Thursday, June 23, 2016

Schools asking for consent to process children's biometrics

I am getting a lot of emails from parents of children leaving primary school to go to secondary school, concerned about the way that the secondary schools are asking for consent to use their child's biometrics - fingerprint, fingertip data - and not offering an alternative method to access the catering, library, registration, etc. systems. In this, parents are feeling that the request for their consent is coercive.

Schools MUST offer an alternative to biometrics

The Protection of Freedoms Act 2012, Chapter 2, Section 27 (7) states that:

The relevant authority must ensure that reasonable alternative means are available by which the child may do, or be subject to, anything which the child would have been able to do, or be subject to, had the child’s biometric information been processed.

Unfortunately, some parents have been made to feel by schools that they are being unreasonable in not giving consent and that they are the only one objecting to biometric consent. You are not a 'problem parent'. You and your child have a right to not give the school biometric data - data that is absolutely unique, personal, highly precious and that needs to be secure for the child's lifetime.

Parents feeling isolated by a school is a story I have heard over the past 10 years so many times from so many parents - you are not alone at all.  I myself last year, when my child entered sixth form, was told by the Principal that I was the only parent objecting to them using my child's biometrics - I was not.

Quite often the supplier of the biometric system to the school will also offer alternative means of accessing the system they provide.  Examples are swipe card, PIN number and taking the names of the children at the point of sale at the till, so it shouldn't be an inconvenience for the school to offer alternative means of identification.

The new EU General Data Protection Regulation is law for every member state of the EU, including us. It came into law on 27th April 2016. Schools are subject to this.

Point 32 states:
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.

Point 42 states:
Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

If anyone has any concerns or questions, please don't hesitate to get in touch; I'm really happy to help if I can.

Monday, February 01, 2016

Consider carefully when consenting to children's biometrics in schools

'Turning fingers into keys'
Credit: kaprik/
There is a great article written by Brian Patton, University of Oxford, entitled "The trouble with taking biometric technology into schools", that appeared in The Conversation earlier this month, which every parent and student should read before considering using their biometrics in schools.

Rather than copy most of the article into this post, I would urge a read of the article, which succinctly discusses security, effectiveness, the implications of a data breach, and consent.

Schools and biometric companies supplying schools are keen to reassure parents and students that it is not a (pictorial) fingerprint that is being stored but simply a number string - a number string completely unique and specific to your child's 'bio' body 'metric' measure.

Patton makes the valid point that:

"For other biometric data it's important to remember that what is being matched within the computer is not, say, one fingerprint against another. It is a set of data drawn from the features of the scanned body part – a numerical abstraction. Steal this key and you have effectively stolen that part of the person."

He also goes on to say that,

"...a data breach will mean these type of scans will be untrustworthy for the pupils – for the rest of their lives.
And therein lies another issue: with the potential for life-long consequences, are pupils, some below the age of 16, competent to opt in to such a scheme? And what of those who opt out? It's one thing to ask adults to weigh up the balance between convenience and risk, but there are two likely issues that would make this harder in schools. There is an imbalance of power between those wanting to implement the technology and those subject to it. This raises serious concerns about informed consent – perhaps one of the reasons why in 2012 using biometrics was banned in English state schools without parents' consent."

It is unclear whether there have been any data breaches of biometric databases in schools. The UK Information Commissioner's Office (responsible for the UK Data Protection Act), in response to a Freedom of Information request regarding compromised biometric databases specifically in education, said it is "unable to conduct an electronic search of our system using the term 'biometric'" and so could not supply information on whether there have been any data breaches of children's biometric data in schools.

There are potentially long-term, unknown consequences to this biometric technology used on the youngest generation in society - we are experimenting with it on our children in schools for daily activities that can be easily undertaken, quite adequately, without the use of biometrics.

I guess an individual will only know when their biometric data has been compromised when in the future they hit a problem regarding their biometrics.  How will they know when it was compromised, by whom and where their very personal digital identity has gone? 

In the words of Brian Drury, IT Security Consultant:

"Once a child has touched a [biometric] scanner they will be at the mercy of the matching algorithm for the rest of their lives."