Biometric Data Policy

This policy is presented in HTML to support accessibility needs and to work across multiple platforms. A full PDF copy is also available below.

Contents

1.    Introduction

  • Schools and colleges that use students’ biometric data (see 1 below) must treat the data collected with appropriate care and must comply with the data protection principles as set out in the General Data Protection Regulation 2016 (GDPR) and the Data Protection Act 2018 (DPA).

 

  • Where the data is to be used as part of an automated biometric recognition system (see 2 below), schools and colleges must also comply with the additional requirements in sections 26 to 28 of the Protection of Freedoms Act 2012.

 

  • Kingsmead School must ensure that each parent/carer of a child is notified of Kingsmead School’s intention to use the child’s biometric data (see 1 below) as part of an automated biometric recognition system.

 

  • The written consent of at least one parent/carer must be obtained before the data is taken from the child and used (i.e. ‘processed’ – see 3 below). This applies to all students in schools and colleges under the age of 18. In no circumstances can a child’s biometric data be processed without written consent.

 

  • Kingsmead School must not process the biometric data of a student (under 18 years of age) where:
  1. The child (whether verbally or non-verbally) objects or refuses to participate in the processing of their biometric data;
  2. No parent/carer has consented in writing to the processing; or
  3. A parent/carer has objected in writing to such processing, even if another parent/carer has given written consent.

 

  • Kingsmead School must provide reasonable alternative means of accessing services for those students who will not be using an automated biometric recognition system.

 

2.    What is biometric data?

  • Biometric data means personal information about an individual’s physical or behavioural characteristics that can be used to identify that person; this can include their fingerprints, facial shape, retina and iris patterns, and hand measurements.

 

  • Biometric data is classified as Special Category data under the GDPR and DPA. A lawful basis for processing under Article 9 of GDPR must be identified by the school. For the purposes of this document, the lawful basis is Article 9(2)(a) Consent.

 

  • Biometric data must be obtained, used and stored in accordance with the GDPR and DPA.

 

  • In line with GDPR requirements, a Privacy Impact Assessment must be carried out before the biometric data system is implemented, assessing any risks to data subjects and the measures the school will take to minimise the risks.

 

  • The Protection of Freedoms Act 2012 includes provisions which relate to the use of biometric data in schools and colleges when used as part of an automated biometric recognition system. These provisions are in addition to the requirements of the Data Protection Acts 1998 and 2018.

 

 

3.    What is an automated biometric recognition system?

  • An automated biometric recognition system uses technology which measures an individual’s physical or behavioural characteristics by using equipment that operates ‘automatically’ (i.e. electronically). Information from the individual is automatically compared with biometric information stored in the system to see if there is a match in order to recognise or identify the individual.

 

  • Biometric recognition systems can use many kinds of physical or behavioural characteristics such as those listed in 1) above.

 

4.    What does data processing mean?

  • ‘Processing’ of biometric information includes obtaining, recording or holding the data or carrying out any operation or set of operations on the data including (but not limited to) disclosing it, deleting it, organising it or altering it. An automated biometric recognition system processes data when:
  1. Recording students’ biometric data, for example, taking measurements from a fingerprint via a fingerprint scanner;
  2. Storing students’ biometric information on a database system; or
  3. Using that data as part of an electronic process, for example, by comparing it with biometric information stored on a database in order to identify or recognise students.

 

5.    Biometric data use at Kingsmead School

  • The school uses and stores fingerprints for the use of a cashless catering system within the canteen.

 

  • The school stores the biometric data on a secure on-premises server with limited access.

 

  • A letter is sent to all parents/carers to seek permission to use the biometric data. A copy of this letter can be requested by emailing finance@kingsmead-school.com.

 

 

6.    Frequently asked questions

  • What information should schools provide to parents/pupils to help them decide whether to object or for parents to give their consent?

Any objection or consent by a parent must be an informed decision – as should any objection on the part of a child. Kingsmead School will take steps to ensure parent/carers receive full information about the processing of their child’s biometric data including a description of the kind of system they plan to use, the nature of the data they process, the purpose of the processing and how the data will be obtained and used. Children should be provided with information in a manner that is appropriate to their age and understanding.

 

  • What if one parent/carer disagrees with the other?

Schools will be required to notify each parent/carer of a child whose biometric information they wish to collect/use. If one parent/carer objects in writing, then the school will not be permitted to take or use that child’s biometric data.

 

  • How will the child’s right to object work in practice – must they do so in writing?

A child is not required to object in writing. An older child may be more able to say that they object to the processing of their biometric data. A younger child may show reluctance to take part in the physical process of giving the data in other ways. In either case the school or college will not be permitted to collect or process the data.

 

  • Are schools required to ask/tell parent/carers before introducing an automated biometric recognition system?

Schools are not required by law to consult parent/carers before installing an automated biometric recognition system. However, they are required to notify parent/carers and secure consent from at least one parent/carer before biometric data is obtained or used for the purposes of such a system. It is up to schools to consider whether it is appropriate to consult parents/carers and students in advance of introducing such a system.

 

  • Do schools need to renew consent every year?

No. The original written consent is valid until such time as it is withdrawn. However, it can be overridden at any time if another parent/carer or the child objects to the processing (subject to the parent/carer’s objection being in writing). When the student leaves the school, their biometric data should be securely removed from the school’s biometric recognition system.

 

  • Do schools need to notify and obtain consent when the school introduces an additional, different type of automated biometric recognition system?

Yes, consent must be informed consent. If, for example, a school has obtained consent for a fingerprint/fingertip system for catering services and then later introduces a system for accessing library services using iris or retina scanning, then schools will have to meet the notification and consent requirements for the new system.

 

  • Can consent be withdrawn by a parent/carer?

Parent/carers will be able to withdraw their consent, in writing, at any time. In addition, either parent/carer will be able to object to the processing at any time, but they must do so in writing.

 

  • When and how can a child object?

A child can object to the processing of their biometric data or refuse to take part at any stage – i.e. before the processing takes place or at any point after his or her biometric data has been obtained and is being used as part of a biometric recognition system. If a pupil objects, the school or college must not start to process his or her biometric data or, if they are already doing this, must stop. The child does not have to object in writing.

 

 

  • Will consent given on entry to primary or secondary school be valid until the child leaves that school?

Yes. Consent will be valid until the child leaves the school – subject to any subsequent objection to the processing of the biometric data by the child or a written objection from a parent/carer. If any such objection is made, the biometric data should not be processed and the school or college must, in accordance with the Data Protection Act, remove it from the school’s system by secure deletion.

 

  • Can the school notify parent/carers and accept consent via email?

Yes – as long as the school is satisfied that the email contact details are accurate and the consent received is genuine.

 

  • Will parent/carers be asked for retrospective consent?

No. Any processing that took place prior to the provisions in the Protection of Freedoms Act coming into force is not affected. After 1 September 2013 (when the new duties in the Act took effect), any school or college wishing to continue to process biometric data from that date must have already sent the necessary notifications to each parent of a child and obtained the written consent from at least one of them before continuing to use their child’s biometric data.

 

  • Does the legislation cover other technologies such as palm and iris scanning?

Yes. The legislation covers all systems that record or use physical or behavioural characteristics for the purpose of identification. This includes systems which use palm, iris or face recognition, as well as fingerprints.

 

  • Is parental/carer notification and consent required under the Protection of Freedoms Act 2012 for the use of photographs and CCTV in schools?

No – not unless the use of photographs and CCTV is for the purposes of an automated biometric recognition system. However, schools must continue to comply with the requirements in the Data Protection Act 2018 when using CCTV for general security purposes or when using photographs of pupils as part of a manual ID system or an automated system that uses barcodes to provide services to pupils. Depending on the activity concerned, consent may be required under the DPA before personal data is processed. The Government believes that the DPA requirements are sufficient to regulate the use of CCTV and photographs for purposes other than automated biometric recognition systems.

 

Photo ID card systems where a student’s photo is scanned automatically to provide him or her with services would come within the obligations on schools and colleges under sections 26 to 28 of the Protection of Freedoms Act 2012, as such systems fall within the definition in that Act of automated biometric recognition systems.

 

  • Is parental notification or consent required if a pupil uses or accesses standard commercial sites or software which use face recognition technology?

The provisions in the Protection of Freedoms Act 2012 only cover processing by or on behalf of a school. If a school wishes to use such software for school work or any school business, then the requirement to notify parents and to obtain written consent will apply. However, if a student is using this software for their own personal purposes then the provisions do not apply, even if the software is accessed using school equipment.

 

 

7.    Associated Resources

  • DfE guidelines for Protection of Biometric Information of Children in Schools

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/692116/Protection_of_Biometric_Information.pdf

 

  • DfE guidelines for schools on communicating with parents and obtaining consent:

https://www.gov.uk/government/publications/dealing-with-issues-relating-to-parental-responsibility

 

  • British Standards Institute guide to biometrics:

http://shop.bsigroup.com/en/Browse-by-Subject/Biometrics/?t=r

 

 

 

8.    Equality Impact Assessment

  • We have a duty to consider the impact of changes on groups with Protected Characteristics (race, disability, age, sex, sexual orientation, religion or belief, gender reassignment, pregnancy and maternity, marriage and civil partnership). An EIA needs to consider:
  1. Would the change impact differentially on pupils/staff with protected characteristics? Positively or negatively?
  2. How do I know that?
  3. What could I do to mitigate any differential or negative impact?
  4. Is this still the right thing to do?

 

  • What are the overall aims of the change? Why is the school proposing it?
  • The aim of this policy is to provide a framework with the procedures and guidelines in place to ensure that all stakeholders are fully supported and that no individual is at risk of harm.

 

  • Given the aims of the proposal, what issues does the data/information highlight?
  • We believe that it is in line with the Equality Act 2010 as it is fair, it does not prioritise or disadvantage any pupil and it helps to promote equality at this school. For example, the use of fingerprint technology for cashless catering means that children who may be at risk of economic disparity due to their race (as highlighted in the Race Disparity Audit) are not identified by peers as in receipt of Free School Meals. Children whose gender may not be the same as their sex recorded at birth will be able to have a school meals system that reflects their gender reassignment or preferred name.

 

  • How could the proposed change impact positively/negatively on groups with protected characteristics?
  • This has a positive impact on all groups with protected characteristics as they are ensured equal treatment and provision based on their needs. Risk assessments may be carried out to ensure that this is the case and provisions may be altered to accommodate specific needs. Reasonable alternative systems are in place where individuals do not wish their biometric data to be processed.

 

  • What actions will we take to mitigate any negative impact?

We believe that there is no negative impact to having this policy.

 

  • Is any potential negative impact justified in the light of the wider benefits of the proposal?

We believe that there is no negative impact to having this policy.

 

  • Recording of final decision

This policy will go to governors for approval.
