Artificial Intelligence & Machine Learning , General Data Protection Regulation (GDPR) , Geo Focus: The United Kingdom

Scottish Schools' Use of Facial Recognition Violated GDPR

North Ayrshire Schools 'Immediately Ceased' Use of Facial Recognition
Scottish Schools' Use of Facial Recognition Violated GDPR
Facial recognition is no longer needed to eat lunch in North Ayrshire secondary schools. (Image: Shutterstock)

A Scottish school district ran afoul of British privacy law governing use of facial recognition, leading the school system to cease its use and delete pupils' stored biometric data.

See Also: Using the Netskope HIPAA Mapping Guide

The U.K. Information Commissioner's Office in a Tuesday letter to the North Ayrshire Council said facial recognition in schools isn't necessarily incompatible with the U.K. General Data Protection Regulation. Where the council fell short was in obtaining parents' and pupils' consent for the system, which local authorities did not present as being a choice.

The U.K. GDPR - which is the same as the European Union's GDPR and which the British government incorporated into national law before exiting the union - requires public authorities to obtain consent for the use of facial recognition, the U.K. office wrote.

"To fulfill this, there needs to be a genuine choice for individuals."

The school system, consisting of nine secondary schools and about 3,000 students, did seek written consent from pupils and children when it rolled out in 2021 a payment system for school lunches based on facial recognition. But the consent forms didn't present facial recognition as an option, instead portraying it as being an inevitable development - despite the school also pledging to continue to make available to students a PIN-based alternative method of authenticating their identity.

An email sent from the school system stated that "facial recognition will be used for authenticating all secondary school pupils that require access to school meals and/or snacks, including those eligible for free school meals."

That language, combined with the weight of authority carried by the North Ayrshire Council, may have compelled parents and pupils to consent, the Information Commissioner's Office concluded. It "appears unlikely that consent was freely given."

Privacy rights campaigners raised concerns, garnering the west central Lowlands council international attention. An executive with the company that installed the cameras told the Financial Times that a facial recognition-based payment system significantly sped up the lunch line.

"In a secondary school, you have around about a 25-minute period to serve potentially 1,000 pupils. So we need fast throughput at the point of sale." The average transaction time was cut to five seconds per pupil, according to David Swanston, managing director of CRB Cunninghams Education Solutions.

A spokesperson for the North Ayrshire Council told Information Security Media Group it "welcomed" the ICO's conclusions and that it "immediately ceased use of the facial recognition system and thereafter deleted all biometric data." It suspended use of the system in October 2021, tweeting at the time that it was "confident the new facial recognition system is operating as planned."


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.asia, you agree to our use of cookies.