A school has been rapped by the information watchdog after it illegally used facial recognition on its pupils, prompting a call for leaders to safeguard children’s rights when implementing new technology. The Information Commissioner鈥檚 Office has to Chelmer Valley High School in Essex following 鈥渋nfringements鈥 of the UK鈥檚 general data protection regulations (GDPR) relating to the processing of biometric data. The school failed to assess the impact of technology introduced to manage its cashless catering system before it was introduced, and did not get explicit consent from its pupils, the ICO ruled. Lynne Currie, ICO head of privacy innovation, said: 鈥淗andling people鈥檚 information correctly in a school canteen environment is as important as the handling of the food itself. 鈥淲e expect all organisations to carry out the necessary assessments when deploying a new technology to mitigate any data protection risks and ensure their compliance with data protection laws.鈥 She said introducing measures such as facial recognition technology 鈥渟hould not be taken lightly, particularly when it involves children鈥. 鈥淲e don鈥檛 want this to deter other schools from embracing new technologies. But this must be done correctly with data protection at the forefront, championing trust, protecting children鈥檚 privacy and safeguarding their rights.鈥 ‘Facial recognition has no place in schools’ But Jen Persson, director of data rights campaign organisation Defend Digital Me, said facial recognition 鈥渉as no place in schools鈥. 鈥淚t鈥檚 high-tech with associated risks for life, and it鈥檚 not right to be using it to buy a lunch.鈥 Jen Persson When introducing new ways of processing personal data that are deemed a 鈥渉igh risk鈥 to rights and freedoms, GDPR聽rules state that data controllers, in this case the school, have to assess the impact it will have on the protection of personal data. They also have to get consent from those whose data is being used. The 1,200-pupil academy in Chelmsford introduced facial recognition technology in March 2023. It replaced fingerprint recognition technology used since 2016 to manage catering payments. The facial recognition technology was provided by a firm called CRB Cunninghams. The school鈥檚 data protection officer contacted the ICO in January this year and provided a data protection impact assessment completed last November. They 鈥渃onsidered the processing to be high risk, and submitted the DPIA for review鈥. But they also confirmed 鈥渢hat no DPIA had been completed for the introduction of facial recognition technology prior to the processing commencing in March 2023鈥. School had relied on assumed consent Through further correspondence, the ICO 鈥渆stablished that from March to November 2023 the controller had been relying on assumed consent for facial recognition, except where parents or carers had opted children out of the processing鈥. GDPR rules are 鈥渃lear that consent requires an affirmative action, and as such consent on an opt-out basis would not have been valid or lawful鈥. 鈥淔urther to this, the majority of students would have been considered sufficiently competent to provide their own consent. The parental opt-out deprived students of the ability to exercise their rights and freedoms in relation to the processing between March and November 2023.鈥 The school also 鈥渇ailed to seek advice from their DPO in relation to the introduction of the facial recognition technology, nor did they consult with parents or students before commencing with the processing鈥. The ICO 鈥渂elieves that had Chelmer Valley High School sought advice from their DPO, many of the compliance issues would have been identified prior to the processing commencing鈥. 鈥淐helmer Valley High School has therefore failed to complete a DPIA where they were legally required to do so. 鈥淭his failing meant that no prior assessment was made of the risks to data subjects, no consideration was given to lawfully managing consent, and students at the school were then left unable to properly exercise their rights and freedoms.鈥 ‘Engage more closely’ on data protection The school has since 鈥渞efreshed鈥 consents by obtaining 鈥渆xplicit opt-in consent from students鈥. The ICO made a series of recommendations, but the school is not under a legal obligation to follow them. They told the school to amend its impact assessment to 鈥済ive thorough consideration to the necessity and proportionality of cashless catering, and to mitigating specific, additional risks such as bias and discrimination鈥. The school should also 鈥渞eview and follow all ICO guidance for schools considering whether to use facial recognition for cashless catering鈥. And it should 鈥渆ngage more closely and in a timely fashion with their data protection officer when considering new projects or operations processing personal data, and document their advice and any changes to the processing that are made as a result鈥. Schools lack training and capacity The use or proposed use of facial recognition technology in schools has prompted widespread criticism in the past. In 2021, Schools Week reported how at least two schools in England were reversing their plans to install facial recognition systems in their canteens after a Scottish council faced widespread criticism for its use of the technology. North Ayrshire Council subsequently put its use of the software on hold. Persson added that policymakers 鈥渘eed to stop passing the buck here鈥. 鈥淪chools do not have the training or capacity to procure technology in ways that respects the law or children鈥檚 rights. 鈥淲e need a national office for oversight, quality controls on procurement access to children via the public sector, and to get a grip on what this costs the state now and for our future society.鈥 The school was approached for comment.