The data controller, Chelmer Valley High School, is an academy school located in Essex providing education for around 1,200 students aged 11 to 18. The reprimand concerned FRT, which processes biometric data to uniquely identify people and is likely to result in high data protection risks. The school had been using fingerprint technology to manage its cashless catering and canteen since 2016 and introduced FRT in March 2023.
The school was reprimanded for failing to:
The reprimand recommends several further actions the school should take. Although such recommendations are not legally binding directions, they include: completing a DPIA prior to new processing operations, or upon changes to the nature, scope, context or purposes of processing, for activities that pose a high risk to the rights and freedoms of data subjects; amending the current DPIA to give thorough consideration to the necessity and proportionality of cashless catering, and to mitigating specific, additional risks such as bias and discrimination; and amending the privacy information given to students so that it provides for their information rights under the UK GDPR in an appropriate way.
This enforcement action exemplifies the importance of completing a DPIA prior to commencing any processing that is likely to result in a high risk to the rights and freedoms of individuals – it is clear that completing a DPIA as a “tick-box” exercise after commencing the processing will not be enough to comply with data protection laws.