Biometric technologies have been making their way into schools for years. It’s not uncommon for biometric data to be used to automate tasks, like taking attendance, to free up the teacher’s time for more valuable work. However, controversy arose recently when a Sydney school introduced fingerprint scanners for students wishing to use the bathroom. Parents and students alike intuited that the technology was an invasion of privacy. But it begs the question: when does the use of biometrics in schools become a privacy issue?
Biometric information used to identify a person is considered sensitive information under Australia’s Privacy Act. Stricter requirements apply to the collection and use of sensitive information, including (in most circumstances):
We covered Australia’s biometric laws more extensively in our post about Using Biometrics in Australia.
Privacy issues are always compounded when they involve biometrics. Unlike passports or driver’s licenses, biometric data cannot be changed if it is subject to a breach. And biometric data breaches are not unheard of. Biometric data was taken by a hacker from a slot machine operator in the US, for instance. Similarly, human error (and poor security practices) meant that the fingerprints of more than 1 million people and facial recognition data was accessible on an unencrypted database in 2019.
Breached fingerprint data can (and has been) used by criminals for nefarious purposes, including accessing buildings and bypassing security systems that accept a photograph of a fingerprint.
Clearly, the use of biometrics must always be carefully balanced with the risks.
There are undoubtedly benefits of using biometrics in schools, including increased safety and accuracy of records. However, the benefits must very clearly outweigh the drawbacks and risks before biometrics are used in schools.
In the case outlined above, where the Sydney school attempted to introduce fingerprint scanners outside bathrooms, the risk they were hoping to prevent was the risk of vandalism. Using biometrics to prevent or reduce the risk of vandalism is clearly disproportionate to the risk – and parents, privacy experts, and students were right to get angry. (The school has since backflipped on this policy.)
A similar situation arose in Scotland when nine schools introduced biometric technologies designed to speed up the lunch line. The convenience of the technologies is undeniable, but does it justify the risk? Again, it appears that it was not. The UK’s privacy watchdog quickly got involved in this case, and the Scottish schools delayed introducing the facial recognition technology.
However, the biometric technologies available to schools are increasing – as is their use. Video surveillance and biometric attendance records are now commonplace in Australia. And the line between what’s acceptable and what’s not is faint.
In addition to being wary of allowing biometrics to creep into schools for purposes where the risk is not justified, schools must be alert to the risks associated with recording and storing biometric data – including via third-party platforms. No organisation is impervious to hacking or human error.
Schools should also be alert to ‘function creep’. The Office of the Victorian Information Commissioner defines function creep as:
“Function creep occurs when information is used for a different purpose than it was collected for. This becomes a concern when the secondary use is not communicated to the individual at the time of providing their information.
For example, an organisation may collect an employee’s facial biometric information for authentication purposes, such as to enable access to a building. That information may then be used for an unrelated secondary purpose, such as to monitor that employee’s start and finishing times.”
We would imagine the Sydney school suffered from function creep when it considered using fingerprint scanning for the bathrooms.
The OAIC’s Investigation into Clearview AI
7-11’s Use of Facial Recognition Penalised by OAIC
If your organisation is considering introducing biometric technologies to identify people, reach out. Our privacy lawyers will work with you to consider whether your planned use is legal and proportionate – and how you can minimise your risk.
"*" indicates required fields
"*" indicates required fields
Privacy 108 collects your name and email to send you our newsletter. If you do not provide this information, we will be unable to send it to you. We may use third-party service providers (such as email marketing platforms) to distribute our communications. Some providers may store information overseas, including in the United States. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au. You can unsubscribe at any time using the link in our emails or by contacting hello@privacy108.com.au.
