commented:
“Data protection law provides additional protections for children, and organisations need to carefully consider the necessity and proportionality of collecting biometric data before they do so. Organisations should consider using a different approach if the same goal can be achieved in a less intrusive manner. We are aware of the introduction, and will be making inquiries with North Ayrshire council.”
Whilst the company that provides the software argues this a safe way to take payments in the age of covid the question, as the ICO rightly posits, clearly arises as to whether a less invasive method of safely taking payments could be used.
Simple measures such as issuing pupils with lunch cards that they can scan to identify themselves or even with just a unique ID number that could easily be anonymised and aggregated, would just as easily serve this purpose.
Under Article 35 of the GDPR a Data Protection Impact Assessment must be made before this software is used. This would assess whether the use of facial recognition software was a proportionate means for achieving the legitimate aim of securely taking card payments. Aspects such as the retention period of data, storage methods, basis for processing, safeguards and processes for gathering consent must be considered.
Schools should have mechanisms and documentation in place to explain to children the circumstances of this data collection, storage and their rights under the GDPR, including an option to opt out of the data collection.
Under the GDPR the age where children can consent to the sharing of their personal data in England and Wales is as low as is permissible- thirteen. In Scotland, the location of the schools, the age is lower- at twelve years of age.
Interestingly, North Ayrshire Council indicated that 97% of pupils or their parents had given consent to this process. The Council has temporarily paused the rollout of the software given the ICO’s intervention.
CBR Cumminghams, a company that provides the software, stated that their cameras check pupils faces against encrypted templates, an thus operated differently to “live” facial recognition used by the police to scan for criminal activities, that was challenged in the Bridges case.
A Principal of one of the schools, David Waugh, commented:
“The combined fingerprint and facial recognition system was part of an upgrade to the catering cashless system, so that the time it takes to serve students is reduced, thus giving a better dining experience. However, we will not be using the facial recognition aspect.”
Mischon de Reya has a excellent analysis of these issues, which cover Scotland and are thus outside of TPP’s remit. The BBC also reports on the story.