☝️ Guidance on Biometric Data for MATs and Schools

Following recent updates from the Information Commissioner’s Office (ICO), valuable new guidance has been released, offering insights into the use of biometric data by organisations, including MATs and schools. The ICO also recently reprimanded a school for using facial recognition in its cashless catering system without adhering to the necessary processes and compliance practices, making this guidance particularly timely:

Chelmsford school used facial recognition illegally

Chelmer Valley High School is reprimanded by the Information Commissioner's Office.


This guidance is relevant for leaders within educational institutions, as it outlines the legal and ethical responsibilities involved, helps you navigate compliance with data protection laws, and provides best practices for implementing biometric technologies in a way that safeguards students' and staff members' personal information.

What is Biometric Data?

Biometric data is a type of personal information. Article 4(14) of the UK GDPR defines biometric data as: “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm someone’s unique identification of that natural person, such as facial images or fingerprint data.”

This means that personal information is only biometric data if it:

· relates to someone’s physical, physiological, or behavioural characteristics (e.g. the way someone types, a person’s voice, fingerprints, or face);

· has been processed using specific technologies (e.g. an audio recording of someone talking is analysed with specific software to detect qualities like tone, pitch, accents, and inflections); and

· can uniquely identify (recognise) the person it relates to.

Who Can Consent to Biometric Data

Consent for biometric data needs to be treated differently than other consents and has specific, stringent criteria.

The Data Protection Act gives pupils rights over their own data when they are considered to have adequate capacity to understand. Most pupils will reach this level of understanding at around age 13.

However, the Protection of Freedoms Act 2012, which governs the use of biometric data in schools in the UK, has different requirements. Under this Act, the consent of at least one parent is required to process the biometric data of a child under 18. If the child or any parent objects, the school cannot process the child’s biometric data.

Schools must notify each parent of a pupil or student under the age of 18 if they wish to take and subsequently use the child’s biometric data as part of an automated biometric recognition system.

As long as the child or a parent does not object, the written consent of only one parent will be required for a school or college to process the child’s biometric information. A child does not have to object in writing, but a parent’s objection must be written.

Third Party Contractors

· Third-party contractors often play a role in managing biometric data within schools and MATs, providing systems and software to capture and process this sensitive information.

· Schools must ensure that these contractors comply with data protection laws, such as the Data Protection Act 2018 and UK GDPR. Responsibilities include conducting thorough due diligence on vendors, ensuring robust data processing agreements are in place, and maintaining oversight of how biometric data is managed. Due diligence, or compliance checks, should be conducted with the assistance of your Data Protection Officer.

· Schools must also ensure that third-party contractors implement adequate security measures, such as storing data securely, preventing unauthorised access, and using DPIAs to assess and mitigate risks.

· Regular audits and reviews of third-party compliance with data protection standards are crucial to safeguarding students’ biometric data.

· It is also possible that you will have third-party contractors using a biometric system, such as catering staff employed by a third-party catering company. Ensure that they have also had full training on the system and understand the key processes regarding biometric data and consent. They should also receive regular, up-to-date data protection training. Training is particularly important when new systems or changes to biometric technology are introduced.

Guidance from the ICO

· The Information Commissioner’s Office provides guidance on the use of biometric data, emphasising the need for transparency, accountability, and compliance with legal obligations.

· Meeting the requirement for transparency will mean providing data subjects with detailed privacy notices and possibly holding information sessions with parents and students to explain how the biometric data will be collected, stored, and used.

· Key recommendations include conducting a Data Protection Impact Assessment (DPIA) to identify and mitigate risks associated with biometric data processing. Article 35 of the UK GDPR mandates DPIAs for high-risk processing activities, helping schools to manage risks to individuals’ rights and freedoms.

· Additional ICO guidance highlights the need for explicit consent, ensuring that all students and parents are fully informed and their rights are respected.

What does this mean for MATs and Schools?

The decision to implement automated biometric technology rests with MATs and schools. However, they should carefully assess the purpose of its use and the necessity and proportionality of processing, and consider the potential implications, such as operational requirements, handling of personal information, possible data breaches, and legal obligations.

It is also important for schools to reflect on the ethical considerations around the use of biometric data, including privacy concerns and the potential for future misuse of such data, even when collected in a lawful manner. Schools should consider whether biometric data is truly necessary and proportionate for the task at hand.

Here are some key actions for schools considering or already using biometric data:

1. Conduct a Data Protection Impact Assessment (DPIA):
Before implementing any biometric system, schools should carry out a DPIA to assess risks and determine whether biometric data processing is necessary and proportionate. This should be reviewed regularly to account for any changes in technology or usage.

2. Obtain Proper Consent:
Ensure written parental consent is obtained in compliance with the Protection of Freedoms Act 2012. Schools should also have a clear, documented process for managing consent withdrawals or objections from either the student or their parents.

3. Be Transparent with Parents and Students:
Provide clear, accessible information explaining how biometric data will be used, stored, and protected. Schools should offer regular opportunities for parents and students to ask questions or raise concerns.

4. Implement Robust Security Measures:
Ensure that any biometric data collected is stored securely, with encryption and access controls in place to prevent unauthorised access. Schools should also regularly review their security practices to ensure they remain adequate in light of evolving risks.

5. Choose Vendors Carefully:
When selecting a third-party contractor, schools must perform due diligence to ensure that the vendor complies with UK GDPR and has strong data protection measures in place. A contract should clearly outline data protection responsibilities and require the vendor to carry out DPIAs.

6. Regularly Audit Data Practices:
Conduct regular audits of how biometric data is processed, ensuring that all practices remain compliant with relevant legislation. This includes reviewing how data is stored, who has access to it, and how consent is managed.

7. Prepare for Data Breaches:
Develop a clear plan for managing data breaches involving biometric data, including informing affected students, parents, and the ICO if necessary. Ensure that all staff members are aware of the procedure for reporting a breach.

By incorporating these steps, schools can ensure they not only comply with legal requirements but also protect the privacy and rights of their students. For more detailed information, including lawful basis considerations and best practices, please read the full guidance provided by the ICO.

If you have any other questions about this or any other data protection topic, please contact us at DPO@schoolpro.uk.

Stay safe and healthy,

The SchoolPro TLC Team

SchoolPro TLC Ltd (2024)

SchoolPro TLC guidance does not constitute legal advice.

SchoolPro TLC is not responsible for the content of external websites.