How To Process Biometric Data Appropriately

Schools are increasingly gravitating towards automated biometric systems for the authentication and security of their students. These systems are implemented into, nowadays, everyday devices such as your phone or your laptop, even the third party applications that you download. However, they are oftentimes used within schools for students to pay for their school lunches.

With this identification technology becoming so accessible, schools’ desire to utilise these systems is comprehensible. However, new systems such as these complexify the way in which your organisation processes data. Implementing these systems into your organisation without the appropriate risk assessment like a Data Protection Impact Assessment (DPIA), increases the risk of a data incident in your organisation.

What is Biometric Data?

The GDPR specifies biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person...”

In layman’s terms, biometric data is any data that can be used to identify a specific person. This makes it highly sensitive, special category data that must be processed appropriately to protect the safety of your students.

How do I know if my school is processing biometric data?

When using any form of fingerprint scanning system for student attendance or school lunch payment, biometric data will be collected and processed within your system or through a third party service.

Applications such as Apple Photos and Facebook automatically use facial recognition, using these devices to take and post pictures of students means that you are processing their biometric data even if it is without intention. It is imperative that you understand how you are processing this data and where it is being shared for the safety and safeguarding of your students. 9ine’s DPIA service provides a consistent approach to assessment, evaluation and management of your organisation’s data protection vulnerabilities. This will help you to ensure that you are compliant with GDPR and safeguarding policies.

How Do I Follow The Guidelines?

Guidelines and regulations vary across the globe. In the UK, there are specific provisions set out in the Protection of Freedoms Acts 2012 which require that:

• Processing of students’ biometric data must protect their rights and freedoms
• Schools must notify each parent if they wish to use any child's biometric data as part of an automated biometric recognition system
• The processing of biometric data must be performed under contract based, unambiguous, affirmative consent
• Consent must come from at least one of the student’s parents
• The student’s right to refuse is valid when handling biometric data, this overrides parental consent
• Biometric data can only be used in appropriate accordance with what has been consented to under contract
• Schools and colleges must provide reasonable alternative means of accessing services for any pupil who will not be using an automated biometric recognition system
  

When schools haven’t processed biometric data appropriately...

An unidentified school in Gdansk, Poland was fined €4,600 for breaching GDPR policies by processing the fingerprints of hundreds of children to check whether they had paid for lunch using their fingerprint scanning system.

Processing the students’ biometric data in this instance was not deemed appropriate, it was also concluded that students who used the fingerprint scanner to pay for lunch were favoured over students who did not. Through this, it was deemed that school was not complying with GDPR, and thus fined.

The school was liable for conviction due to neglecting their data protection and safeguarding obligations as the ‘data collector’. Because this school allowed their students’ special category data to be processed under no appropriate legal basis, they were not only fined, but they neglected their duty to protect their students’ rights and freedoms resulting in reputational damage.

How can I prevent biometric data incidents?

When handling sensitive data such as biometrics, prevention is inherently better than a cure. Mitigating procedures, such as a DPIA, are imperative in understanding the data protection and safeguarding risks within your organisation, and how to minimise them.

The 9ine App DPIA feature allows you to identify the measures that need to be implemented into your organisation to objectively evaluate and understand the risks of processing. Through assessing your risks and understanding how to mitigate them, the 9ine app alleviates the struggle of any complexities that your organisation could face when performing a DPIA.