The Do’s and Don’ts of Biometric Data in Schools

Posted 13th May 2026

As schools increasingly adopt automated technologies, managing sensitive student information has become a top priority for leadership teams. Biometric systems may offer efficiency, but they also come with severe data privacy risks. Understanding your legal obligations is critical to protecting your students and staff and to ensuring compliance.

What is Biometric Data?

Article 4(14) of the UK GDPR defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”. The Data Protection Act 2018 adopts this definition, with an emphasis on the biological link to unique individual identification.

Biometric information is classified as Special Category Data under the law because it carries heightened, irreversible risks. Unlike a compromised password, a person cannot change their fingerprints after a data hack. Furthermore, biometric profiles can inadvertently reveal other protected traits such as sex, age, or ethnicity. Because a breach carries permanent consequences, the Information Commissioner’s Office (ICO) holds schools to exceptionally high standards when processing this data.

How are Schools Using Biometric Data?

Because biometric data links measurable biological or behavioural characteristics to a specific individual for identification, hypothetical use cases within schools include:

  • Cashless catering biometric systems
  • Facial recognition for improving CCTV or monitoring attendance
  • Fingerprint scanners for the library or books
  • Emerging systems utilising voice or gait recognition

In Judicium’s experience supporting schools and trusts on biometric data, most live systems focus strictly on cashless catering. Other use cases are often dismissed during the planning phase in favour of less intrusive options.   

We frequently advise schools against adding facial recognition elements to existing CCTV systems. While it usually comes with justifiable reasons, such as highlighting safeguarding concerns with faces it does not recognise, we have yet to see a system that is able to properly allow data subjects to withhold consent. A compliant facial recognition framework is theoretically possible to design, but it requires an exhaustive technical audit of the software architecture before deployment.

Why Might Schools Look to Utilise Biometrics?

In most cases, biometric data is used to increase the efficiency of service provision. For example, cashless catering uses it to cut down the time lost to misplaced or forgotten cards or time-consuming data entry, moving more bodies through the system quickly. Biometrics can help streamline an existing system; it can also offer unique benefits like automatic identification. However, these uses should be approached with caution, as misuse or overuse of biometric data can have an intrusive impact on individuals’ privacy, which the ICO treats very seriously.

What are the Legal and Regulatory Frameworks Around Biometric Data?

The processing of biometric data in UK schools is governed by a strict legal matrix comprising two primary statutes and statutory guidance from the Department for Education (DfE). Together, these instruments dictate how schools must handle sensitive pupil data, elevating student autonomy and parental rights above standard administrative convenience.

Protection of Freedoms Act 2012 (PoFA)

Under PoFA 2012, schools must obtain written parental consent before processing biometric data for any child under the age of 18. According to DfE guidance, this consent can be vetoed by either parent. If one parent objects, the school cannot legally process the child's data, regardless of the other parent's approval. Crucially, a child maintains total autonomy; if a student refuses to participate, the school cannot bypass their refusal using parental consent. While parental consent must be explicitly documented in writing, a child can withdraw their consent verbally or through actions alone at any time.

Data Protection Act 2018 & UK GDPR

Because biometrics constitute Special Category Data, schools must establish a valid lawful basis alongside a specific condition under Article 9. In a school setting, this legal condition will always be explicit consent.

For consent to be legally valid, it must be informed, specific and freely given. To ensure that consent is freely given, a genuine opt-out alternative must be available, and it cannot significantly disadvantage a person who chooses not to provide their consent. If the alternative provision is overly convoluted or onerous, then there is a good argument that any consent has not been freely given, which opens the door to potential criticism. Common alternatives are the use of individual PINs or ID cards.

When it comes to data retention, data stored must be limited to only what is needed to achieve the desired outcome. The stored biometric templates must also be deleted when a student leaves the school or stops using the system. As soon as the justification has been removed, the data must be deleted.

What are Some Practical Considerations Schools and Trusts Should Have Prior to Using Biometric Data?

Introducing biometric data into a school environment demands meticulous planning, beginning with a comprehensive Data Protection Impact Assessment (DPIA) to test if less intrusive methods could work instead. This planning stage requires schools to actively consult with parties like parents, pupils, and potentially governors. Failing to establish these safeguards risks severe scrutiny from the ICO during a breach; the ICO will be looking for clear security documentation, full data encryption, and local storage configurations rather than standard cloud hosting. Although establishing this framework sounds highly complex, Judicium’s Data Protection service is here to assist you. Our experts can help ensure your school and trust remain fully compliant by updating your privacy notices, structuring your consent forms, and aligning your data retention policies.

    © This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attend and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium either preventing you from accessing our sessions and/or follow-up content.

