Data Protection Compliance in Schools: Lessons Learned from the ICO's Reprimand Issued to Chelmer Valley High School

We look here at the ICO’s reprimand and what it means for schools and academy trusts.

The Information Commissioner's Office (ICO) recently reprimanded a secondary school in Chelmsford for breaches of the UK General Data Protection Regulation (UK GDPR) after introducing facial recognition technologies in its school canteen. This comes after the ICO's 2021 case study on the use of similar technologies in North Ayrshire Council Schools. The reprimand serves as a crucial reminder that schools and trusts must thoroughly consider and comply with data protection laws, especially when implementing new technologies.

In this article, we summarise the investigation and outline the key takeaways for schools and trusts.

The ICO's investigation

The ICO's investigation centred on the school's handling of biometric data through the use of facial recognition technology for its cashless catering system. Introduced in March 2023, this technology replaced the school's existing fingerprint recognition system.

Biometric data is classed as ‘special category’ personal data under the UK GDPR and, as such, subject to additional protections on its use. However, the school failed to put those protections in place.

The ICO's investigation uncovered several significant failings in the school's data protection practices.

• Firstly, the school failed to conduct a Data Protection Impact Assessment (DPIA) before implementing the facial recognition technology. A DPIA must be undertaken where the processing to be undertaken is likely to result in a high risk to individuals, but is recommended wherever a major project is being undertaken processing personal data. The ICO concluded that the school’s failure to assess the impact beforehand was a breach of Article 35(1) of the UK GDPR.

• Secondly, the school relied on ‘assumed consent’ with an opt-out option for parents. It is not possible to ‘assume’ consent under the UK GDPR. This does not meet the UK GDPR's criteria for valid consent, as the law requires consent to be explicit. Moreover, it deprived students capable of providing their own consent of the right to do so.

• The school also failed to seek advice from their Data Protection Officer (DPO) and consult with parents or students before introducing the facial recognition system. The ICO emphasised the importance of engaging the DPO early in the decision-making process to identify and mitigate potential compliance issues.

The ICO's recommendations

To address these issues, the school has since completed a DPIA and obtained explicit opt-in consent from students for the facial recognition system. However, the ICO has made several further recommendations to enhance future compliance.

The ICO encouraged the school to:

• conduct comprehensive DPIAs before starting new processing activities, particularly those involving high risk data;

• adopt proper consent practices, ensuring that consent is explicit and affirmative and obtained directly from data subjects when appropriate, as required under Article 4(11) of the UK GDPR;

• involve their DPO in the initial stages of planning new data processing activities;

• update privacy information for students to ensure that information about their data rights is accessible and understandable;

• review and follow ICO guidance for schools (a link to the ICO's guidance for schools, universities and colleges).

Lynne Currie, ICO Head of Privacy Innovation, commented that "handling people’s information correctly in a school canteen environment is as important as the handling of the food itself". It therefore follows that schools and trusts planning to introduce measures such as facial recognition technologies should carry out the necessary assessments prior to introducing such technologies, particularly where this involves children.

Lessons to be learned - undertaking a DPIA

The ICO's reprimand underscores the importance of schools and trusts adhering to data protection laws.

Schools and trusts should update their policies to ensure DPIAs are a routine step taken before embarking on projects that are significant or that may pose a high risk to personal data. Staff should also be made aware of this requirement so that it is embedded in the school and trust practices when starting out on a new project.

A DPIA will help to identify and address the issues that led to the ICO’s reprimand,  will involve the school or trust DPO and will help ensure the following are properly considered:

• the processing activities being undertaken in the project;

• the lawful basis on which the school or trust is processing personal data;

• the additional requirements for processing special category data (where relevant);

• how consents are to be obtained to a UK GDPR standard (where relevant);

• the interests of those whose personal data is being processed by the school or trust and how these are balanced against the interests of the school or trust in processing the data; and

• the risks to personal data in the project and how those risks are mitigated.

In summary

New technologies can enhance and improve school or trust operations and can often make life easier for students, parents and staff, but the ICO’s reprimand underlines that schools and trusts must properly address the data protection implications of such technologies before implementing them.

For more information, you can review the full details of the ICO's reprimand.

Schools and trusts considering the use of facial recognition for cashless catering can also review the ICO's case study on North Ayrshire Council schools and their use of facial recognition technology.

Finally, the ICO has produced a sample DPIA template which schools and trusts might find a helpful starting point when preparing their DPIA.