In March 2020, the President of the Personal Data Protection Office in Poland, using the General Data Protection Regulation (GDPR), imposed a fine on a primary school that was processing children’s biometric data to verify payments made in the canteen. The school had the written consent of the parents to use the data, but the ruling judged that other forms of identification could be used to confirm a child’s identity (and indeed were in use for those children for whom parental consent was not in place). The ruling further determined that children not using biometric data were unfairly disadvantaged within the school canteen entry arrangements.
Citing the need to ensure special protection of children’s data and the categorisation of biometric data as a ‘special category’ of data, the school was fined and ordered to erase all biometric data and cease any future collection of such data. https://uodo.gov.pl/en/553/1102
The GDPR is European legislation and remains in force whilst the UK transitions from the EU following Brexit, though data protection has already been adopted into UK legislation via the Data Protection Act. As such, the current position of the UK’s Information Commissioner is that it has:
“A duty to co-operate with European and other international partners, including the European Commission and other data protection authorities. This co-operation includes:
• Sharing information and good practice.
• Helping with complaints, investigation, and enforcement; and
• Working together to improve understanding of data protection law and produce common positions and guidance where appropriate and necessary”.
The last of these points indicates that whilst there are no current UK rulings on this matter, there could be in the future if the Polish ruling becomes the ‘common position’ across the EU.
For now, UK guidance permits the use of biometric data, but education leaders should keep a watchful eye on guidance and may also wish to consider carefully any future investment in biometrics until the UK position is clear.
If you would like an audit of your GDPR arrangements, please contact Helen Armstrong and our qualified GDPR practitioner would be delighted to assist.
For further information about any of the above please contact Helen Armstrong via email firstname.lastname@example.org