Children’s privacy: The data watchdog warning schools need to hear

The annual Information Commissioner’s Office (ICO) conference may not be on the radar of schools and academies, but they were firmly in its sights this year.
In his in October, the information commissioner, John Edwards, made it clear that his regulatory focus in 2025 is to ensure that children’s personal data is protected, and that AI or biometric processing is risk-assessed so any data protection concerns are minimised.
The following week, he wrote a public letter to all organisations imploring them to be more proactive in preventing data breaches and more responsive when there is a breach.
Early warnings over data protection
With the education sector representing 14 per cent of all data breaches reported to the ICO in 2023 - second only to the health sector at 17 per cent - schools are clearly within the scope of this renewed focus.
This means schools must pay particular attention to the high-risk biometric processing that is increasingly being rolled out via fingerprint and facial recognition technology (FRT), most commonly for efficient school meal payments.
The ICO has already reprimanded schools for using the technology in this way without considering the privacy implications.
For example, in January 2023, it issued a to raise schools’ awareness of the data protection implications of the procurement of FRT.
Then, in July 2024, to a school in Essex for failing to comply with the law when installing a facial recognition system in its canteen.
The school didn’t consult its data protection officer (DPO) or carry out a data protection impact assessment (DPIA) before installing the technology.
With this renewed focus on children’s personal data and biometric processing, schools should now be on alert for harsher regulatory action if they fail to safeguard pupil biometric data.
These concerns - coupled with the Department for Education’s guidance stating FRT will often not be appropriate and urging schools to establish whether it is both necessary and proportionate - may make many schools back away from this area.
But if schools are keen to embrace the benefits it can provide, what are the key steps to remain compliant and avoid a brush with the regulator?
Here’s how schools can ensure they remain compliant with data protection law.
1. Bring the DPO in from the start
The first takeaway should be for any school or trust to involve their DPO from the outset of a procurement exercise, or even a change to an existing process.
They can bring a focus on privacy issues, the extent of the data processing, risks associated with it and how to mitigate these.
Involving a DPO early can also help to frame a school or trust’s approach to the market, ensuring potential providers are required to set out how they will comply with their data protection obligations and how they can help with the school’s own compliance needs.
If privacy and processing issues are treated as an afterthought, once contracts have been signed and timelines agreed, the DPO could face pressure to not delay the project.
Instead, allow the DPO to be an enabler of safe innovation.
2. Put the DPIA front and centre
A key part of the DPO’s work will be to engage with vendors and internal stakeholders, such as the IT lead, in the completion of a DPIA, which acts like a health and safety risk assessment for processing personal data.
A DPIA involves identifying the potential risks to individuals’ personal data, evaluating the necessity and proportionality of the processing activities, and implementing appropriate measures to address those risks.
This is a legal requirement, under the UK’s General Data Protection Regulation (GDPR), for activities that are likely to result in a high risk to individuals’ data protection rights and freedoms.
Any leader not aware of a DPIA for a project involving biometrics or FRT should raise this at the earliest opportunity.
3. Ensure consent from parents
Facial recognition technology clearly meets this definition and also means a higher level of consent is required.
The school must receive consent from at least one parent, carer or legal guardian of each child whose biometric data it intends to process. If any other parent or the pupil in question objects, the data can’t be used.
As such, make sure any communication to parents that requests consent is unambiguous and gives notice as early as possible - and offers plenty of opportunity for questions and feedback.
Claire Archibald is a legal director specialising in data protection at UK and Ireland law firm Browne Jacobson