School gets an F for using facial recognition on kids in canteen
- Reference: 1721809929
- News link: https://www.theregister.co.uk/2024/07/24/essex_school_facial_recognition/
- Source link:
A statement from the Information Commissioner's Office (ICO) said Chelmer Valley High School in Chelmsford broke the law when it introduced facial recognition technology (FRT) to take cashless canteen payments from students in March 2023.
By processing biometric data to uniquely identify people, FRT can result in high data protection risks, the regulator said.
[1]
It reprimanded the school, which caters for around 1,200 pupils aged 11 to 18, for failing to carry out a Data Protection Impact Assessment (DPIA) before starting to use the FRT, as required by UK data protection law, formally [2]UK GDPR after Brexit, which sits alongside the 2018 Data Protection Act.
[3]
[4]
At the same time, the school failed to carry out an assessment of the risks to the children's information before it introduced FRT, as the law requires. The regulator also said the school had not properly obtained clear permission to process students' biometric information and the students were not given the opportunity to decide whether they wanted it used in this way.
Lynne Currie, ICO Head of Privacy Innovation, said: "Handling people's information correctly in a school canteen environment is as important as the handling of the food itself. We expect all organisations to carry out the necessary assessments when deploying a new technology to mitigate any data protection risks and ensure their compliance with data protection laws.
[5]
"We've taken action against this school to show introducing measures such as FRT should not be taken lightly, particularly when it involves children. We don't want this to deter other schools from embracing new technologies. But this must be done correctly with data protection at the forefront, championing trust, protecting children's privacy and safeguarding their rights."
The school did not get the views of its data protection officer, nor did it consult parents and students before rolling out FRT, the ICO said.
The Register has contacted the school for a response.
[6]
According to the ICO, the school did send a letter to parents in March 2023. It contained a slip for them to return if they did not want their child to participate in the FRT. In doing so, the school failed to seek "opt-in" consent, which meant the school wrongly relied on "assumed consent" at first, which is not a valid form of consent and requires explicit permission in the eyes of the law.
The ICO said it had provided Chelmer Valley High School with recommendations for the future.
[7]Clearview AI reaches 'creative' settlement with privacy suit plaintiffs: A conditional IOU
[8]Can I phone a friend? How cops circumvent face recognition bans
[9]Microsoft doesn't want cops using Azure AI for facial recognition
[10]Data watchdog tells off outsourcing giant for scanning staff biometrics despite 'power imbalance'
The case follows incidents from 2021 that attracted attention as FRT was being employed in more UK schools to allow pupils to pay for their meals.
At the time, under [11]North Ayrshire Council, a Scottish authority encompassing the Isle of Arran, nine schools were preparing to begin processing meal payments for school lunches using facial scanning technology .
Shortly afterwards, the [12]ICO asked for the plans to be put on hold until it had the chance to find out more.
Jen Persson, director at campaign group digitaldefendme, said schools have again demonstrated they have not had the training or capacity to procure technology that respects the law or children's rights.
"Facial recognition should have no place in schools," she told us today. "Children in the UK are exposed to high-risk AI, biometric, and emerging tools in ways that are unthinkable elsewhere and the education sector must get urgent resources and support to get a grip on how this kind of practice can compromise pupils' identity for life."
She said the ICO's enforcement was vital but encouraged the regulator to go further and identify the manufacturer and country of origin behind each case it intervenes in. ®
Get our [13]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZqDQuAAb60NhoTjbYU3EEAAAANQ&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://ico.org.uk/for-organisations/data-protection-and-the-eu/data-protection-and-the-eu-in-detail/the-uk-gdpr/
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZqDQuAAb60NhoTjbYU3EEAAAANQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZqDQuAAb60NhoTjbYU3EEAAAANQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZqDQuAAb60NhoTjbYU3EEAAAANQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZqDQuAAb60NhoTjbYU3EEAAAANQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[7] https://www.theregister.com/2024/06/14/clearview_ai_reaches_creative_settlement/
[8] https://www.theregister.com/2024/05/20/cops_circumvent_facial_recognition/
[9] https://www.theregister.com/2024/05/04/microsoft_cloud_facial_recog/
[10] https://www.theregister.com/2024/02/26/uk_data_protection_watchdog_halts/
[11] https://www.theregister.com/2021/10/18/give_us_your_biometric_data/
[12] https://www.theregister.com/2021/10/26/uk_schools_canteen_facial_recog/
[13] https://whitepapers.theregister.com/
Why would anything get better?
Nothing will get "better". Exposing others to (unacceptable) risks is (unfortunately) not a crime. These cases arise from short-term and egoistic thinking. Long term consequences are not considered because any potential problems are far-far-far away and especially not our problem. Any possible problems are not affecting the deciders and implementers and are therefore not a negative or red flag. (sigh)
An alternative would be to provide a well-publicised independent facility where a named person from an organisation that is contemplating a scheme such as this could phone up and run it past an advisor. Some here in education may remember an organisation I could be talking about. It wasn't perfect but was better than nothing.
And the advisor would take a deep breath and then explain why such a thing was a Very Bad Idea.
One of the orgs contacted by the Register's reporter did suggest that naming the manufacturer and supplier of the equipment would be a good idea and I think I agree.
Prison/convictions etc are not the answer to everything. But neither is reckless application of an IT system because it exists TBF.
"FRT can result in high data protection risks"
Somebody tell that to the police. They're trying to get it everywhere.
The briefest of research (google), would have shown the school failed on the most basic data protection requirements.
Additionally I would argue that consent in these circumstances can not be freely given.
"......schools have again demonstrated they have not had the training or capacity to procure technology that respects the law or children's rights."
No one went to prison. No one was fined. No one lost their job. No one has a black mark on their record that might impact their career. No penalties whatsoever except a "reprimand". Why would anything get better?
People's privacy will be compromised again and again until the leaders of organizations who ignore the law are punished in a way that sets an example to others.