EDPO (European Data Protection Office)’s Post

🔒 𝗗𝗮𝘁𝗮 𝗣𝗿𝗼𝘁𝗲𝗰𝘁𝗶𝗼𝗻 𝗢𝘃𝗲𝗿𝘀𝗶𝗴𝗵𝘁 𝗶𝗻 𝗦𝗰𝗵𝗼𝗼𝗹𝘀👩🎓👨🎓 The Chelmer Valley High #School case underscores the critical importance of conducting thorough #risk #assessments, such as Data Protection Impact Assessment (#DPIA), when implementing new technologies like facial recognition 📷. The lack of a DPIA resulted in the school failing to properly safeguard sensitive #biometric data, violating students' privacy rights and legal obligations. This incident highlights the need for organizations to prioritize data protection from the #outset, ensuring trust and compliance especially when dealing with vulnerable groups as such as children or teenagers. #DataPrivacy #FacialRecognition #DataProtection #EdTech #DPIA ________________ ⚜ Andrée Gal, Business Attorney, Board Advisory ✍ My topics on LinkedIn: #leadership #corporatelaw #financiallaw #sustainablefinance and #corporategovernance ⭐ Like this post ? Want to see more ? 🔔 Ring it on my profile ⏫ 🔝 Follow me 🔝 Connect with me

The Information Commissioner's Office #ICO has reprimanded an Essex school for its use of facial recognition technology to process canteen payments. The school's deployment of this technology without adequate consent and transparency raised concerns over potential violations of data protection regulations. The ICO found that the school had failed to inform students and their parents about the use of facial recognition technology or the associated risks. Additionally, the school did not seek the required consent for processing biometric data, which includes facial images. This violated the General Data Protection Regulation (GDPR). The use of such technology in schools and other public areas has raised significant privacy concerns, especially when collecting biometric data without proper consent. The ICO emphasizes that organizations must follow strict guidelines when using such technology to ensure compliance with data protection regulations. This includes providing clear information about its purpose and obtaining explicit consent from individuals whose data is being processed. The headmistress of the school issued an apology for the concerns raised and acknowledged the need for proper communication and consent in the use of facial recognition technology. The school has since ceased using the technology and committed to implementing more informed and compliant practices in the future. The ICO's reprimand serves as a reminder to all organizations that the use of advanced technologies, particularly those involving biometric data, must be handled with utmost care and transparency. It underscores the importance of maintaining individuals' privacy rights and complying with data protection laws to avoid potential penalties and reputational damage. #FacialRecognitionTechnology #DataProtection #PrivacyRights #TechnologyInSchools #ConsentMatters #DataCompliance #ICO #GDPR #BiometricData #Transparency

We mentioned the ICO’s action against North Ayrshire Council and Serco over improper use of Facial Recognition Technology last week. Chelmer Valley High School, in Essex, have now been reprimanded for illegal use of FRT. The ICO’s head of privacy innovation said: “We’ve taken action against this school to show introducing measures such as FRT should not be taken lightly, particularly when it involves children. A DPIA is required by law – it's not a tick-box exercise. It’s a vital tool that protects the rights of users, provides accountability and encourages organisations to think about data protection at the start of a project.” If you are using FRT or planning its implementation talk to CSRB via info@csrb.co.uk for advice on data protection impact assessments. #FRT #gdpr #education #privacy #personaldata https://lnkd.in/ekWPrawY

I could easily write only about the Information Commissioner’s capitulation in the face of blatant breaches of data protection law in an Essex academy school. It’s not just that the school failed to carry out a DPIA before introducing facial recognition, school “leaders” failed to consult the DPO. But at this point, the Commissioner’s refusal to enforce the law has to be priced in. Compliance with the UK GDPR is optional. But let’s assume that it’s something your organisation or client wants to do. There’s not much to learn here because the breaches are so basic. The message is comply with the headline requirements of the law; that’s what they didn’t do. But I have a more subtle message, and some of you will hate it. Every time facial recognition causes problems, the same comment is made, often by the same people. Facial recognition should be banned. Nobody should use it. If that’s how you open, prepare to be ignored. Facial recognition is embedded in shops and businesses across the UK. The main legal challenge to the technology failed to get it banned (indeed, the police force that lost the case treated it as a soft win). It’s mainstream. Even here in this limp response, the Commissioner is looking at the how, not the what. John Edwards isn’t going to ban facial recognition anywhere, anytime. So if you say it mustn’t be used, you’re going to look at odds with reality. This isn’t to say that facial recognition is good or that there isn’t a plausible case for banning it. It’s just that the technology’s increasing normalisation has to be acknowledged. But the basic problem that many FR systems are badly trained hasn’t gone away. This technology is the source of active discrimination and unfairness. The necessity of using such systems as opposed to other less intrusive systems isn’t the slam dunk that vendors will present it as. Technology is rarely disinvented. I think the best service you can do is get yourself in the room, be seen to be an enabler not a roadblock. That way, you might mitigate the worst of it. You might even persuade your organisation that the many risks and disadvantages of FR are, in a particular case, unwarranted. I know people who have done this. If you want to take a stand and draw a line, that’s none of my business. But if anything, this reprimand entrenches FR more deeply than it was before. I think we all need to work in that context. https://lnkd.in/ezmKm4zW

With schools breaking up this week, its easy to put issues like this out of our minds but its so important to consider risks when dealing with children's data. Do complete your DPIA's. If you are unsure how or why, do get in touch. Here to help. https://lnkd.in/erfK_2eT #gdpr #dataprotectionimpactassessments #datarisk

With another school year nearly over, education managers have the chance to look at the now halted roll out of facial recognition technology (FRT) by North Ayrshire Council. This is something that has implications in many sectors. The ICO ordered Serco to stop using FRT to monitor leisure centre staff attendance in February this year. What is your opinion on the value of FRT? Do you trust it? Do you see the benefits for organisations and data subjects? https://lnkd.in/gXpgPXP2 #FRT #gdpr #education #privacy #personaldata

On July 23, 2024, Chelmer Valley High School in Chelmsford, Essex, received a reprimand for breaking the law by introducing facial recognition technology (FRT) for cashless canteen payments without a proper data protection impact assessment (DPIA). Key Points: 1. Facial Recognition Technology (FRT): - Introduced in March 2023 to take cashless canteen payments. - Processes biometric data, which carries high data protection risks. 2. Data Protection Impact Assessment (DPIA): - Required to identify and manage risks from processing sensitive data. - The school failed to carry out a DPIA before implementing FRT. Violations: 1. Consent Issues: - No clear permission obtained to process students' biometric information. - Students were not given a choice to opt-in or opt-out. - Parental 'opt-out' consent was wrongly relied upon, which is not legally valid. - Explicit 'opt-in' consent was not sought until November 2023. 2. Consultation Failures: - The school did not seek opinions from its data protection officer. - Parents and students were not consulted before implementation. The reprimand highlights the need for a DPIA as a vital tool to protect user rights, provide accountability, and ensure data protection considerations from the start of a project. Stay informed on data protection and privacy updates with Global Regulatory Insights! #DataProtection #FacialRecognition #Privacy #SchoolTechnology #GRI

A high school in Chelmsford has been reprimanded by the ICO, for breaking data protection law when it introduced facial recognition technology (FRT) in its canteen. Chelmer Valley High School started using FRT in March 2023 to take cashless canteen payments from students. As FRT processes biometric data to uniquely identify people, it results in high data protection risks. As required by UK data protection law (UK GDPR which sits alongside the 2018 Data Protection Act), to use FRT organisations must have a data protection impact assessment (DPIA) in place, to identify and manage the higher risks that may arise from processing sensitive data. The ICO found that the school failed to carry out a DPIA before using the FRT, and no prior assessment was made of the risks to the children's information. The school had not properly obtained clear consent to process the students’ biometric information and the students were not allowed to decide whether they did or didn’t want it used in this way. The school also failed to seek opinions from its data protection officer or consult with parents and students before implementing the technology. A letter was sent to parents with a slip for them to return if they did not want their child to participate in the FRT. Affirmative 'opt-in' consent wasn't sought at this time, meaning the school was wrongly relying on assumed consent. The law does not deem ‘opt-out’ a valid form of consent and requires explicit permission. The ICO also pointed out that most students were old enough to provide their own consent, therefore, parental opt-out deprived students of the ability to exercise their rights and freedoms. The reprimand comes after another ICO case involving FRT earlier this year, where the regulator ordered Serco Leisure to stop using FRT and fingerprint scanning to monitor the attendance of leisure centre employees. Serco failed to show why it was necessary or proportionate to use FRT and fingerprint when there were less intrusive means available such as ID cards or fobs. For a no-obligation conversation about data protection and how we might help, contact Prettys’ dedicated Data Protection and Privacy Team on e: dataprotection@prettys.co.uk or call 01473 232121. #dataprotection #facialrecognitiontechnology #FRT #biometric #DPO #DPIA #school #optin #chelmsford

Nice little article published on the ICO website this week, giving tips on Data Protection tips for early years settings. This is a great reminder of some simple steps organisations can follow to get off on the right foot with Data Protection. As a parent (and a Privacy Professional) it's important that I am confident that my child's nursery and now school is doing the right thing by my child's information. I would also add making sure parents know how to get in touch should they have questions and any transparency over who your child's information may be shared with (such as health peeps, school photographer) and making sure consent can be withdrawn for images being used at any time.... What else would you add? #dataprotection #dataprivacy #privacymatters #privacypros #dpo #dataprotectionofficer #gdpr #childrensdata https://lnkd.in/eBzvXivk

Major changes may be coming to data privacy policies for edtech tools used by kids under 13. The FTC has proposed updates like: ▪️Requiring parental consent for data collection ▪️Stricter limits on data retention times ▪️Enhanced data security measures While protecting student privacy is crucial these policies could impact edtech providers’ ability to continually improve tools. At Azadi Partners, we are committed to centering equity and ethics while enabling personalized, empowering learning experiences. As the policy landscape evolves, we will remain transparent, thoughtful partners to schools and creators in leveraging student data judiciously. We welcome perspectives from educators on this proposed policy shift. How can we uphold privacy while supporting learning? Please share your thoughts below!