Use of biometric information in schools
The use of biometric technologies such as fingerprint identification, iris and retina scanning, facial recognition and hand geometry is becoming increasingly common in both the public and private sectors. In recent years, schools have begun to use automated fingerprint identification systems (AFIS) for a variety of purposes including access to school buildings, monitoring attendance, the borrowing of library books and cashless catering. Unlike the alternatives, a fingerprint cannot be lost or stolen, and the technology allows for speed and ease of access.
However, the use of biometric information has proved to be a sensitive issue. Fingerprinting is stigmatised as being indicative of mistrust and increased state intrusion on privacy. There are also security concerns associated with potentially interoperable biometric systems, where information is compatible with external applications and is therefore vulnerable to theft. As such, the law governing the use of biometric information in schools has been the subject of recent review.
Data Protection Act 1998: the current situation
The processing of biometric information is subject to the provisions of the Data Protection Act 1998 (“DPA”), as it falls within the act’s definition of ‘personal data’. The DPA requires schools to process personal data ‘fairly and lawfully’. More specifically, the ‘data subject’ must be informed about, and understand the reasons for which, their personal data is being processed. For the purposes of the DPA, the pupils themselves are the data subjects and accordingly their consent is required, unless the data processing is deemed ‘necessary’ for the school’s ‘legitimate interests’.
At the same time there is no statutory requirement, in the case of a person under 18 years of age, for consent to the processing to also be obtained from the data subject’s parents. Guidance issued in 2008 by the Information Commissioner’s Office (“ICO”) suggested that parents should be fully involved in instances where children may not understand the implications of consenting to the use of AFIS. It was further noted that parents could rightly expect to be informed and consulted about the introduction of biometric systems into their child’s school.
Additionally, in view of the sensitivity of the issue, it was recommended that schools offer flexibility, allowing those who wish to opt out of AFIS alternative means of accessing the same services. This point is particularly pertinent in the context of non-discrimination against persons with a ‘protected characteristic’ under the Equality Act 2010, such as disability, race or religion.
Developments under the Protection of Freedoms Act 2012
Following concerns expressed by some teachers, parents and civil liberties groups, the use of biometric information in schools has been readdressed and additional requirements introduced under the Protection of Freedoms Act 2012 (“PFA”). The Minister for Schools, Nick Gibb, commented that children’s biometric data was sensitive personal information and as such parents must have the right to prevent its use by schools.
The new rules under the PFA are expected to come into force in September 2013 and should be read in conjunction with the DPA. They will require that both parents be informed in writing of the intention to process their child’s biometric information, and that written consent to the processing be obtained from at least one parent. Processing of the data will not be permitted if a parent objects in writing, and furthermore the child themselves can refuse to participate, irrespective of any parental consent. A reasonable alternative means of accessing the relevant services must also be provided where either a parent or child objects.
Earlier this year, the ICO conducted a survey of 400 schools and produced a report advising on data protection issues. The survey found that fewer than 10% of schools were currently utilising biometric information, but the report indicated that this figure was expected to increase. Furthermore, it was found that, whilst there was a general awareness of data protection law, schools needed to focus on compliance with the rules in practice.
In light of the above and the impending legal developments, schools currently using, or intending to introduce, biometric technologies would be advised to review their procedures to ensure they can provide adequate data protection for their pupils.
This briefing is for guidance purposes only. RadcliffesLeBrasseur LLP accepts no responsibility or liability whatsoever for any action taken or not taken in relation to this note and recommends that appropriate legal advice be taken having regard to a client's own particular circumstances.