Baroness Chisholm of Owlpen (Con)

- Hansard -

Copy Link

-

My Lords, I am grateful to the noble Lord, Lord Clement-Jones, for bringing to the House’s attention the important matter of facial and other biometric recognition technologies in schools. He says that I am versatile, but I think that he is versatile. I have been a Whip in many departments and I always seem to be answering his questions, whatever department I am in, so I think we are both the same in that regard. I also thank noble Lords who have given me notice of what they were going to bring up today; I cannot tell you how helpful that is.

There are differing views regarding use of this technology in schools and indeed across all aspects of society. The Government recognise the need for care and for checks and balances in a system where personal and sensitive information is used to enable pupils and, indeed, any citizen to undertake everyday activities, such as children paying for lunch or accessing the library. Therefore, the Government recognise—and the noble Lord, Lord Clement-Jones, mentioned—that this is a complex and challenging policy area.

My noble friend Lord Vaizey and the noble Baroness, Lady Falkner of Margravine, said that live facial recognition has quite a lot of inaccuracies. Certainly, the accuracy of any technique will depend on the technology and how it is used. Based on LFR trials, at worst there is a one in 1,000 chance of a false alert, and around a 70% chance of a true alert, if someone on a watchlist passes a camera. However, there can still be false alerts, which is why a human being always takes the final decision to engage with an individual match via the technology.

The Department for Education sets out in its non-statutory guidance, titled Protection of Biometric Information of Children in Schools and Colleges, information for schools and colleges if they wish to use personal information about pupils for the purposes of using automated biometric recognition systems. This guidance covers legal duties under the Protection of Freedoms Act 2012 in relation to the processing of biometric information in schools. It also covers the data protection regime. This debate has highlighted that the Department for Education’s guidance needs to be updated, and will be updated imminently, to refer to the most current UK data protection legislation, which is now the UK general data protection regulation or UK GDPR, and the Data Protection Act 2018.

The decision to use biometric technology rests entirely with individual schools, which are legally responsible, as per the GDPR, the Protection of Freedoms Act and Data Protection Act, for any data they gather and use. As such, the department believes that, if a school wishes to introduce biometric technology, it is rightly a decision for an individual school to make, based on its own operational needs and in consultation with its staff, pupils, parents and carers—and, importantly, having regard to among other things the relevant data protection law. We do not intend changing this fundamental principle of school autonomy on this matter.

Schools wishing to introduce biometric technology for pupils to access services, such as the purchase of school meals, must follow their legal responsibilities. This will include the recognition that processing biometric data for uniquely identifying a natural person is classed as a special category of personal data. This means that any school—the data controller—wishing to adopt biometric technology must ensure that their data protection impact assessment demonstrates that the processing of any personal data is lawful and meets the conditions for special categories. As stated in Article 9 of the UK GDPR, together with Schedule 1 to the Data Protection Act, the rules around sensitive processing as part of the DPA 2018 would still apply when facial images are used as biometrics—that is, they have been used in an identification process, such as via automated facial recognition.

The departmental guidelines highlight the requirement to obtain the appropriate consent from parents of children under 18, and set out the individual right of a parent and/or child to refuse consent to using biometric technology. Except in certain limited circumstances, a school or college can lawfully process a pupil’s biometric data only if it has notified each parent of a child of the intention to do so and received the necessary consent. There are exceptions to when a parent needs to consent and, in those cases, a person who cares for the child, or another body such as a local authority, needs to provide consent instead. The child themselves can object to the use of their biometric information and, if that happens, the information must not be processed even if a parent has consented.

The noble Lord, Lord Watson, asked about the age limit of children giving consent. Under Sections 26 and 27 of the Protection of Freedoms Act, there is no reference to a lower age limit in terms of a child’s right to refuse to participate in sharing their biometric data. Under the legislation, we are unable to remove or limit the right of any child to refuse consent to sharing their biometric data. On the question of who can give consent if it is not the parent, and what legal autonomy they have, I say that when a child is looked after and is subject to a care order in favour of the local authority, or the local authority provides accommodation for the child within the definition of Section 22 of the Children Act 1989, a school would not be required to notify or seek consent from the parents. I hope that covers the noble Lord’s questions.

Schools must find a reasonable alternative means for any pupils who opt out of using an automated biometric recognition system to access services. This is an especially important point: pupils should not be disadvantaged or receive access to fewer or different services because the school introduces biometrics. Several noble Lords asked whether it was a waste of time if schools are using two different systems. I think that we have seen that in several schools, which have stopped using this system because they find that they have to do a risk analysis, which has to be consent-based, and having the two systems can be difficult—because, if you are using facial recognition and some pupils do not want to use it, they still have to use the old system. As noble Lords pointed out, why in that case do not they just use the old system in the first place? There is still a long way to go here.

Schools—the data controller—must make sure that any biometric data is stored securely, is not kept longer than needed, is used only for the purpose for which it is obtained, and is not unlawfully disclosed to a third party. Any failure in meeting these requirements could result in referral to the Information Commissioner’s Office, which will take steps to understand any data breach, work with schools to address any failures and agree measures to help them to meet their legal requirements. In serious cases, enforcement notices may include an absolute ban on the processing of personal data. The Department for Education will continue to remind schools of their legal position in terms of the law and their duties within it, and provide an update to the published advice.

In deciding to implement this technology, each school should monitor and review the biometric technology’s effectiveness against its original purpose. Clearly, it is right that this must be a matter for individual schools. This action will ensure that the technology continues to be used for the reason it was intended and that it meets the legal duties, requirements and responsibilities under the Data Protection Act, UK GDPR and the Protection of Freedoms Act. As this is a decision for each school, the department would have no purpose to collect or store data related to a school’s use of biometric technology. There is no intention for this approach to change. One of the primary drivers for the department not intervening in this space is the broader legal framework and the checks and balances already in place.

The Information Commissioner’s Office is now one of the most important regulators in the UK, as noble Lords are aware, responsible for supervising and enforcing the application of data protection legislation across almost every organisation in the country. With the adoption of new systems comes the responsibility to make sure that data protection obligations are fulfilled and customers’ privacy rights addressed alongside any organisational benefit.

The Information Commissioner’s Office also recently provided, in June, its opinion on the use of live facial recognition technology in public places, with recommendations and next steps for data controllers. The department’s guidance for schools, when updated, will reflect the latest advice from the Information Commissioner’s Office on this important matter. The department is confident that schools have the support needed from the Information Commissioner’s Office to ensure they meet data protection standards, especially as schools adopt biometric technology for pupils to access services.  

In line with any changes as a consequence of the ongoing Department for Digital, Culture, Media and Sport consultation on data protection reform, which ends on 19 November, the Department for Education will update its current non-statutory guidance for schools. It will also update it to reflect any changes to the legal frameworks. The reform seeks to create a new, ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data for a better UK data rights regime—sorry, that sounds a bit like an advertisement.

I am sure the consideration of legislative changes will have been discussed, but at present there is no specific intention to introduce general legislation for use of biometric data in schools or society in general. However, as has been shown today by all noble Lords, this is such a fast-moving area; I cannot believe it will not be discussed at great length as far as legislation is concerned. All the concerns brought up today are very live and important and need a great deal of thought. I will take this back to the Department for Education, but it is the Department for Digital, Culture, Media and Sport which really needs to get involved in this. I think everyone is almost wondering what is coming next.

I hope I have given some answers to noble Lords’ concerns and thank them for all their helpful contributions to this debate. I look forward to working with noble Lords towards the Government’s aim to deliver data reforms in the future that will be forward-thinking and innovative and seek to maintain public trust and confidence in the responsible use of all data, including biometrics.