Biometrics in Schools and Privacy Issues: What Could Go Wrong?
Biometric technologies have been making their way into schools for years. It’s not uncommon for biometric data to be used to automate tasks, like taking attendance, to free up the teacher’s time for more valuable work. However, controversy arose recently when a Sydney school introduced fingerprint scanners for students wishing to use the bathroom. Parents and students alike intuited that the technology was an invasion of privacy. But it begs the question: when does the use of biometrics in schools become a privacy issue?
Is it Legal to Use Biometrics in Schools?
Biometric information used to identify a person is considered sensitive information under Australia’s Privacy Act. Stricter requirements apply to the collection and use of sensitive information, including (in most circumstances):
- Needing the consent of the individual, and
- Ensuring that the collection is reasonably necessary for one or more of the functions or activities of the organisation.
We covered Australia’s biometric laws more extensively in our post about Using Biometrics in Australia.
Biometrics Compound Privacy Issues
Privacy issues are always compounded when they involve biometrics. Unlike passports or driver’s licenses, biometric data cannot be changed if it is subject to a breach. And biometric data breaches are not unheard of. Biometric data was taken by a hacker from a slot machine operator in the US, for instance. Similarly, human error (and poor security practices) meant that the fingerprints of more than 1 million people and facial recognition data was accessible on an unencrypted database in 2019.
Breached fingerprint data can (and has been) used by criminals for nefarious purposes, including accessing buildings and bypassing security systems that accept a photograph of a fingerprint.
Clearly, the use of biometrics must always be carefully balanced with the risks.
The Issues with Using Biometrics in Schools
There are undoubtedly benefits of using biometrics in schools, including increased safety and accuracy of records. However, the benefits must very clearly outweigh the drawbacks and risks before biometrics are used in schools.
Balancing Risk with Reward When Using Biometrics in Schools
In the case outlined above, where the Sydney school attempted to introduce fingerprint scanners outside bathrooms, the risk they were hoping to prevent was the risk of vandalism. Using biometrics to prevent or reduce the risk of vandalism is clearly disproportionate to the risk – and parents, privacy experts, and students were right to get angry. (The school has since backflipped on this policy.)
A similar situation arose in Scotland when nine schools introduced biometric technologies designed to speed up the lunch line. The convenience of the technologies is undeniable, but does it justify the risk? Again, it appears that it was not. The UK’s privacy watchdog quickly got involved in this case, and the Scottish schools delayed introducing the facial recognition technology.
However, the biometric technologies available to schools are increasing – as is their use. Video surveillance and biometric attendance records are now commonplace in Australia. And the line between what’s acceptable and what’s not is faint.
Managing the Privacy Risk
In addition to being wary of allowing biometrics to creep into schools for purposes where the risk is not justified, schools must be alert to the risks associated with recording and storing biometric data – including via third-party platforms. No organisation is impervious to hacking or human error.
Schools should also be alert to ‘function creep’. The Office of the Victorian Information Commissioner defines function creep as:
“Function creep occurs when information is used for a different purpose than it was collected for. This becomes a concern when the secondary use is not communicated to the individual at the time of providing their information.
For example, an organisation may collect an employee’s facial biometric information for authentication purposes, such as to enable access to a building. That information may then be used for an unrelated secondary purpose, such as to monitor that employee’s start and finishing times.”
We would imagine the Sydney school suffered from function creep when it considered using fingerprint scanning for the bathrooms.
Other Resources on Biometrics
Speak With Our Privacy Lawyers
If your organisation is considering introducing biometric technologies to identify people, reach out. Our privacy lawyers will work with you to consider whether your planned use is legal and proportionate – and how you can minimise your risk.