Policy update on data protection and biometric data

In the final weeks of the summer term, members may have missed the new guidance issued by Becta, but sponsored by the DCSF, on the collection and use of biometric data in schools. For a copy, go to schools.becta.org.uk and search for biometric systems.

Becta issued the guidance after consultation with the DCSF and the Office of the Information Commissioner. However, it comes with a heath warning - on the DCSF website - that the law is still developing and the guidance could change.

This is just as well because part of the rationale given to justify collecting data (the catch-all phrase that gives schools and colleges power 'to do anything necessary...' to carry out their duties) has already been dealt a blow by the European Court of Human Rights in respect to monitoring staff communications. See page 13 for more on that issue.

Collection of personal biometric data is limited by the technical specifications issued both by Becta and by the Information Commissioner. Schools and colleges should make sure that any contract they sign specifically states that the equipment and systems meet these specifications - even if it is done through a third party purchaser.

The Becta guidance states that under Data Protection law, consent of parents or pupils is not strictly required. However its advice, which ASCL strongly supports, is that parents and pupils should be informed before the school or college implements any kind of biometric data collection or processing.

It would be sensible to offer an alternative method (eg cash or ticket payment for food in the canteen) for people who do not want this data collected.

The guidance also reminds schools and colleges that they must observe the principles of the Data Protection Act - this includes the prohibition on passing data to a third party. For more on data protection, see ASCL guidance paper 34.

Specififically, information collected for one purpose may not be used for another. For example, biometric data which is collected for use in the library should not later be given to another party, or the material simply copied across, for another purpose.

If schools and colleges intend to use biometric data in a variety of ways, this should be declared at the outset. Of course, systems do develop and expand and, if this happens, students and parents, if relevant, should again be notifified.

On a related note, the DCSF has issued advice on changes to the Fair Processing Notice (FPN) which schools are expected to issue to parents and children over 12 and colleges are expected to send to all students.

Local authorities have been told to ensure that all schools have issued revised FPNs by the end of the autumn/winter term 2007. This is to take account particularly of the introduction of the MIAP programme and of Contact Point.

The FPN guidance at www.teachernet.gov.uk/management/ims/datamanagement/fpnpupils offers three 'layers' of notice and suggests that parents and children should receive a Level 1 notice. There is parallel guidance for state-sponsored and independent schools.