Chelmsford school used facial recognition illegally

A school broke the law when it used facial recognition technology to take cashless payments from students, a report found.

Chelmer Valley High School, in Chelmsford, first started using the technology in its canteen in March 2023.

However, it failed to carry out any prior assessment of the risks to the children’s information, and infringed data protection law, the Information Commissioner’s Office (ICO) said.

The Essex-based secondary school, which was reprimanded by the ICO, has been contacted for comment.

The report, published on Tuesday, said the 1,200-pupil school failed to consult with parents and students fully before implementing the technology.

It said a letter was sent to parents in March 2023 with a slip for them to return if they did not want their child to participate.

But there was also no option to give consent to the scheme, meaning the school was wrongly relying on assumed approval until November 2023.

“Most students were old enough to provide their own consent,” the ICO added.

“Therefore, parental opt-out deprived students of the ability to exercise their rights and freedoms.”

The school was told it must improve how it used data protection impact assessments and was given a set of recommendations.

The report said: “The Information Commissioner (the Commissioner) issues a reprimand to Chelmer Valley High School in accordance with Article 58(2)(b) of the UK General Data Protection Regulation (UK GDPR) in respect of certain infringements of the UK GDPR.”

Lynne Currie, head of privacy innovation at the ICO, said introducing facial recognition technology was a decision that “should not be taken lightly”.

“Handling people’s information correctly in a school canteen environment is as important as the handling of the food itself,” she said.

“We expect all organisations to carry out the necessary assessments when deploying a new technology to mitigate any data protection risks and ensure their compliance with data protection laws.”