The guidance follows the case of Bridges, in which the Court of Appeal criticised the South Wales Police Force's use of live facial recognition software. TPP has covered the Bridges appeal in depth.
TPP is pleased to announce that the article that appeared on this site analysing the use of facial recognition software in schools in North Ayrshire has been republished by the Student Lawyer.
The Student Lawyer is a go-to legal news and blogging site for law students. You can find the article here.
According to the Financial Times and the Guardian, the ICO is set to intervene in nine schools in North Ayrshire following the discovery that pupils' faces were being scanned in lunch queues to take payments.
The ICO commented:
“Data protection law provides additional protections for children, and organisations need to carefully consider the necessity and proportionality of collecting biometric data before they do so. Organisations should consider using a different approach if the same goal can be achieved in a less intrusive manner. We are aware of the introduction, and will be making inquiries with North Ayrshire council.”
Whilst the company that provides the software argues this is a safe way to take payments in the age of Covid, the question clearly arises, as the ICO rightly posits, as to whether a less invasive method of safely taking payments could be used.
Simple measures, such as issuing pupils with lunch cards that they can scan to identify themselves, or even with just a unique ID number that could easily be anonymised and aggregated, would just as easily serve this purpose.
Under Article 35 of the GDPR a Data Protection Impact Assessment must be made before this software is used. This would assess whether the use of facial recognition software was a proportionate means for achieving the legitimate aim of securely taking card payments. Aspects such as the retention period of data, storage methods, basis for processing, safeguards and processes for gathering consent must be considered.
Schools should have mechanisms and documentation in place to explain to children the circumstances of this data collection, storage and their rights under the GDPR, including an option to opt out of the data collection.
Under the GDPR, the age at which children can consent to the sharing of their personal data in England and Wales is as low as is permissible: thirteen. In Scotland, the location of the schools, the age is lower, at twelve years of age.
Interestingly, North Ayrshire Council indicated that 97% of pupils or their parents had given consent to this process. The Council has temporarily paused the rollout of the software given the ICO’s intervention.
CRB Cunninghams, a company that provides the software, stated that their cameras check pupils' faces against encrypted templates, and thus operate differently to the “live” facial recognition used by the police to scan for criminal activities, which was challenged in the Bridges case.
A Principal of one of the schools, David Waugh, commented:
“The combined fingerprint and facial recognition system was part of an upgrade to the catering cashless system, so that the time it takes to serve students is reduced, thus giving a better dining experience. However, we will not be using the facial recognition aspect.”
“The algorithms of the law must keep pace with new and emerging technologies.”- at p
The Administrative Court, with Haddon-Cave LJ and Swift J sitting, has heard the first case on the lawfulness of the police using automated facial recognition software (“AFR”). The case concerned South Wales Police's (“SWP”) use of AFR in two instances where they allegedly recorded the image of the Claimant: once on 21 December 2017 at Queen Street, Cardiff, and again at the Defence Procurement, Research, Technology and Exportability Exhibition (“the Defence Exhibition”) on 27 March 2018.