Biometric data is rapidly becoming a big part of the data protection landscape in an ever-growing digital age. The latest guidance from the Department of Education sets out legal expectations of schools who choose to use biometric data, such as facial recognition or fingerprint scanning, in terms of protecting the data of their staff or pupils.

Some of these systems may already be in place in some schools or colleges, such as using cameras to collect images, creating facial recognition templates, which are then processed for use, for example for verifying identity.

The information collected by these systems falls under special category data, meaning education establishments (as the data collector) must process and store the information in a lawful, fair and transparent manner, always ensuring it is kept safe.

As with any collection of information, data controllers should always ensure consent is in place before processing, storing or using any form of personal data and ensure they undertake a Data Protection Impact Assessment (DPIA), which is a statutory requirement when collecting biometric data, or for any other such high-risk processing.

In this regard, biometric data should be processed in line with UK data protection legislation and any organisation collecting such data should follow the seven principles of the UK GDPR, outlining that personal data;

• Should be processed lawfully, fairly and in a transparent manner
• Shall be collected for specified, explicit and legitimate purposes
• Shall be adequate, relevant and limited to what is necessary
• Shall be accurate and, where necessary, kept up to date
• Shall be kept in a form which permits identification of individuals for no longer than necessary
• Shall be processed in a manner that ensures appropriate security of the data using appropriate organisational and technical measures
• Will be under the responsible compliance of the data controller, who can demonstrate said compliance with the UK GDPR

The decision to collect biometric data, through any method, rests with individual schools and colleges but each institution should take care and consideration that the purpose is always proportionate and necessary and always compliant with the UK GDPR and Data Protection Act 2018.

Our team have extensive experience working within the education sector. If we can help with any element of your data protection – get in touch with us below.  Read the full guidance from the Department of Education.