The Department for Education (DfE) has issued updated advice for schools on the use of pupils’ biometric information. This advice replaces “Protection of biometric information of children in schools”, which was issued in December 2012. It is a useful reminder of the additional duties placed on all schools processing biometric information to recognise or identify a pupil, e.g. by the use of fingerprint, retina/iris and palm recognition technology.
The updated DfE guidance can be found here.
What is new?
The updated guidance no longer includes FAQs and extends its reach to cover further education institutions. A new paragraph confirms that the GDPR will have an impact on how pupils’ biometric data should be processed.
All other content in the guidance remains the same. The useful sample ‘Notification and Consent’ form for the use of pupils’ biometric information can still be found at the end of the guidance.
What has not changed?
The duties on schools when processing biometric data for identification purposes have not changed. The guidance makes it clear that each parent of a child must be notified of the school’s intention to use the child’s biometric data as part of an automated recognition system. A child is considered to be anyone under the age of 18 and, as long as neither the child nor a parent objects, the written consent of one parent is required before a school can collect the child’s biometric information. The sample template in the guidance can be used to do this.
If a school does not notify or obtain a parent’s consent, it does not necessarily mean that a school cannot process a child’s biometric information; a school may still be able to process this information by contacting and receiving the consent of one parent. This applies where the other parent:
- cannot be found
- lacks the mental capacity to consent (or object)
- should not be contacted to ensure the welfare of the child
or where it is not otherwise reasonably practical.
If neither of the parents can be notified, again, this does not necessarily stop a school processing the child’s biometric information. Instead, a local authority or voluntary organisation can be notified and give their consent for a child being ‘looked after’ by a local authority or accommodated or maintained by a voluntary organisation.
Where this does not apply, as the pupil is not ‘looked after’, a school can contact all those caring for the child and consent from one carer is enough to allow a school to process the child’s biometric information. However, if another carer or the child objects, a school cannot process this data even if one or more carers have given their consent.
A complete admissions register is crucial to a school being able to contact both parents, but the DfE recognises that schools’ admission registers will not always include details of both parents. Thankfully, the guidance remains clear that schools are not expected to engage the services of detective agencies or ‘people tracers’. A school that carries out reasonable checks with the parent that is listed on the register and other authorities, organisations and agencies involved with the child and its family, will suffice. The guidance continues to suggest a possible option to schools to notify parents of their intention to take and use their child’s biometric information and seek their consent as part of the enrolment process.
Finally, a school must provide reasonable alternative means of accessing services for those pupils who will not be using the automated biometric recognition system. This will cover situations where a pupil or parent has objected to participate or no parent (or, where applicable, local authority or voluntary organisation) has given their written consent. These pupils should not suffer any disadvantage or difficulty in accessing the same services because they are not participating in the automated biometric recognition system. In the same vein, parents of children not participating should not experience additional burden.
How will GDPR affect the use of pupils’ biometric information?
The updated guidance includes a new paragraph, at page nine, which confirms that new data protection legislation will have an impact on how pupils’ biometric data should be processed. What this impact will be is not clarified in the guidance. Instead, the DfE ‘strongly’ recommends that schools seek independent legal advice to ensure they are compliant with changes to data protection law.
The Data Protection Bill and GDPR, both of which came into force on 25 May, do not appear to affect the additional duties on schools regarding notifying parents and obtaining consent detailed in the guidance (and above).
What is impacted, however, are the general data protection duties that schools will be subject to when processing this kind of sensitive information. Under GDPR, for the first time, biometric data is considered a type of ‘special category data’ that needs more protection. To lawfully process this special category data, schools will need a lawful basis to process it. There are ten conditions for processing special category data and it is likely that schools will want to rely on consent, but this will need to be considered carefully to ensure that this is obtained, processed and stored in a GDPR-compliant manner.
The GDPR also requires a data protection impact assessment (DPIA) to be carried out before you begin any type of processing which is ‘likely to result in a high risk’ to individuals. The ICO has published a draft list of types of processing it considers likely to be high risk and so require a DPIA. This list includes processing of biometric data.