School fined over use of facial recognition

The Swedish Data Protection Authority (SDPA) has issued a fine of €20,000 under the General Data Protection Regulation 2016 (GDPR) against a local authority due to one of its schools trialling facial recognition technology in order to record class attendance. The system used cameras to recognise individuals’ faces. This amounts to biometric data which is given greater protection as a special category of personal data under the GDPR.

The trial was ran for three weeks and included 22 students at the school in Skellefteå. The local authority asserted to the SDPA that it had consent from the students involved to process their personal data in this way. Of course, explicit consent is a lawful condition under Article 9 GDPR to permit the processing of special category data. The SDPA did not accept that this was an appropriate lawful condition to use in processing the data. In its press release the SDPA noted that consent could not be used as the lawful condition due to the student’s dependence on the school board. This echoes the position here in the UK and elsewhere in Europe that consent cannot be truly valid if there is an imbalance between the parties relationship i.e. school and pupil or employer and employee.

The SDPA advised that the fine would have been more if the trial had gone on longer or exposed more students to this type of processing. In commenting particularly about the use of facial recognition technology for attendance monitoring at schools, the SDPA stated that, ‘surveillance of the students in their everyday environment, was an intrusion on their integrity and that presence control can be done in other ways that are less privacy violating than facial recognition.’

The GDPR has application across the EU and will continue to apply after the UK Brexits through the Data Protection Act 2018. This case has contextual importance as schools in England and Wales do use biometric data for cashless catering payments and other forms of identification processing. In the UK, the Protection of Freedoms Act 2012 covers the use of biometric data of children in schools and requires the notification and consent of parents, along with the consent of the child to participate. This legislation pre-dates the GDPR and the decision of the SDPA may well be used as a point of reference by the Information Commissioner’s Office when reviewing complaints or issuing compliance guidance.

As a minimum, schools must be able to demonstrate compliance with the Protection of Freedoms Act 2012 if seeking to process the biometric data of pupils and students until such time as the ICO has set out a position on the matter. Schools that can evidence compliance with the Protection of Freedoms Act 2012 should be in a better position to avoid GDPR fines in view of the primary legislation covering the processing of biometric data.

If seeking to use it for staff or others, this case gives pause for thought. The key questions needed to be asked are:

1. is it necessary to process biometric data to achieve the result of the processing? or
2. could the result of the processing be achieved in a less intrusive way?

The European Data Protection Board has published the SDPA’s decision on its website so it has been given wide coverage.

We have a wealth of experience in advising on data protection issues for clients and can assist you with any compliance, regulatory and training needs.