What legislation does this advice relate to?
- The Protection of Freedoms Act 2012
- The Data Protection Act 1998
- Schools and colleges that use pupils’ biometric data (see 1 below) must treat the data collected with appropriate care and must comply with the data protection principles as set out in the Data Protection Act 1998.
- Where the data are to be used as part of an automated biometric recognition system (see 2 below), schools and colleges must also comply with the additional requirements in sections 26 to 28 of the Protection of Freedoms Act 2012 (see Protection of Freedoms Act 2012 below).
- Schools and colleges must ensure that each parent of a child is notified of the school’s intention to use the child’s biometric data (see 1 below) as part of an automated biometric recognition system.
- The written consent of at least one parent must be obtained before the data are taken from the child and used (i.e. ‘processed’ – see 3 below). This applies to all pupils in schools and colleges under the age of 18. In no circumstances can a child’s biometric data be processed without written consent.
- Schools and colleges must not process the biometric data of a pupil (under 18 years of age) where:
  - the child (whether verbally or non-verbally) objects or refuses to participate in the processing of their biometric data;
  - no parent has consented in writing to the processing; or
  - a parent has objected in writing to such processing, even if another parent has given written consent.
- Schools and colleges must provide reasonable alternative means of accessing services for those pupils who will not be using an automated biometric recognition system.
1 What is biometric data?
- Biometric data means personal information about an individual’s physical or behavioural characteristics that can be used to identify that person; this can include their fingerprints, facial shape, retina and iris patterns, and hand measurements.
- The Information Commissioner considers all biometric information to be personal data as defined by the Data Protection Act 1998; this means that it must be obtained, used and stored in accordance with that Act (see the Data Protection Act 1998 below).
- The Protection of Freedoms Act includes provisions which relate to the use of biometric data in schools and colleges when used as part of an automated biometric recognition system. These provisions are in addition to the requirements of the Data Protection Act 1998. (See the Protection of Freedoms Act 2012 below.)
2 What is an automated biometric recognition system?
- An automated biometric recognition system uses technology which measures an individual’s physical or behavioural characteristics by using equipment that operates ‘automatically’ (i.e. electronically). Information from the individual is automatically compared with biometric information stored in the system to see if there is a match in order to recognise or identify the individual.
- Biometric recognition systems can use many kinds of physical or behavioural characteristics such as those listed in 1 above.
3 What does processing data mean?
‘Processing’ of biometric information includes obtaining, recording or holding the data or carrying out any operation or set of operations on the data including (but not limited to) disclosing it, deleting it, organising it or altering it. An automated biometric recognition system processes data when:
- recording pupils’ biometric data, for example, taking measurements from a fingerprint via a fingerprint scanner;
- storing pupils’ biometric information on a database system; or
- using that data as part of an electronic process, for example, by comparing it with biometric information stored on a database in order to identify or recognise pupils.