As mentioned in our article, GDPR is certainly in the spotlight. In this context, when the DfE published Protection of biometric information of children in schools and colleges in March we assumed that the DfE was taking steps to address aspects of GDPR for schools in a practical way. It was surprising that this non-statutory advice did not refer to GDPR and instead relied on The Protection of Freedom Act 2012 and the Data Protection Act 1998.
The DfE advice seeks to explain the legal duties schools and colleges have if they wish to use biometric information on students for the purposes of using automated biometric recognition systems, however this can be very confusing for schools as we race toward the finish line of GDPR compliance.
So we have reviewed the document and highlighted a few things to help get you across the line.
What does the DfE define as biometric?
In defining biometric data the DfE advice states:
Biometric data means personal information about an individual’s physical or behavioural characteristics that can be used to identify that person; this can include their fingerprints, facial shape, retina and iris patterns, and hand measurements.
This definition is GDPR compliant, in plain English which is far better than deciphering jargon such as dactyloscopic data.
Biometric technology in education
Biometric technology is all around us and an increasing number of us use fingerprint recognition constantly in our daily lives – to gain entry to locations, smartphones, and tablets; or to authorise our purchases. The technology seems complex, working like magic. However, automated biometric recognition systems function using three (3) basic steps:
- Enrolment – this is where the system records information about the student by noting the physical or behavioural trait.
- Storage – the physical or behavioural trait is reduced to a code or graph and stored within a database.
- Comparison – when the student uses the automated system, the trait they present is compared to the information stored in the database.
Managing your biometric data
From a basic understanding of how the system works, it’s easy to understand how these systems result in schools having another stream of information to process and safeguard.
A hurdle we know you will soar over is consent – if you keep these points in mind:
- Generally, students aged 13 and over who understand their own data protection rights, exercise their OWN data protection rights so you will need their consent, to legally process their data.
- In the case of such students, nothing prevents you also obtaining parental consent and it doesn’t mean you have to get rid of parent consent if you have this on record.
- In the case of students 13 and over who may not fully understand their own data protection rights consent is still required from a parent or legal guardian.
- It is important to note that biometric data is special category data, so you will need an additional lawful basis to process it – so make a note to get explicit consent.
- You will need a clear, informed and affirmative expression of consent to their biometric data being processed for this purpose.
- However, you cannot rely on the denial of a service to coax consent out of a parent or student. If they decline to consent, consider providing them with an alternative such as an access card to gain access to locations or lunch services.
For more information on how we can help your organisation, please call