Artificial Intelligence & Machine Learning , General Data Protection Regulation (GDPR) , Geo Focus: The United Kingdom
Scottish Schools' Use of Facial Recognition Violated GDPR
North Ayrshire Schools 'Immediately Ceased' Use of Facial RecognitionA Scottish school district ran afoul of British privacy law governing use of facial recognition, leading the school system to cease its use and delete pupils' stored biometric data.
See Also: Using the Netskope HIPAA Mapping Guide
The U.K. Information Commissioner's Office in a Tuesday letter to the North Ayrshire Council said facial recognition in schools isn't necessarily incompatible with the U.K. General Data Protection Regulation. Where the council fell short was in obtaining parents' and pupils' consent for the system, which local authorities did not present as being a choice.
The U.K. GDPR - which is the same as the European Union's GDPR and which the British government incorporated into national law before exiting the union - requires public authorities to obtain consent for the use of facial recognition, the U.K. office wrote.
"To fulfill this, there needs to be a genuine choice for individuals."
The school system, consisting of nine secondary schools and about 3,000 students, did seek written consent from pupils and children when it rolled out in 2021 a payment system for school lunches based on facial recognition. But the consent forms didn't present facial recognition as an option, instead portraying it as being an inevitable development - despite the school also pledging to continue to make available to students a PIN-based alternative method of authenticating their identity.
An email sent from the school system stated that "facial recognition will be used for authenticating all secondary school pupils that require access to school meals and/or snacks, including those eligible for free school meals."
That language, combined with the weight of authority carried by the North Ayrshire Council, may have compelled parents and pupils to consent, the Information Commissioner's Office concluded. It "appears unlikely that consent was freely given."
Privacy rights campaigners raised concerns, garnering the west central Lowlands council international attention. An executive with the company that installed the cameras told the Financial Times that a facial recognition-based payment system significantly sped up the lunch line.
"In a secondary school, you have around about a 25-minute period to serve potentially 1,000 pupils. So we need fast throughput at the point of sale." The average transaction time was cut to five seconds per pupil, according to David Swanston, managing director of CRB Cunninghams Education Solutions.
A spokesperson for the North Ayrshire Council told Information Security Media Group it "welcomed" the ICO's conclusions and that it "immediately ceased use of the facial recognition system and thereafter deleted all biometric data." It suspended use of the system in October 2021, tweeting at the time that it was "confident the new facial recognition system is operating as planned."