Guidance on how the Data Protection Act 1998 applies to the use of biometric data in schools is published today by the British Education Communications and Technology Agency (BECTA).
Biometric data are increasingly being used in schools as the benefit for schools of running cashless lunch queues, and improved school libraries and attendance systems, become clear. This guidance advises schools to fully involve parents in any decision to introduce this new technology. It restates schools’ freedom to run themselves for the benefit of young people—including introducing new technology to make day-to-day administrative tasks easier.
The guidance also underlines that headteachers and governing bodies should be clear and open with all parents and pupils about this and all aspects of their education. This will involve explaining what biometric technology is, how it will be used, what is involved, what data will be held and stored, why they are required, how they are secured, and for how long they are retained. It also advises that schools should recognise some parents’ or pupils’ concerns over the introduction of biometric technology and offer alternative systems, like smartcards, to access the same services if they want to opt out.
Today’s guidance sets out how Data Protection Act 1998 applies to the use of biometric data in schools—building on BECTA’s existing guidance on data security and the data protection law.
The Data Protection Act requires that:
Schools cannot use biometric information for any purpose other than the express purpose for which it was collected. This means that data taken for use in a library, can only be used for that purpose;
Schools must process all personal data fairly and lawfully. This means that schools must ensure that all pupils, or their parents or those with parental responsibility if schools judge they cannot understand, know what personal information they have on record and how they intend to use it.
Schools cannot pass on biometric information to any outside organisation nor can third parties access this information;
Schools cannot keep personal data for longer than it is needed for its specified purpose. Pupils’ biometric data must therefore be destroyed when they have left the school.
Schools must put appropriate security measures in place to safeguard personal data from unauthorised processing and accidental loss, destruction or damage. BECTA gives clear guidance to schools on data and ICT security.
BECTA and the Information Commissioner already give schools clear guidance on how to comply with the Data Protection Act. This additional guidance is designed to help schools by confirming how the law relates to biometric data and how to comply with it.
I want parents to be fully engaged with every aspect of their children’s education—this is at the heart today’s guidance. We give schools complete freedom to run their own affairs and I back every head teacher’s right and professional judgment to choose technology to improve their day-to-day running—but it is plain common sense for them to talk to parents about this and all issues relating to their pupils to demystify how schools operate.
I have seen at first hand how well these systems work. They can speed up lunch queues, remove the need for children to carry money and take away the stigma of singling out those on free school meals. Moreover, they can enable schools to register pupils more easily as they move from class to class.
Schools are well used to handling sensitive information like attendance registers, behaviour records and home addresses. But we are absolutely clear that they have to comply with data protection laws. This means that this data can only be used for their explicitly stated purpose, cannot be shared with third parties beyond their stated purpose: and they must be destroyed when the pupil leaves the school.