A primary school in the city of Gdansk, Poland, has been fined $5,200 under Europe’s General Data Protection Regulation (GDPR) after it was discovered it was collecting students’ biometric fingerprint data as a way of verifying whether they had paid for lunch or not.
As VentureBeat notes, biometric data, as defined by the GDPR — “personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person.” — includes fingerprints, iris scans, hand geometry, voice recognition, and facial scans.
According to a statement by Jan Nowak, the president of Poland’s Personal Data Protection Office (UODO), the school — which remains unidentified — collected and processed the fingerprints of hundreds of children “without a legal basis”.
The statement by Nowak also noted the existence of adequate alternative options for the management of school meals, other than biometric processing.
According to the UODO, a biometric fingerprint reader had been used by the school to verify and track which students had paid for their meals since 2015, with 680 children having been processed this academic year and four choosing to use “an alternative identification system.”
The statement notes that those students who did not use biometrics as a form of identification were forced to the end of the lunch line.
“In the opinion of the president of the UODO, such rules introduce unequal treatment of students and their unjustified differentiation, as they clearly favour students with biometric identification,” reads the statement.
It also goes on to say that the use of biometric processing is “significantly disproportionate” to the purpose for which it is being used, and that this system is “not essential for achieving the goal of identifying a child’s entitlement to receive lunch.”
Even though parental consent was obtained in this case, the final decision to penalize the school — which aside from the fine imposed means the school must erase all personal data it has collected and cease the program altogether — referenced numerous articles of GDPR including recital 38, which makes specific provisions protecting children from having their data collected.
“It should be emphasized that children require special protection of personal data, as they may be less aware of the risks, consequences, safeguards, and rights they have in connection with the processing of personal data,” reads the report.
The use of biometrics in schools has been a topic of heavy debate over the last year, with cases both in the U.S. and across the globe garnering much attention.
In August of 2019, a school in Sweden was fined $23,000 under GDPR for conducting a facial recognition pilot project that tracked students’ attendance.
March 9, 2020 – by Tony Bitzionis