Thursday, September 07, 2006

Schools fingerprinting children - Data Protection Implications

It seems as though everybody wants to fingerprint your children these days. The latest issue is whether schools can fingerprint children without so much as a parental by-your-leave. The Register has a very interesting discussion of the data protection issues involved:

Parents cannot prevent schools from taking their children's fingerprints, according to the Department for Education and Skills and the Information Commissioner.

But parents who have campaigned against school fingerprinting might still be able to bring individual complaints against schools under the Data Protection Act (DPA).

DfES admitted to The Register that schools can fingerprint children without parents' permission.

This position has also been taken by the Information Commissioner, who interprets and enforces the Data Protection Act - the law privacy campaigners hope might be used to stop schools fingerprinting their children.

The Information Commissioner's Office (ICO) is drawing up guidance on the use of fingerprints for purposes other than law-enforcement. The guidance will say once and for all whether parents can prevent their children's fingerprints being taken.

David Smith, deputy Information Commissioner, said it was a complex issue that was still being worked out, but it was likely that parents did not have an automatic right to decide whether their children's biometrics could be taken by a school.

"The Data Protection Act talks of consent of the individual - essentially that's consent of the child," he said.

"Now there's a requirement that consent is informed and freely given. That will depend on the age of the child," he said.

Update: Spongebobb asks what the situation would be in Ireland. The Irish Data Protection Commissioner has given guidance on whether children can consent to the use of their personal information, though this doesn't specifically address this situation:

The minimum age at which consent can be legitimately obtained is not defined in the Data Protection Act, 1988.

Section 2A(1) of the Acts states that consent cannot be obtained from a person who, by reason of age, is likely to be unable to appreciate the nature and effect of such consent. Judging maturity will vary from case to case.

In the medical area, the GPIT Guide (www.GPIT.ie) suggests that an individual may be assumed to be competent to give consent for medical purposes on reaching the age of 16 years. Where the individual is below that age, consent may still be given, but this requires that the medical practitioner involved must assess whether a child or young person has the maturity to understand and make their own decisions about the handling of their personal health information. In relation to the right of access to health data, where the individual is below 16 years, it was recommended that the general practitioner should use professional judgement on a case by case basis, on whether the entitlement to access should be exercisable by (i) the individual alone, (ii) a parent or guardian alone, or (iii) both jointly. In making a decision, particular regard should be had to the maturity of the young person concerned and his or her best interests.

In the marketing area, where sensitive data is not involved, including on websites, a lower threshold may be permissible. For example, it is a matter for a company to judge if a 14 year old can appreciate the issues surrounding consent and to be able to demonstrate that a person of that age can understand the information supplied and the implications of giving consent. While care should be taken that a person under that age would not be enticed into a deception concerning his/her age, a clear statement that an age limit applies would normally suffice. Where the company becomes aware at a later date that a person has supplied false age-related information, then that data subject's details should be removed from the live site. Sufficient identifiers may be retained purely for the purpose of blocking future entry attempts by that individual.

Where the company accepts that an individual is a minor and are seeking parental consent, e-mail might not be the best medium, unless they can establish that the e-mail address is genuinely a parent/guardian's e-mail address. A postal address is more readily authenticated, though it still does not preclude a letter being addressed to a sibling.

The closest Irish precedent is a case involving a primary school which put the personal details of pupils on a website without parental consent. The Data Protection Commissioner took a dim view of this:

A parent contacted my Office to complain that the local primary school was publishing personal details of pupils on the school web site, without the knowledge or consent of parents. The details included photographic images of named individual pupils, as well as general details volunteered by pupils regarding their hobbies, likes and dislikes. The parent was concerned that the non-selective publication of children’s details in this way was inappropriate, and could expose the children to unnecessary risks. The parent had raised the matter with the school authorities and was very dissatisfied with the response she had received.

I immediately contacted the school principal to arrange that personal details relating to identifiable children would be deleted from the web site, pending an urgent meeting on this matter. At the meeting, the school principal explained that the web site had been set up several weeks previously in order to meet the educational needs of children in relation to computing. The pupils themselves had been quite positive about the development. Photographs of individual pupils in the junior and senior infants classes had been posted on the web site. Other pupils had been invited to contribute to the web site through other activities, such as filling out questionnaires giving personal information that would be of interest to pupils in other schools, both nationally and internationally. It was noted that the school web site had been given an award by an internet service company in recognition of its merit. As regards parental consent, the principal said that the new web site had been mentioned in a recent school newsletter, and that parents had been invited to come to the school to check it out for themselves.

I pointed out that section 2(1)(a) of the Data Protection Act requires that personal data "shall have been obtained, and the data shall be processed, fairly". When dealing with personal data relating to schoolchildren, "fairness" in my judgement requires that the clear and informed consent of parents or guardians must be obtained before any use is made of the children’s data. This is particularly so where the use envisaged involves the posting of data on the worldwide web. The principal accepted these points and undertook not to post personal details of schoolchildren on the web site except with the express authorisation of a parent or guardian.

Of course, the children in this case were of primary school age and so unlikely to be able to give an informed consent. It leaves open the question of whether parental consent could still be required in respect of an older child.
