Monday, July 06, 2020

Biometric fingerprint readers ditched for hygiene reasons... to be replaced by contactless biometric systems?

On Twitter schools have been spotted ditching biometric fingerprint readers for contactless cards due to hygiene reasons, which completely makes sense as this was one of the issues raised initially over 15 years ago when fingerprint scanners started appearing in schools.  

Though some biometric suppliers have been keen to stress that sterilising fingers before using biometric scanners is good to keep children 'safe'.

So as good as it is to see fingerprint scanners be replaced by less personally intrusive methods it does open the way for a contactless biometric system, i.e. facial recognition, to replace the touch fingerprint pad.

Which seems to be, somewhat, what has happened here at a UTC school in Leeds, UK, where Years 10 (14/15 year old) and Year 12 (17/18 years old) students have started school after having been shut since mid March 2020.  

A combined facial recognition and thermal imaging system has been installed to check student's temperature to identify each student whose temperature is taken.  However it has to be said they have ditched their fingerprint scanners for contactless cards, which was used for building entry, class registration and lunch payment.  The newly installed facial recognition has not directly replaced, on first glances, the fingerprint system but it is still registering the students with their biometric data.

We have also installed a high spec thermal camera in the reception area. This camera uses facial recognition technology to enable unobtrusive thermal imaging and temperature measurements of students and staff. An alert is issued to the Principal if someone’s temperature is above a certain level.

Every school in England and Wales that wishes to process an under 18 year old's biometric data, including facial recognition, needs explicit written parental consent to do so and it is uncertain whether this particular UTC has done that.  When questioned specifically on whether they had gained parental consent, as per the Protection of Freedoms Act 2012, the UTC replied:

Albeit it this is a reply on Twitter (which now looks to be unavailable) but it is not glaringly obvious that the school is operating this biometric system in line with UK legislation specifically aimed at schools processing children's biometric data - The Protection of Freedoms Act 2012.  

The use of facial recognition in UK schools is also questionable under GDPR, the EU General Data Protection Regulations 2018.  Schools in France have been advised not to use facial recognition and a school in Sweden was fined for using the technology.  GDPR does not change at country borders or whether we are Brexiting so the use of facial recognition technology is certainly questionable in this UK school.

There are good reasons legislations are specifically put in place to protect children biometric data being unnecessarily processed and they should be adhered to.  

Monday, March 09, 2020

Fine for processing students’ fingerprints imposed on a school

A statement, issuing a fine, to a school from Poland’s Personal Data Protection Office (UODO), the equivalent to our Information Commissioner's Office (ICO), found the school to be in breach of the General Data Protection Regulations (GDPR) for using children's fingerprint data to allow access to their canteen.  The ruling stated that:

"The school processed special categories of data (biometric data) of 680 children without a legal basis, whereas in fact it could use other forms of students identification."

" is important to stress that the processing of biometric data is not essential for achieving the goal of identifying a child’s entitlement to receive lunch. The school may carry out the identification by other means that do not interfere so much in the child’s privacy. Moreover, the school makes it possible to use the services of the school canteen not only by means of fingerprints verification, but also electronic cards, or by giving the name and contract number. Thus, in the school, there are alternative forms of identification of the child’s entitlement to receive lunch."
Here in the UK biometric fingerprint readers have been used in schools since 1999.  Up to 2012 schools were using children's fingerprints quite often without informing parents or asking their permission, as a consequence after some pressure upon the UK Government to address this, legislation was passed in 2012 requiring schools to obtain parental permission to process their child's biometric data and offer an alternative means to the biometric system. 

However, a survey done by children's data privicacy group defenddigitalme found that even after the 2012 legislation parents were still unaware of options not to use the fingerprint system.

Children's biometric data needs to be secure for the child's lifetime - decades.  It does seem excessive to use biometric data for daily mundane tasks in school, when another form of ID is perfectly acceptable - we have expressed that view since 2005.

This point was also expressed in the UODO report according to Venturebeat:

'The final decision cited numerous facets of GDPR, including recital 38, which refers to specific provisions made for data protection of children, "it should be emphasised that children require special protection of personal data, as they may be less aware of the risks, consequences, safeguards, and rights they have in connection with the processing of personal data" the report found.'

If the Polish Data Protection Office have ruled this use of children's fingerprint biometrics as a violation of GDPR then presumably the same would apply to any school using such systems in the UK.

This is absolutely a GDPR issue we will be following up here in the UK.

The English text of the UODO decision is here and the Polish version here.