About this advice

This is non-statutory advice from the Department for Education. It explains the legal duties schools and sixth-form colleges have if they wish to use biometric information about pupils for the purposes of using automated biometric recognition systems.

The duties on schools in the Protection of Freedoms Act 2012 set out in this advice come into effect from 1 September 2013.

Schools and colleges using automated biometric recognition systems, or planning to install them, are advised to plan, in advance, to make arrangements to notify parents and obtain the consent required under the new duties, as set out in the body of this advice. This will be particularly relevant for schools where pupils are already enrolled and using automated biometric recognition systems. There will be no circumstances in which a school or college can lawfully process, or continue to process, a pupil’s biometric data without having notified each parent of a child and received the necessary consent after the new duties come into effect.

This advice replaces Becta guidance on biometric technologies in schools.

Sixth-form colleges and 16-19 academies are covered by this advice. Separate advice will be issued by the Department for Business, Innovation and Skills to cover further education (FE) institutions with students under 18 years of age.

Expiry/review date

This advice will be kept under review and updated as necessary.

What legislation does this advice relate to?

The Protection of Freedoms Act 2012
The Data Protection Act 1998

Who is this advice for?

This advice is aimed at proprietors, governing bodies, headteachers and principals of all schools1, sixth-form colleges and 16-19 academies. It will also be of use to school and college staff, parents and pupils.

Key points

  • Schools and colleges that use pupils’ biometric data (see 1 below) must treat the data collected with appropriate care and must comply with the data protection principles, as set out in the Data Protection Act 1998.
  • Where the data are to be used as part of an automated biometric recognition system (see 2 below), schools and colleges must also comply with the additional requirements in sections 26 to 28 of the Protection of Freedoms Act 2012 (see Protection of Freedoms Act 2012 below).
  • Schools and colleges must ensure that each parent of a child is notified of the school’s intention to use the child’s biometric data (see 1 below) as part of an automated biometric recognition system.
  • The written consent of at least one parent must be obtained before the data are taken from the child and used (i.e. ‘processed’ – see 3 below). This applies to all pupils in schools and colleges under the age of 18. In no circumstances can a child’s biometric data be processed without written consent.
  • Schools and colleges must not process the biometric data of a pupil (under 18 years of age) where:
  1. the child (whether verbally or non-verbally) objects or refuses to participate in the processing of their biometric data;
  2. no parent has consented in writing to the processing; or
  3. a parent has objected in writing to such processing, even if another parent has given written consent.
  • Schools and colleges must provide reasonable alternative means of accessing services for those pupils who will not be using an automated biometric recognition system.

1 This includes academies, Free Schools, other types of independent schools, maintained schools and non-maintained special schools.

1 What is biometric data?

  1. Biometric data means personal information about an individual’s physical or behavioural characteristics that can be used to identify that person; this can include their fingerprints, facial shape, retina and iris patterns, and hand measurements.
  2. The information commissioner considers all biometric information to be personal data as defined by the Data Protection Act 1998; this means that it must be obtained, used and stored in accordance with that act (see the Data Protection Act 1998 below).
  3. The Protection of Freedoms Act includes provisions which relate to the use of biometric data in schools and colleges when used as part of an automated biometric recognition system. These provisions are in addition to the requirements of the Data Protection Act 1998 (see the Protection of Freedoms Act 2012 below).

2 What is an automated biometric recognition system?

  1. An automated biometric recognition system uses technology which measures an individual’s physical or behavioural characteristics2 by using equipment that operates automatically, i.e. electronically. Information from the individual is automatically compared with biometric information stored in the system to see if there is a match in order to recognise or identify the individual.
  2. Biometric recognition systems can use many kinds of physical or behavioural characteristics, such as those listed in 1, 1 above.

3 What does processing data mean?

Processing of biometric information includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data, including (but not limited to) disclosing it, deleting it, organising it or altering it3. An automated biometric recognition system processes data when:

  1.  
    1. recording pupils’ biometric data, for example, taking measurements from a fingerprint via a fingerprint scanner;
    2. storing pupils’ biometric information on a database system; or
    3. using that data as part of an electronic process, for example, by comparing it with biometric information stored on a database in order to identify or recognise pupils.
  2. More information on these topics is available via the Associated Resources section on this page.

2 Biometric systems usually store measurements taken from a person's physical/behavioural characteristics and not images of the characteristics themselves. For example, a fingerprint image is not stored on the system, but measurements from the fingerprint are converted into a template and the template is stored. The templates are also biometric data.

3 See section 1(1) of the Data Protection Act 1998.

The Protection of Freedoms Act 2012

4 Notification and parental consent

What the law says:

  1. Schools and colleges must notify each parent4 of a pupil under the age of 18 if they wish to take and subsequently use the child’s biometric data as part of an automated biometric recognition system.
  2. As long as the child or a parent does not object, the written consent of only one parent will be required for a school or college to process the child’s biometric information. A child does not have to object in writing but a parent’s objection must be written.
  3. Schools and colleges will not need to notify a particular parent or seek his or her consent if the school or college is satisfied that:
    1. the parent cannot be found, for example, his or her whereabouts or identity is not known;
    2. the parent lacks the mental capacity5  to object or to consent;
    3. the welfare of the child requires that a particular parent is not contacted, for example where a child has been separated from an abusive parent who is not to be informed of the child’s whereabouts; or
    4. where it is otherwise not reasonably practicable for a particular parent to be notified or for his or her consent to be obtained.
  4. Where neither of the parents of a child can be notified for one of the reasons set out above (which would mean consent cannot be obtained from either of them), section 27 of the Protection of Freedoms Act 2012 sets out who should, in such circumstances, be notified and who can give consent:
    1. if the child is being looked after by a local authority6  or is accommodated or maintained by a voluntary organisation, i.e. a not-for-profit organisation, the local authority, or as the case may be, the voluntary organisation must be notified and their consent written consent obtained.
    2. if paragraph (a) above does not apply, then notification must be sent to all those caring for the child and written consent must be gained from at least one carer before the child’s biometric data can be processed (subject to the child and none of the carers objecting in writing).
  5. There will never be any circumstances in which a school or college can lawfully process a child’s biometric information (for the purposes of using an automated biometric recognition system) without one of the persons above having given written consent.
  6. Under the Education (Pupil Registration) Regulations 2006, schools are required to keep an admissions register that includes the name and address of every person known to the school to be a parent of the child, including non-resident parents. Schools that wish to notify and seek consent to process a child’s biometric information at any point after the enrolment of a child should have contact details for most parents in the admission register.
  7. Schools should be alert to the fact that the admission register may, for some reason, not include the details of both parents. Where the name of only one parent is included in the admission register, schools should consider whether any reasonable steps can or should be taken to ascertain the details of the other parent. For example, the school might ask the parent who is included in the admission register or, where the school is aware of local authority or other agency involvement with the child and its family, may make enquiries with the local authority or other agency. Schools and colleges are not expected to engage the services of people tracer or detective agencies, but are expected to take reasonable steps to locate a parent before they are able to rely on the exemption in section 27(1)(a) of the Protection of Freedoms Act, i.e. notification of a parent not required if the parent cannot be found.
  8. An option would be for schools and colleges to notify parents that they intend to take and use their child’s biometric information as part of an automated biometric recognition system and seek written consent to do so at the same time as obtaining details of parents as part of the enrolment process. In other words, details of both parents would be requested by the school or college for both purposes (enrolment and notification of intention to process biometric information).
  9. Notification sent to parents should include information about the processing of their child’s biometric information that is sufficient to ensure that parents are fully informed about what is being proposed. This should include: details about the type of biometric information to be taken; how it will be used; the parents’ and the pupil’s right to refuse or withdraw their consent; and the school’s duty to provide reasonable alternative arrangements for those pupils whose information cannot be processed.

4 The parents of a child include not only the biological mother or father (or the adoptive parents), but any other individual with parental responsibility for the child. Part 1 of the Children Act 1989 sets out who has parental responsibility and what this means.
5 Within the meaning of the Mental Capacity Act 2005.
6 For example, the child is subject to a care order in favour of the local authority or the local authority provides accommodation for the child – see section 22 of the Children Act 1989 for the definition of looked after child.

5 The pupil’s right to refuse

What the law says:

  1. If a pupil under 18 objects or refuses to participate (or to continue to participate) in activities that involve the processing of their biometric data, the school or college must ensure that the pupil’s biometric data are not taken/used as part of a biometric recognition system. A pupil’s objection or refusal overrides any parental consent to the processing. Also note:
  2. Schools and colleges should take steps to ensure that pupils understand that they can object or refuse to allow their biometric data to be taken/used and that, if they do this, the school or college will have to provide them with an alternative method of accessing relevant services. The steps taken by schools and colleges to inform pupils should take account of their age and level of understanding. Parents should also be told of their child’s right to object or refuse and be encouraged to discuss this with their child.
  3. In addition to the required actions for notification and obtaining consent, schools may wish to include information in their privacy notices and explain how advice and suggested templates for privacy notices for schools can be found on the Department for Education website.

6 Providing alternatives

What the law says:

  1. Reasonable alternative arrangements must be provided for pupils who do not use automated biometric recognition systems, either because their parents have refused consent (or a parent has objected in writing) or due to the pupil’s own refusal to participate in the collection of their biometric data.
  2. The alternative arrangements should ensure that pupils do not suffer any disadvantage or difficulty in accessing services/premises and so on, as a result of their not participating in an automated biometric recognition system. Likewise, such arrangements should not place any additional burden on parents whose children are not participating in such a system.

The Data Protection Act 1998

  1. As data controllers, schools and colleges must process pupils’ personal data (which includes biometric data), in accordance with the Data Protection Act 1998 (DPA). The provisions in the Protection of Freedoms Act 2012 are in addition to the requirements under the DPA with which schools and colleges must continue to comply.
  2. The DPA has eight data protection principles with which all data controllers must comply.
  3. When processing a pupil’s personal data, including biometric data for the purposes of an automated biometric recognition system, schools and colleges must comply with these principles. This means, for example, that they are required to;
    1. Store biometric data securely to prevent any unauthorised or unlawful use.
    2. Not keep biometric data for longer than it is needed meaning that a school or college must destroy a child’s biometric data if, for whatever reason, the child no longer uses the system including when he or she leaves the school or college or where a parent withdraws consent or the child objects.
    3. Ensure that biometric data are used only for the purposes for which they are obtained and that such data are not unlawfully disclosed to third parties.

For further more information about the data protection principles and practical advice, see the Associated Resources section on this page.

Frequently asked questions

What information should schools provide to parents/pupils to help them decide whether to object or for parents to give their consent?

Any objection or consent by a parent must be an informed decision – as should any objection on the part of a child. Schools and colleges should take steps to ensure parents receive full information about the processing of their child’s biometric data including a description of the kind of system they plan to use, the nature of the data they process, the purpose of the processing and how the data will be obtained and used. Children should be provided with information in a manner that is appropriate to their age and understanding.

What if one parent disagrees with the other?

Schools and colleges will be required to notify each parent of a child whose biometric information they wish to collect/use.  If one parent objects in writing, then the school or college will not be permitted to take or use that child’s biometric data.

How will the child’s right to object work in practice – must they do so in writing?

A child is not required to object in writing. An older child may be more able to say that they object to the processing of their biometric data. A younger child may show reluctance to take part in the physical process of giving the data in other ways. In either case the school or college will not be permitted to collect or process the data.

Are schools required to ask/tell parents before introducing an automated biometric recognition system?

Schools are not required by law to consult parents before installing an automated biometric recognition system. However, they are required to notify parents and secure consent from at least one parent before biometric data is obtained or used for the purposes of such a system. It is up to schools to consider whether it is appropriate to consult parents and pupils in advance of introducing such a system.

Do schools need to renew consent every year?

No. The original written consent is valid until such time as it is withdrawn. However, it can be overridden, at any time if another parent or the child objects to the processing (subject to the parent’s objection being in writing). When the pupil leaves the school, their biometric data should be securely removed from the school’s biometric recognition system.

Do schools need to notify and obtain consent when the school introduces an additional, different type of automated biometric recognition system?

Yes, consent must be informed consent. If, for example, a school has obtained consent for a fingerprint/fingertip system for catering services and then later introduces a system for accessing library services using iris or retina scanning, then schools will have to meet the notification and consent requirements for the new system.

Can consent be withdrawn by a parent?

Parents will be able to withdraw their consent, in writing, at any time. In addition, either parent will be able to object to the processing at any time, but they must do so in writing.

When and how can a child object?

A child can object to the processing of their biometric data or refuse to take part at any stage – i.e. before the processing takes place or at any point after his or her biometric data has been obtained and is being used as part of a biometric recognition system.  If a pupil objects, the school or college must not start to process his or her biometric data or, if they are already doing this, must stop. The child does not have to object in writing.

Will consent given on entry to primary or secondary school be valid until the child leaves that school?

Yes. Consent will be valid until the child leaves the school – subject to any subsequent objection to the processing of the biometric data by the child or a written objection from a parent.  If any such objection is made, the biometric data should not be processed and the school or college must, in accordance with the Data Protection Act, remove it from the school’s system system by secure deletion.

Can the school notify parents and accept consent via email?

Yes – as long as the school is satisfied that the email contact details are accurate and the consent received is genuine.

Will parents be asked for retrospective consent?

No. Any processing that has taken place prior to the provisions in the Protection of Freedoms Act coming into force will not be affected. From 1 September 2013 (when the new duties in the Act take effect), any school or college wishing to continue to process biometric data from that date must have already sent the necessary notifications to each parent of a child and obtained the written consent from at least one of them before continuing to use their child’s biometric data.

Does the legislation cover other technologies, such as palm and iris scanning?

Yes. The legislation covers all systems that record or use physical or behavioural characteristics for the purpose of identification. This includes systems which use palm, iris or face recognition, as well as fingerprints.

Is parental notification and consent required under the Protection of Freedoms Act 2012 for the use of photographs and CCTV in schools?

No – not unless the use of photographs and CCTV is for the purposes of an automated biometric recognition system. However, schools and colleges must continue to comply with the requirements in the Data Protection Act 1998 (DPA) when using CCTV for general security purposes or when using photographs of pupils as part of a manual ID system or an automated system that uses barcodes to provide services to pupils. Depending on the activity concerned, consent may be required under the DPA before personal data is processed. The Government believes that the DPA requirements are sufficient to regulate the use of CCTV and photographs for purposes other than automated biometric recognition systems.

Photo ID card systems where a pupil’s photo is scanned automatically to provide him or her with services would come within the obligations on schools and colleges under sections 26 to 28 of the Protection of Freedoms Act 2012 as such systems fall within the definition in that Act of automated biometric recognition systems.

Is parental notification or consent required if a pupil uses or accesses standard commercial sites or software which use face recognition technology?

The provisions in the Protection of Freedoms Act 2012 only cover processing by or on behalf of a school or college. If a school or college wishes to use such software for school work or any school business, then the requirement to notify parents and to obtain written consent will apply. However, if a pupil is using this software for their own personal purposes then the provisions do not apply, even if the software is accessed using school or college equipment.

Template Notification and Consent Form

This can be found in the protection of biometric information of children in schools document in the Downloads section on this page.