NEW: We’ve taken action against Chelmer Valley High School in Essex for introducing facial recognition technology (FRT) to take cashless payments. Read on to see what you can learn from the case ⬇️ ⚖️ The case Chelmer Valley High School first started using the technology in March 2023 to take cashless canteen payments from students. However, the school failed to carry out a DPIA before using the technology. We found that the school sent a letter to parents and guardians in March 2023 if they did not want their child to take part in FRT. This means the school relied on assumed consent and affirmative 'opt-in' consent wasn't sought at this time. The law does not deem ‘opt out’ a valid form of consent and requires explicit permission The school failed to consult with parents, guardians, students or the data protection officer before implementing the technology. 💡 What schools can learn from the case 1. Ensure that your entire organisation knows to ask themselves the question whenever using personal information in a new or different way, does this need a DPIA? ➡️ See our accountability framework to help you assess your processes: https://lnkd.in/eWHiYGwb 2. If you’re considering cashless catering ensure you have given thorough consideration to it’s necessity and proportionality, and to mitigating specific, additional risks such as bias and discrimination. ➡️ See our FRT guidance: https://lnkd.in/eWvs-_th ➡️ See our case study on North Ayrshire Council schools and their use of facial recognition technology: https://lnkd.in/ePmHAw7X 4. Ensure that DPOs are closely included when considering new projects or operations using personal information. You should document their advice and any changes that are made as a result. ➡️ See our Accountability Framework for guidance on how to assess your organisation’s roles and structure: https://lnkd.in/eDbTJm3m You can read the case and reprimand in full: https://lnkd.in/ezmKm4zW
I was like: yay, at last! Then I saw it was a finger-wagging letter, not actual enforcement. What’s the point of having a law if there are no consequences for violating it? What’s the point of having a regulator that doesn’t take meaningful, effective action? And what’s the ICO doing about all the other schools that are *already* unlawfully using LFR tech?!
Simon Hinks
1mo
I find this reprimand interesting on two accounts , firstly how the school chose to keep their DPO out of the setting up of LFR or taking their advice , surely someone must have raised a data protection question and secondly I was looking for the amount £ they would have been fined if it was a business doing the same. I'm an advocate of LFR but surely people must have twigged that data protection rules play a part and should be taking and looking for advice pre-install.
Tim Turner
1mo
It's not true to claim that you've "taken action". You've made some recommendations.
Mark Richards
1mo
If all the schools will receive is a reprimand, then can the Information Commissioner's Office explain why should schools bother with upfront privacy assessments? From a risk perspective, if the worst is likely a reprimand, then it appears it is much cheaper for schools to take the risks of violating kids privacy with their technology choices until caught.
And yet you do nothing against Nat West who require biometric data to allow customers to make payments to regular recipients. The actions of the Information Commissioner's Office are laughable.
This response addresses serious concerns regarding the Information Commissioner's Office (ICO) and its role in safeguarding public privacy. ICO Competency and Resource Allocation We have identified significant concerns about the ICO's case officers and case leads capacity to effectively fulfill its mandate. Specifically, there appears to be a critical shortage of competent ICO staff with necessary legal expertise and implementation of uk GDPR. This deficiency undermines the ICO's ability to provide robust oversight and enforcement of data protection regulations. This approach is insufficient to address the evolving landscape of data privacy and the increasing complexity of data protection challenges. ICO and Article 8: Right to Privacy The ICO's failure to adequately protect public privacy raises serious questions about its compliance with Article 8 of the Human Rights Act 1998/2010. The public has a fundamental right to expect that their personal data will be handled lawfully and securely. The ICO's shortcomings in this area represent a significant breach of this trust. currebtly the ICO is a facade wasting tax payers money. Conclusion The ICO's current performance is unacceptable and requires urgent attention.
Data Protection Consultant at Data Protection Education | ANME Associate Member
1moA reprimand is actually quite a big deal to a school. Reputation is everything; it results in reduced admissions and so reduced funding. I've worked with some schools this year that have had to close due to low numbers. Sadly they often don't consult their DPO because there are so many other 'more important' things on their agenda due to being overworked and under funded. The data protection lead role is often given to the person in school who is already the busiest. This kind of news, although technically more of a recommendation, does actually help improve data protection best practice in schools and will help me have better conversations with them next academic year. Anyone that works as a DPO with schools will understand the impact this will have on them.