Biometric technology systems in schools: guidance

This guidance provides basic information for education authorities about biometric technology systems and considerations to take account of relating to their potential use within schools.


Relevant legislation

Legislative context

16. Section 1 of the Education (Scotland) Act 1980 places a duty on every education authority “to secure that there is made for their area adequate and efficient provision of school education and further education”. Section 17(1) of the Education (Scotland) Act 1980 places a further duty on education authorities to provide for their area sufficient accommodation in public schools and other educational establishments under their management to enable them to perform their functions. The education authority may, for the purposes of fulfilling this duty, provide, alter, improve, enlarge, equip, and maintain schools and other educational establishments outwith as well as within their area. Accordingly, education authorities can implement biometric systems in schools, so long as this complies with the relevant data protection legislation.

The Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR)

17. The Data Protection Act 2018 (the 2018 Act) sets out the framework for data protection law in the UK. The 2018 Act was amended on 1 January 2021 by regulations made under the European Union (Withdrawal) Act 2018, to reflect the UK’s status outside the EU. The 2018 Act sits alongside and supplements the UK GDPR. Further guidance on the 2018 Act is available on the ICO website at: introduction-to-dpa-2018-1-0.pdf (ico.org.uk).

18. The UK GDPR came into effect on 1 January 2021. It sets out the key principles, rights, and obligations for the processing of personal data in the UK (except for law enforcement and intelligence agencies). The UK GDPR is based on the EU GDPR which applied in the UK before 1 January 2021, with some changes to make it work more effectively in a UK context. Further guidance on the UK GDPR is available at Guide to the General Data Protection Regulation (GDPR).

19. The above legislation governs the processing of personal data. The term “processing” includes (but is not limited to) the obtaining, recording, holding, using, organising, disclosing, altering, or erasing of personal data. The term “personal data” refers to data which relates to an individual who can be identified or who is identifiable from that data (or from a combination of that data and other information).

20. There are different types of personal data and certain types require more protection as this data is sensitive. This type of data is known as “special category personal data” and includes data which reveals or concerns racial or ethnic origins; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data (where used for identification purposes); health; sex life and sexual orientation. Further information is available on the ICO website at Special category data | ICO.

21. The 2018 Act and the UK GDPR apply to education authorities as they process personal data. Education authorities are therefore “data controllers”, as they determine the purpose(s) and means by which personal data is processed. The pupils to whom the data relates are “data subjects”.

22. Before processing personal data, education authorities must determine the lawful basis for processing such data. Article 6 of the UK GDPR sets out the six lawful bases for processing data. The ICO’s website provides information about processing biometric data lawfully, which may be helpful for education authorities to consider when determining the lawful basis for processing biometric data. Biometric data (when used for identification purposes) is special category personal data. Accordingly, as well as determining a legal basis under Article 6 of the UK GDPR, education authorities must also identify a condition for processing this type of data under Article 9 of the UK GDPR although these do not have to be linked. Education authorities are to decide what lawful basis (and condition where necessary) is the most appropriate.

23. Public task is an example of a lawful basis for processing personal data. Here the data controller is to be satisfied that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Education authorities should speak with their own Data Protection Officer and legal team to check if the purpose of the data collection and processing fits within the public task basis (or any other legal basis). Further information is available on the ICO website through the following link: Public task | ICO.

24. When processing a pupil’s personal data, including special category data, education authorities must comply with the following data protection principles. The seven key principles are set out in the UK GDPR and include:

  • Lawfulness, fairness, and transparency principle: education authorities must identify an appropriate lawful basis for processing (lawfulness), comply with the transparency obligations of the right to be informed by providing a privacy notice (transparency) and consider how the processing may affect the individuals concerned and be able to justify any adverse impact (fairness).
  • Purpose limitation principle: data is used only for the purposes for which it was obtained and is not unlawfully disclosed to third parties.
  • Data minimisation principle: education authorities must ensure that the data they collect is adequate, relevant, and limited to what is necessary.
  • Accuracy principle: education authorities must take reasonable steps to ensure the data they hold is not incorrect or misleading as to any matter of fact.
  • Storage limitation principle: data is kept no longer than necessary. A school should, therefore, destroy any data held on a biometric technology system once a pupil no longer uses the system. For example, the data should be destroyed if the pupil leaves the school, or if consent is withdrawn.
  • Integrity and confidentiality (security) principle: data must be kept secure to prevent unauthorised or unlawful use of the data.
  • Accountability principle: requires education authorities to take responsibility for what they do with personal data and how they comply with the other principles, for example by conducting a data protection impact assessment (DPIA) for high-risk processing. Further information about DPIAs is set out in more detail in paragraphs 59 to 62.

25. In addition, education authorities must process personal data in accordance with data subjects’ rights and must not transfer the data to other countries that do not have the same level of data protection.

Other legislation

26. While this document primarily provides guidance in respect of data protection legislation, there are other legal considerations that apply to the processing of personal data more generally, such as the Human Rights Act 1998, the Equality Act 2010, and the common law duty of confidentiality. Education authorities may wish to seek their own legal advice on these matters where appropriate.

Contact

Email: douglas.forrester@gov.scot