Chelmer Valley High School used facial recognition tech on pupils illegally in canteen

School canteen. Chelmer Valley High School has introduced facial recognition technology without getting the right permissions from pupils and families.
Credit: PA images
In March last year, the school began using the technology to take cashless canteen payments. Credit: PA

A school has been rapped by the data protection regulator for illegally using facial recognition technology to take cashless canteen payments from pupils.

The Information Commissioner’s Office (ICO) said Chelmer Valley High School, in Chelmsford, Essex, broke the law when it “failed” to complete a data protection impact assessment (DPIA) before starting to use the technology.

The secondary school, which has around 1,200 pupils aged 11-18, had not properly obtained clear permission to process the children’s biometric data and students were unable to “exercise their rights and freedoms”.

In March last year, the school began using the technology to take cashless canteen payments, before an assessment was made of the risks to the children’s information.

The data watchdog also found that Chelmer Valley High School failed to seek opinions from its data protection officer, or consult with parents and students, before implementing the technology.

Lynne Currie, head of privacy innovation at the ICO, said: “Handling people’s information correctly in a school canteen environment is as important as the handling of the food itself.

“We expect all organisations to carry out the necessary assessments when deploying a new technology to mitigate any data protection risks and ensure their compliance with data protection laws.

“We’ve taken action against this school to show introducing measures such as FRT [facial recognition technology] should not be taken lightly, particularly when it involves children.

“We don’t want this to deter other schools from embracing new technologies. But this must be done correctly with data protection at the forefront, championing trust, protecting children’s privacy and safeguarding their rights.”

The reprimand comes after the ICO told North Ayrshire Council last year that its use of FRT to take canteen payments in nine schools was “likely” to have infringed data protection law.

Concerns were raised when FRT was introduced in North Ayrshire schools in 2021 as part of a replacement of its existing cashless catering system.

In March last year, a letter was sent to parents at Chelmer Valley with a slip for them to return if they did not want their child to participate in FRT, the ICO said.

Until November last year, the ICO warned that the school had been wrongly relying on “assumed consent” for facial recognition – except where parents or carers had opted children out of the system.

The data protection regulator also noted that most students would have been old enough to provide their own consent, so the parental opt-out deprived students of the ability to exercise their rights.

The reprimand said: “Chelmer Valley High School has therefore failed to complete a DPIA where they were legally required to do so.

“This failing meant that no prior assessment was made of the risks to data subjects, no consideration was given to lawfully managing consent, and students at the school were then left unable to properly exercise their rights and freedoms.”

The school provided a DPIA to the data watchdog in January this year, and it began obtaining explicit opt-in consent from students in November last year.

Ms Currie added: “A DPIA is required by law – it’s not a tick-box exercise.

“It’s a vital tool that protects the rights of users, provides accountability and encourages organisations to think about data protection at the start of a project.”

Chelmer Valley High School has been approached for comment.


Want a quick and expert briefing on the biggest news stories? Listen to our latest podcasts to find out What You Need To Know