ICO (UK) - ICO - Chelmer Valley High School

| ICO - Chelmer Valley High School | |
|---|---|
| Authority: | ICO (UK) |
| Jurisdiction: | United Kingdom |
| Relevant Law: | Article 4(11) GDPR; Article 9(2)(a) GDPR; Article 35 GDPR; Article 35(4) GDPR; Article 36 GDPR |
| Type: | Other |
| Outcome: | n/a |
| Started: | |
| Decided: | |
| Published: | 23.07.2024 |
| Fine: | n/a |
| Parties: | Chelmer Valley High School |
| National Case Number/Name: | ICO - Chelmer Valley High School |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | English |
| Original Source: | ICO (in EN) |
| Initial Contributor: | Sainey Belle |
A controller was reprimanded for failing to conduct a data protection impact assessment (DPIA) in accordance with Article 35 UK GDPR before rolling out a facial recognition system in a school. The ICO also found that the controller had not obtained valid consent, having relied on a parental opt-out.
English Summary
Facts
In March 2023, an academy school with around 1,200 pupils aged 11 to 18 (the controller) introduced facial recognition technology to run its cashless catering system. Previously, since 2016, the cashless catering system had been operated using fingerprint recognition. The facial recognition technology was supplied by a third party acting as the controller's processor.
From March to November 2023, the controller relied on consent from parents and carers of the pupils as the legal basis for processing the biometric data, i.e. explicit consent under Article 9(2)(a) UK GDPR. Consent was assumed unless a parent or carer opted the child out.
A DPIA was only completed in November 2023. The controller's Data Protection Officer (DPO) confirmed that no DPIA had been conducted before the processing began. The DPIA concluded that the processing was high risk, which required prior consultation with the Information Commissioner's Office (ICO) under Article 36 UK GDPR. The DPO submitted the DPIA to the ICO for review on 29 January 2024.
Holding
The ICO found that the controller had failed to complete a DPIA when it was legally required to do so, infringing Article 35(1) UK GDPR, and that it had not lawfully obtained consent for its facial recognition system. The reprimand itself was confined to the Article 35(1) infringement, the ICO choosing to focus on the controller's actions before the processing began.
Article 4(11) UK GDPR provides that valid consent requires an affirmative action. The ICO therefore found that consent obtained through an opt-out procedure was neither valid nor lawful. In addition, the majority of the students would have been competent enough to give their own consent to the processing. Relying on a parental opt-out deprived the students of the ability to exercise their rights and freedoms in relation to the processing between March and November 2023. The controller had also neither sought its DPO's advice nor consulted parents or students before starting the processing; had it done so, the ICO considered that most of the compliance issues would have been identified beforehand.
Before implementing the system, the controller failed to conduct a DPIA in accordance with Article 35 UK GDPR. Under Article 35(4) UK GDPR, the ICO has published a list of processing activities that require a DPIA before processing begins. That list includes the processing of biometric data where it is combined with any of the criteria in the European guidelines on DPIAs, which in turn include processing data about vulnerable data subjects (such as children) and the use of new technological solutions. The controller's failure to conduct a DPIA before the processing meant that no prior assessment of the risks to data subjects was made and no consideration was given to lawfully managing consent.
Taking into account the remedial steps already taken (completion of a DPIA in November 2023 and a refresh of consents by obtaining explicit opt-in consent from students), the ICO issued a reprimand for the infringement of Article 35(1) UK GDPR. It also set out a number of recommendations for further action, which are not legally binding but describe steps the controller should consider to bring its processing into compliance:
- Prior to new processing or changes to the nature, scope and context or purposes of high risk processing, conduct a DPIA and implement outcomes into project plans.
- Amend the DPIA to give thorough consideration to the necessity and proportionality of the processing and to mitigate any additional risks identified, in this case bias and discrimination.
- Review and follow all ICO guidance for schools in considering whether to use facial recognition for cashless catering.
- Amend the privacy information given to students so that it provides for their information rights under the UK GDPR in an appropriate way.
- Engage more closely and in a timely manner with the DPO when considering new projects or operations that process personal data, and document the DPO's advice and any changes made to the processing as a result.
Text of the Decision
The decision below is reproduced from the English original published by the ICO.
DATA PROTECTION ACT 2018 AND UK GENERAL DATA PROTECTION REGULATION

REPRIMAND

TO: Chelmer Valley High School
OF: Court Road, Broomfield, Chelmsford, Essex, CM1 7ER

1.1 The Information Commissioner (the Commissioner) issues a reprimand to Chelmer Valley High School in accordance with Article 58(2)(b) of the UK General Data Protection Regulation (UK GDPR) in respect of certain infringements of the UK GDPR.

The reprimand

1.2 The Commissioner has decided to issue a reprimand to Chelmer Valley High School in respect of the following infringements of the UK GDPR:

- Article 35(1) of the UK GDPR, which states that a controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data, where this processing is likely to result in a high risk to the rights and freedoms of natural persons.

1.3 The reasons for the Commissioner's findings are set out below.

1.4 The controller, Chelmer Valley High School, is an academy school located in Essex providing education for around 1,200 students aged 11 to 18. This reprimand concerns the processing of biometric personal data for the purposes of managing its cashless catering system.

1.5 Chelmer Valley High School introduced facial recognition technology in March 2023. Prior to this, its cashless catering was managed through fingerprint recognition technology, which had been in place since 2016. The facial recognition technology was provided to Chelmer Valley High School by CRB Cunninghams, which acts as a processor on behalf of Chelmer Valley High School.

1.6 On 29 January 2024 Chelmer Valley High School's Data Protection Officer (DPO), 'IGS', contacted the Commissioner and provided a DPIA that had been completed in November 2023. IGS considered the processing to be high risk, and submitted the DPIA for review. IGS confirmed that no DPIA had been completed for the introduction of facial recognition technology prior to the processing commencing in March 2023.

1.7 Through further correspondence with IGS it was established that from March to November 2023 the controller had been relying on assumed consent for facial recognition, except where parents or carers had opted children out of the processing. Article 4(11) of the UK GDPR is clear that consent requires an affirmative action, and as such consent on an opt-out basis would not have been valid or lawful. Further to this, the majority of students would have been considered sufficiently competent to provide their own consent. The parental opt-out deprived students of the ability to exercise their rights and freedoms in relation to the processing between March and November 2023.

1.8 The controller also failed to seek advice from its DPO in relation to the introduction of the facial recognition technology, nor did it consult with parents or students before commencing the processing. The Commissioner believes that had Chelmer Valley High School sought advice from its DPO, many of the compliance issues would have been identified prior to the processing commencing.

1.9 Under Article 35(4), the Commissioner has published a list of processing activities that require a DPIA to be completed prior to the processing. The Commissioner's published list states that the processing of biometric data requires a DPIA where this is combined with any of the criteria from the European guidelines (Article 29 Working Party, Guidelines on Data Protection Impact Assessment (DPIA), wp248rev.01). These guidelines include the processing of data concerning vulnerable data subjects (such as children), and the use of new technological solutions.

2.0 Chelmer Valley High School has therefore failed to complete a DPIA where it was legally required to do so. This failing meant that no prior assessment was made of the risks to data subjects, no consideration was given to lawfully managing consent, and students at the school were then left unable to properly exercise their rights and freedoms.

2.1 Chelmer Valley High School was invited to provide representations. Chelmer Valley High School failed to provide any representations.

Remedial steps taken by Chelmer Valley High School

2.2 The Commissioner has considered and welcomes some of the remedial steps taken by Chelmer Valley High School. In particular, the completion of a DPIA in November 2023 and the refreshing of consents by obtaining explicit opt-in consent from students.

Decision to issue a reprimand

2.3 Taking into account all the circumstances of this case, including the remedial steps, the Commissioner has decided to issue a reprimand to Chelmer Valley High School in relation to the infringements of Article 35(1) of the UK GDPR set out above.

2.4 While several areas of non-compliance are apparent, the Commissioner has decided to focus on the controller's actions prior to the processing. The completion of a comprehensive DPIA before the processing commenced would have provided Chelmer Valley High School with the opportunity to assess the risks of the processing, and avoid the subsequent compliance failures.

Further Action Recommended

2.5 The Commissioner has set out below certain recommendations which may assist Chelmer Valley High School in rectifying the infringements outlined in this reprimand and ensuring Chelmer Valley High School's future compliance with the UK GDPR. Please note that these recommendations do not form part of the reprimand and are not legally binding directions. As such, any decision by Chelmer Valley High School to follow these recommendations is voluntary for Chelmer Valley High School. For the avoidance of doubt, Chelmer Valley High School is of course required to comply with its obligations under the law.

2.6 If in the future the ICO has grounds to suspect that Chelmer Valley High School is not complying with data protection law, any failure by Chelmer Valley High School to rectify the infringements set out in this reprimand (which could be done by following the Commissioner's recommendations or taking alternative appropriate steps) may be taken into account as an aggravating factor in deciding whether to take enforcement action; see page 11 of the Regulatory Action Policy (ico.org.uk) and Article 83(2)(i) of the UK GDPR.

2.7 The Commissioner recommends that Chelmer Valley High School should consider taking certain steps to improve its compliance with the UK GDPR. With particular reference to Article 35 of the UK GDPR, the following steps are recommended:

1. Prior to new processing operations, or upon changes to the nature, scope, context or purposes of processing for activities that pose a high risk to the rights and freedoms of data subjects, complete a DPIA and integrate outcomes back into the project plans. Types of processing that require a DPIA to be completed can be found in our website guidance.
2. Amend the DPIA to give thorough consideration to the necessity and proportionality of cashless catering, and to mitigating specific, additional risks such as bias and discrimination.
3. Review and follow all ICO guidance for schools considering whether to use facial recognition for cashless catering. A case study on North Ayrshire Council schools and their use of facial recognition technology can be found on our website.
4. Amend privacy information given to students so that it provides for their information rights under the UK GDPR in an appropriate way.
5. Engage more closely and in a timely fashion with their DPO when considering new projects or operations processing personal data, and document their advice and any changes to the processing that are made as a result.