In March 2023, Chelmer Valley High School introduced facial recognition technology to replace their cashless catering system. The Data Protection Officer (DPO) at the school conducted a Data Protection Impact Assessment (DPIA) in November 2023 and determined that the processing was high risk. The DPO therefore submitted the DPIA to the Information Commissioner’s Office (ICO) for consideration on 29 January 2024. The ICO conducted an investigation and issued the school with a reprimand in relation to an infringement of the below articles of the UK GDPR.
The law
Article 35(1) of the UK GDPR confirms that a controller “shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.” No DPIA was carried out by the school prior to the implementation of the technology.
The ICO has published a list of processing activities that require compliance with Article 35(1) of the UK GDPR, which includes the processing of biometric data and data concerning vulnerable data subjects (including children). The school therefore should have conducted a DPIA prior to the implementation of the new software in accordance with Article 35(1) of the UK GDPR.
It was also established that from March to November 2023 the school had been relying on assumed consent, with parents and carers needing to opt out of the processing.
Article 4(11) of the UK GDPR confirms that consent means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes…” It is not enough to assume that someone has consented simply because they have not opted out of the processing. The consent relied upon by the school between March and November 2023 was therefore insufficient.
The reprimand
The purpose of a DPIA is to assess the risks and consider the impact of the envisaged processing. The ICO issued a reprimand to the school and recommended a number of steps to be undertaken to improve its compliance with Article 35 of the UK GDPR, including:
- Carry out a DPIA in the future, when required, prior to implementing any new processing operations;
- Amend the DPIA already undertaken to give thorough consideration to the necessity and proportionality of cashless catering and to mitigating specific risks;
- Consider the recent case study conducted by the ICO in relation to the use of facial recognition technology at North Ayrshire Council schools;
- Amend the privacy information given to students so that it provides for their information rights in an appropriate way; and
- Engage more closely and in a timely fashion with the DPO.
Comment
The above highlights the importance of a DPIA. Lynne Currie, the Head of Privacy Innovation at the ICO, commented as follows:
“A DPIA is required by law – it’s not a tick-box exercise. It’s a vital tool that protects the rights of users, provides accountability and encourages organisations to think about data protection at the start of a project.”
How can we help?
Ruby Ashby is a Senior Associate in our expert Dispute Resolution team, specialising in data breach claims, inheritance and Trust disputes and defamation claims.
If you need any advice, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.