Biometric technology systems in schools: guidance

Considerations when implementing biometric technology systems

Consideration of the introduction of biometric technology systems

27. The decision to use biometric technology systems in schools is a local level decision for each education authority. The key issues to consider include whether the use of biometric data is proportionate (that is whether there is an identified need for this type of technology solution) and the potential impact this may have on data subjects. Additional key issues include the question of consent and the option to opt out.

28. The data protection principles of the UK GDPR are to be considered when an education authority is deciding whether to introduce a biometric technology system and which system is most appropriate. Therefore, an important question to be addressed is whether there is an identified need for this type of technology and its potential impact on data subjects, by considering factors such as:

• the school environment - does the nature of the school environment require high levels of security?
• existing systems - is the adequacy, efficiency, or reliability of existing systems in doubt, such that a new solution is required?
• has there been an examination of a number of types of system solutions, both biometric and non-biometric that are available?
• what are the evidenced benefits of a biometric technology system over other options?
• could an alternative system such as a smartcard be a less intrusive solution and provide the same outcome?
• has a DPIA been carried out? (see paragraphs 59 to 62 below)
• can the biometric technology system provide transparency of operation, accuracy of data and appropriate security, to ensure data protection principles and requirements are met?
• is the biometric technology system a self-contained system, where images cannot readily be used by computers running other fingerprint recognition applications?
• can an effective and user-friendly system be put in place for pupils who wish to opt out of any biometric technology system?
• can the education authority ensure that pupils who are unable to provide biometric data, because of a disability for example, are not discriminated against by being required to operate an alternative system?

29. Education authorities are reminded that it is not necessary to introduce biometric systems to meet the duty set out in section 53B of the Education (Scotland) Act 1980, to take reasonable steps to ensure that those in receipt of free school meals cannot be identified as such by anyone other than an authorised person. There is a variety of ways in which this can be achieved, which do not require a biometric type of solution, for example smartcards.

30. When introducing systems, for example, to enable pupils to collect their school lunches in a quick and convenient way, education authorities should contemplate what it considers to be the best and least privacy intrusive method. Before making a final decision, education authorities should undertake a balancing exercise - particularly where less-intrusive methods are available. This balancing exercise should consider relevant factors such as speed, reliability, and ease of use etc. It is also essential to take account of equalities-related considerations, such as accessibility for pupils with disabilities or other additional support needs. If there are concerns about accessibility, alternative systems should be put in place. Education authorities should be able to demonstrate that the adopted system is a necessary and proportionate solution and a rationale for its use should be documented.

Lawfulness, fairness and transparency of biometric systems

31. When proposing the introduction of biometric systems, education authorities must have an appropriate lawful basis for processing personal data (as set out in more detail in paragraph 22 above) and should not do anything with the personal data that would be unlawful in a more general sense.

32. Education authorities must process personal data fairly. This means that the data must not be processed in a way that is unduly detrimental, unexpected, or misleading to the data subjects concerned etc. Personal data should only be processed in a manner that data subjects would reasonably expect. In order to assess whether or not data is being processed fairly, it is essential to consider how such processing affects the interests of the data subjects concerned, both as a group and individually.

33. In relation to biometric systems that use artificial intelligence (AI), the risks to the rights and freedoms of pupils that may arise when using AI should be assessed and appropriate technical and organisational measures should be implemented to mitigate these risks. Any processing of personal data using AI that leads to unjust discrimination between people, will violate the fairness principle. Further information about fairness in relation to AI is available on the ICO’s website through the following link: About this guidance | ICO.

34. Transparency is fundamentally linked to fairness and encourages personal data to be processed in a manner that is clear, open and honest. Data subjects should know at the outset about who is processing their data as well as how and why such data will be processed. It is also essential to tell data subjects about processing in a way that is accessible and easy to understand. Further information about fairness and transparency is available on the ICO’s website: Principle (a): Lawfulness, fairness and transparency | ICO.

35. Children must be provided with the same information about data processing as adults to ensure children are provided with choice and control over the processing of their data. Further information about how the right to be informed affects children is available on the following web link: How does the right to be informed apply to children? | ICO.

Consultation

36. Under the Scottish Schools (Parental Involvement) Act 2006, education authorities have a duty to promote the involvement of parents/carers in the education provided by the school. Section 2 of the Standards in Scotland’s Schools etc. Act 2000 also requires education authorities to have due regard (as far as is reasonably practicable) to the views of the children or young persons in decisions that significantly affect them, taking account of the child or young person’s age and maturity. Accordingly, education authorities are expected to inform, consult, and consider the views of parents/carers and pupils in relation to the implementation of biometric technology systems in schools. It is essential that the views of parents/carers and pupils are sought at an early stage.

37. Before deciding to install a biometric technology system, education authorities must carry out a DPIA (see paragraph 62). Education authorities should be open and transparent with parents/carers and pupils when considering the implementation of biometric technology systems in schools. Clear and unambiguous information should be provided which sets out the purpose(s) of this exercise and how pupils’ data will be processed. Education authorities should explain how special category personal data will be kept safe and have clear retention policies that allow them, for example, to reassure parents/carers and pupils that all biometric data will be destroyed when the pupil leaves the school. Information concerning consent, how to opt out and alternative systems which may be used should also be made available. Acknowledgement of the privacy rights children have under Article 8 of the European Convention on Human Rights and Article 16 of the United Nations Convention on the Rights of the Child would also be helpful.

Consent

38. Consent is another example of one of the six available lawful bases mentioned in the UK GDPR. If consent is to be used as a lawful basis, education authorities must ensure that it meets the high standards set out in the UK GDPR. Consent must be freely given, specific and fully informed. The element ‘free’ implies a real choice by the data subject. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid. It must also be revocable (i.e., pupils must be able to withdraw their consent) and education authorities should have clear procedures in place to action and record this.

39. Explicit consent can also legitimise the use of special category personal data. This is not defined in the UK GDPR, but it is not likely to be significantly different from the high standards of consent set out in paragraph 38 above. The key difference is likely to be that explicit consent must be affirmed in an oral or written clear statement. Further information about consent, including explicit consent, is available on the ICO’s website: What is valid consent? | ICO.

40. Where pupils and/or parents/carers object to the use of their biometric data and choose to opt out of activities concerned with the processing of that data, the education authority must delete any such data. Education authorities should reassure families that, for example, the Young Scot card is not capable of holding biometric data and that such data will not be held on the pupils’ educational records. Further information about taking the needs of pupils with disabilities into account is covered in paragraph 45 below.

41. Education authorities must also provide pupils (or their parents/carers where a pupil does not have capacity) with a privacy notice which sets out the purposes for processing their personal data, retention periods for that data, and who the data will be shared with.

42. Section 208 of the Data Protection Act 2018 provides that individuals are to be taken to have capacity, in relation to exercising data protection rights and giving data protection consent, where the individual has a general understanding of what it means to exercise such rights or give such consent. In Scotland, children aged 12 or over are presumed to be of a sufficient age and maturity to be able to exercise their data protection rights, unless it can be proven otherwise. In practice this means that those aged 12 or over would be expected to consent for their own personal data use unless they do not have capacity.

43. In circumstances where a pupil is considered to not be of sufficient age, maturity, or capacity in data protection terms, an education authority should normally seek the consent of a person with parental responsibilities for that pupil, unless it is considered that this would be against the best interests of the pupil. For pupils over the age of 12, it would also be appropriate to document why it is believed that the pupil is not of sufficient age and maturity to provide their own consent. If consent is to be accepted from a person with parental responsibilities, consideration should be given about how to let the pupil know they have a right to withdraw such consent once they are deemed to have the capacity to make this decision.

44. The ICO website states that children need particular protection when processing their personal data because they may be less aware of the risks involved. When processing children’s personal data, children’s rights should be protected from the outset, and systems and processes should be designed with this in mind. Further information is available on the ICO website at: Children | ICO.

Providing alternative arrangements for pupils

45. Under the provisions of Part 6 of the Equality Act 2010, education authorities need to consider how they will ensure that pupils who are unable to provide biometric data, because of a disability for example, are not discriminated against by being required to operate an alternative system. It is for education authorities to decide at a local level what alternative arrangements should be put in place under such circumstances. Alternative options could include the use of smartcard systems.

46. In addition, where any pupil and/or parents/carers simply chooses to opt out of processes using biometric data, access to alternative systems such as smart cards should be offered so that those who wish to opt out can be given another means of accessing the same services without detriment. Parents/carers and pupils should be made aware of the option to opt out, and they should also be given details about what alternatives are available.

Security

47. Education authorities must process personal data in a secure manner and ensure such data is protected from unauthorised processing and accidental loss, destruction, or damage. This obligation is set out in the sixth data protection principle under Article 5 of the UK GDPR.

48. Education authorities should implement appropriate technical and organisational measures to ensure biometric data and systems are secure. Article 32 of the UK GDPR refers to encryption (a mathematical function that encodes data in such a way that only authorised users can access it) as an example of an appropriate technical measure. Education authorities are expected to store biometric data securely, not keep such data for longer than necessary and ensure that the data is only processed for the purposes for which they are obtained.

49. Education authorities must have written contracts with any third party that processes personal data on their behalf and ensure such processing is carried out in accordance with the 2018 Act and the UK GDPR. Education authorities should also consult with their Data Protection Officer where necessary to obtain further information on their data protection obligations.

50. In relation to personal data breaches, education authorities must have a response plan in place to address such breaches and a process to notify the ICO of a serious breach within 72 hours of becoming aware of it. Further information about reporting a personal data breach is available on the ICO website: Report a breach | ICO.

Data Protection Officers

51. Under the UK GDPR, education authorities have a duty to appoint a Data Protection Officer (DPO) who is to assist with monitoring internal compliance, inform and advise on data protection obligations and DPIAs, as well as act as a contact point for data subjects and the ICO. A DPO can be an existing employee or externally appointed. Further information about the role of a DPO is available through the following web link: Data protection officers | ICO.

52. Where an education authority wishes to introduce a biometric technology system, they should seek advice from their DPO before making any decision to proceed with the use of such a system. The DPO is not personally liable for compliance with the UK GDPR and other data protection laws. This responsibility remains with the education authority.

Accuracy

53. Personal data requires to be accurate and, where necessary, kept up to date under the fourth data protection principle in Article 5 of the UK GDPR. Additionally, education authorities are required to take every reasonable step to erase or rectify inaccurate personal data without delay, having regard to the purposes for which the data is processed. Therefore, education authorities must ensure biometric technology systems accurately identify pupils and update characteristic images where appropriate. For example, if there is a relevant change to a pupil’s physical characteristic, such as a fingerprint becoming distorted due to an injury, a procedure should be put in place to update the image where necessary.

Access and use of data

54. There should be clear procedures and rules restricting access to biometric data. For example, access controls could be used to ensure only authorised persons access this data. Procedures should specify why, when, and how access to biometric data will be permitted. A record of access to this data should also be developed. Biometric data should not be passed to any third parties, except where allowed for under the 2018 Act.

55. Biometric systems should be self-contained systems, whose data cannot readily be used by computers running other fingerprint recognition applications.

56. In accordance with the second data protection principle under Article 5 of the UK GDPR, pupils’ biometric data should not be used for any purpose other than those for which it was originally obtained. The second principle provides that personal data is to be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes are, in accordance with Article 89(1) of the UK GDPR, not considered to be incompatible with the initial purposes.

57. Under Article 21 of the UK GDPR, pupils have the right to object to the processing of their personal data. The right to object only applies in certain circumstances and this depends on the purpose(s) for processing and the lawful basis for processing. Where the provisions within Article 6(1)(e)^[1] or (f)^[2] of the UK GDPR are engaged, a pupil may have the right to object. The education authority should stop processing personal data under the conditions set out above, unless they can demonstrate compelling legitimate grounds for processing such data.

Retention

58. A retention policy requires to be devised in advance of the deployment of the biometric system which clearly sets out the retention period for keeping biometric data. The fifth data protection principle in Article 5 UK GDPR provides that personal data must be kept for no longer than is necessary for the purposes for which the data is processed. Therefore, it is envisaged that as soon as a pupil permanently leaves a school, their biometric data will be immediately deleted.

Data Protection Impact Assessment (DPIA)

59. Article 35 of the UK GDPR introduces the concept of a DPIA. A DPIA is a tool to help identify and minimise data protection risks. Conducting a DPIA meets, in part, an education authority’s accountability obligations under UK GDPR. An effective DPIA will allow education authorities to manage and review problems at an early stage, demonstrate compliance with data protection obligations and meet pupils’ expectations of privacy.

60. The ICO recommends undertaking DPIAs before processing biometric data and before processing data relating to vulnerable data subjects, such as children. Further information about undertaking DPIAs is available on the ICO website: When do we need to do a DPIA? | ICO.

61. There is no definitive DPIA template that must be followed. Education authorities can use a standard template or develop their own template to suit their particular needs. Further guidance on DPIAs and a sample template is available on the ICO website at How do we do a DPIA? | ICO.

62. A DPIA does not eradicate all risk but should help minimise and determine whether, or not, the level of risk is acceptable in the circumstances. A DPIA is legally required where processing “is likely to result in a high risk,” such as significant physical, material, or non-material harm to individuals. In circumstances where a DPIA identifies a high risk, and measures cannot be put in place to reduce this, the education authority must consult with the ICO before processing such data under Article 36 of the UK GDPR. The ICO considers that any processing of biometric data is likely to result in a high risk. Accordingly, education authorities are to conduct a DPIA before processing biometric data. More detailed information on DPIAs is available on the ICO's website through the following link: Data protection impact assessments | ICO.

Critical risk management

63. Education authorities should ensure that adequate back-up systems and plans are in place to cover any breakdown or issues with the biometric technology system.