A school was reprimanded by the UK data privacy watchdog over its use of facial recognition to process cashless payments in its canteen. 

Chelmer Valley High School in Chelmsford, Essex, implemented the technology in March 2023 without first conducting a data protection impact assessment (DPIA) or obtaining explicit consent from students and parents, according to the Information Commissioner's Office.  

A DPIA is required under the UK General Data Protection Regulation (UK GDPR). The school's DPIA was only completed in November 2023, months after the technology had been in use.

The school has also sent a letter to parents in March 2023 allowing them to opt-out their children but did not seek explicit consent, assuming approval by default. This approach was deemed invalid by the ICO, as consent must be an affirmative action.

The ICO highlighted that most students were old enough to provide their own consent, and the parental opt-out system limited their ability to exercise their rights and freedoms regarding their biometric data.

The regulator recommended that the school improve its data protection practices, including conducting thorough DPIAs and obtaining explicit opt-in consent from students. 

The ICO's reprimand serves as a reminder to UK-based educational institutions about the importance of adhering to data protection laws when implementing AI and other new technologies.