Organisations must have a data protection impact assessment (DPIA) in place to use FRT legally. The process identifies and manages the risks that arise from processing sensitive data, such as the student’s biometric information.
The Information Commissioner’s Office (ICO) has found that Chelmer Valley High School in Chelmsford broke the law after it failed to complete the assessment, before rolling out the FRT in its canteen in March 2023.
According to the regulator, the school had not properly obtained clear permission to process sensitive data and students weren’t given the opportunity to decide whether they wanted it used in this way.
The ICO head of privacy innovation, Lynne Currie said that action against the school shows that the use of FRT should not be taken lightly, particularly when it involves children.
Consent
The Chelmer Valley High School has around 1,200 pupils aged 11-18. In March last year it sent letters to parents, asking them to confirm their child’s participation in the FRT.The ICO said that “affirmative ‘opt-in’ consent wasn’t sought at this time” and the school wrongly relied on assumed consent until November 2023.
Under the Data Protection Act 2018, failure to opt out is not consent as it does not involve a clear affirmative act.
“A DPIA is required by law—it’s not a tick-box exercise. It’s a vital tool that protects the rights of users, provides accountability and encourages organisations to think about data protection at the start of a project,” said Ms. Currie.
Failure to carry out a DPIA can lead to enforcement action and fines up to £8.7 million.
Before the school implemented the FRT, it failed to consult with its data protection officer, parents and students.
The regulator also noted that some of the students were old enough to provide their own consent and were deprived of this when parents were offered an opt-out.
The Chelmer Valley High School has accepted the ICO’s recommendations. A spokesperson said that the school took action last year to ensure proper consent is gained when students use the cashless canteen.
“This includes having the choice to opt in or out as desired,” the spokesperson added.
The ICO said that it doesn’t want to deter other schools from embracing new technologies, but added that the process must be carried out correctly.
Concerns about FRT use in NAC schools emerged in October 2021. The ICO found that it was unlikely that the council had met the requirements for valid consent.
The reprimand comes after the ICO told NAC last year that its use of FRT to take canteen payments in nine schools was “likely” to have infringed data protection law.
The local authority was told to explain in age-appropriate language how children’s data will be collected, used, stored and retained.
The company that installed the systems at NAC schools, CRB Cunninghams, said that FRT could reduce the time of transaction in school canteens to five seconds per pupil.