A statement, issuing a fine, to a school from Poland’s Personal Data Protection Office (UODO), the equivalent to our Information Commissioner's Office (ICO), found the school to be in breach of the General Data Protection Regulations (GDPR) for using children's fingerprint data to allow access to their canteen. The ruling stated that:
"The school processed special categories of data (biometric data) of 680 children without a legal basis, whereas in fact it could use other forms of students identification."
"...it is important to stress that the processing of biometric data is not essential for achieving the goal of identifying a child’s entitlement to receive lunch. The school may carry out the identification by other means that do not interfere so much in the child’s privacy. Moreover, the school makes it possible to use the services of the school canteen not only by means of fingerprints verification, but also electronic cards, or by giving the name and contract number. Thus, in the school, there are alternative forms of identification of the child’s entitlement to receive lunch."Here in the UK biometric fingerprint readers have been used in schools since 1999. Up to 2012 schools were using children's fingerprints quite often without informing parents or asking their permission, as a consequence after some pressure upon the UK Government to address this, legislation was passed in 2012 requiring schools to obtain parental permission to process their child's biometric data and offer an alternative means to the biometric system.
However, a survey done by children's data privicacy group defenddigitalme found that even after the 2012 legislation parents were still unaware of options not to use the fingerprint system.
Children's biometric data needs to be secure for the child's lifetime - decades. It does seem excessive to use biometric data for daily mundane tasks in school, when another form of ID is perfectly acceptable - we have expressed that view since 2005.
This point was also expressed in the UODO report according to Venturebeat:
'The final decision cited numerous facets of GDPR, including recital 38, which refers to specific provisions made for data protection of children, "it should be emphasised that children require special protection of personal data, as they may be less aware of the risks, consequences, safeguards, and rights they have in connection with the processing of personal data" the report found.'
If the Polish Data Protection Office have ruled this use of children's fingerprint biometrics as a violation of GDPR then presumably the same would apply to any school using such systems in the UK.
This is absolutely a GDPR issue we will be following up here in the UK.
The English text of the UODO decision is here and the Polish version here.