ICO has issued a reprimand to a school for breaching data protection rules

 

The Information Commissioner's Office (ICO) has issued a reprimand to a school in Essex for breaching data protection laws.

The breach

The school did not complete a Data Protection Impact Assessment (DPIA) before it introduced new facial recognition technology for cashless canteen payments, which meant that there was no prior examination of the risks to the children's information.

The school had also not properly obtained consent to process the students’ biometric information. Furthermore, the students were not given the opportunity to decide whether they did or didn’t want it used in this way.

The advice

Lynne Currie, ICO Head of Privacy Innovation, said:

“We expect all organisations to carry out the necessary assessments when deploying a new technology to mitigate any data protection risks and ensure their compliance with data protection laws.”

Source: Essex school reprimanded after using facial recognition technology for canteen payments | ICO

Do you need to complete a DPIA?

From an employer’s perspective, the most likely scenarios giving rise to a need to complete a DPIA include where an employer plans to introduce the use of:

  • Profiling, i.e. automated processing of data to analyse or to make predictions about individuals;
  • Processing special category data to decide on things such as introducing a drug and alcohol testing policy within the workplace;
  • Biometric data, for instance fingerprint or retinal scanners, to access the workplace;
  • Tracking devices to record individuals’ location or behaviour, such as tachographs within company vehicles or CCTV monitors in a warehouse;
  • Electronic surveillance of employee activity whilst at work (such as monitoring internet and email usage).