Swedish school violates GDPR by using facial recognition software: Fine in the amount of 20.000 €
The Swedish community of Skelleftea, hometown of writer and journalist Stieg Larsson, has now attracted media attention for other reasons.
The secondary school Anderstorp applied facial recognition software in collaboration with the IT company Tieto. Teachers wanted to save 17.000 hours a year of attendance checks and focus more on class content.
The Swedish data protection authority learned of the experiment through a report in the magazine Computer Sweden and began an investigation. The pilot program ended in a fiasco: the data protection authority imposed a fine of 200.000 SEK (20.000 Euro) for violation of the GDPR.
The school wanted to replace the class book with biometric analysis software
Over three weeks, the pilot program collected biometric data from 22 students. The project was to be expanded, and the familiar class register with its elaborate attendance lists was soon to be a thing of the past. According to the participants, everything worked to their considerable satisfaction until the data protection authority was alerted by a published report of the experiment. The pilot program was not in line with European data protection rules.
The processing of biometric data is governed by strict conditions of the GDPR
Art. 9 GDPR generally prohibits the processing of biometric data classified as “special categories of personal data”:
“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”
The permission of the parents was not sufficient
An exception may, but need not, apply if the person concerned has given his or her effective consent. In the present case, the authority classified the existing parental permission as insufficient because the data were particularly in need of protection. The classroom is a private space, and pupils must be able to rely on that. In addition, the data protection authority stated that the express permission of the parents as legal representatives was not sufficient, because they were in some way dependent on the school authorities. This means that it cannot be assumed that they agreed to the program 100% of their own free will. The data protection authority also took into account that the school did not inform it before the program was started. There was no adequate data protection impact assessment, which would have been necessary due to the sensitivity of pupil data.
The fact that the trial was limited in time played a role in determining the amount of the fine. If the school had run the pilot programme longer, the fine would have been significantly higher. This was the first time that fines were imposed in Sweden in connection with a data breach.
Biometric controls are the future; used correctly, they can provide effective protection against danger at the workplace and at public events. Nevertheless, data protection aspects must be embedded as a restrictive element in any introduction model or pilot program.