Student's hand placing their index finger on a fingerprint scanner biometrics in schools

Biometrics in Schools and Privacy Issues: What Could Go Wrong?

Published at 09:16 on 28 Oct 2022

Biometric technologies have been making their way into schools for years. It’s not uncommon for biometric data to be used to automate tasks, like taking attendance, to free up the teacher’s time for more valuable work. However, controversy arose recently when a Sydney school introduced fingerprint scanners for students wishing to use the bathroom. Parents and students alike intuited that the technology was an invasion of privacy. But it begs the question: when does the use of biometrics in schools become a privacy issue?  

Is it Legal to Use Biometrics in Schools?  

Biometric information used to identify a person is considered sensitive information under Australia’s Privacy Act. Stricter requirements apply to the collection and use of sensitive information, including (in most circumstances): 

  • Needing the consent of the individual, and 
  • Ensuring that the collection is reasonably necessary for one or more of the functions or activities of the organisation. 

We covered Australia’s biometric laws more extensively in our post about Using Biometrics in Australia. 

Biometrics Compound Privacy Issues 

Privacy issues are always compounded when they involve biometrics. Unlike passports or driver’s licenses, biometric data cannot be changed if it is subject to a breach. And biometric data breaches are not unheard of. Biometric data was taken by a hacker from a slot machine operator in the US, for instance. Similarly, human error (and poor security practices) meant that the fingerprints of more than 1 million people and facial recognition data was accessible on an unencrypted database in 2019. 

Breached fingerprint data can (and has been) used by criminals for nefarious purposes, including accessing buildings and bypassing security systems that accept a photograph of a fingerprint.  

Clearly, the use of biometrics must always be carefully balanced with the risks.  

The Issues with Using Biometrics in Schools 

There are undoubtedly benefits of using biometrics in schools, including increased safety and accuracy of records. However, the benefits must very clearly outweigh the drawbacks and risks before biometrics are used in schools.  

Biometric print of a school girl's iris

Balancing Risk with Reward When Using Biometrics in Schools 

In the case outlined above, where the Sydney school attempted to introduce fingerprint scanners outside bathrooms, the risk they were hoping to prevent was the risk of vandalism. Using biometrics to prevent or reduce the risk of vandalism is clearly disproportionate to the risk – and parents, privacy experts, and students were right to get angry. (The school has since backflipped on this policy.) 

A similar situation arose in Scotland when nine schools introduced biometric technologies designed to speed up the lunch line. The convenience of the technologies is undeniable, but does it justify the risk? Again, it appears that it was not. The UK’s privacy watchdog quickly got involved in this case, and the Scottish schools delayed introducing the facial recognition technology.  

However, the biometric technologies available to schools are increasing – as is their use. Video surveillance and biometric attendance records are now commonplace in Australia. And the line between what’s acceptable and what’s not is faint.  

Managing the Privacy Risk 

In addition to being wary of allowing biometrics to creep into schools for purposes where the risk is not justified, schools must be alert to the risks associated with recording and storing biometric data – including via third-party platforms. No organisation is impervious to hacking or human error.  

Schools should also be alert to ‘function creep’. The Office of the Victorian Information Commissioner defines function creep as 

“Function creep occurs when information is used for a different purpose than it was collected for. This becomes a concern when the secondary use is not communicated to the individual at the time of providing their information.

For example, an organisation may collect an employee’s facial biometric information for authentication purposes, such as to enable access to a building. That information may then be used for an unrelated secondary purpose, such as to monitor that employee’s start and finishing times.”

We would imagine the Sydney school suffered from function creep when it considered using fingerprint scanning for the bathrooms. 

Other Resources on Biometrics 

The OAIC’s Investigation into Clearview AI  

7-11’s Use of Facial Recognition Penalised by OAIC 

Speak With Our Privacy Lawyers 

If your organisation is considering introducing biometric technologies to identify people, reach out. Our privacy lawyers will work with you to consider whether your planned use is legal and proportionate – and how you can minimise your risk.  

  • We collect and handle all personal information in accordance with our Privacy Policy.

  • This field is for validation purposes and should be left unchanged.

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.