Skip to content ↓
Report a Concern
Contact Us
XFacebook
Report a Concern
Contact Us
XFacebook

Biometrics Policy

Biometrics Policy

Approved by the Trust Board on 3 October 2024

Applicable from 4 October 2024

This document represents a Trust-wide approach which is approved by the Trust Board for use in the Trust’s academies that use biometric data.

Where an academy is using biometric data, they are required to add themselves to the Trust’s Central Register for academies collecting and processing biometric data.

V2

Co-op Academies Trust

Biometrics Policy

This document will be reviewed annually, or sooner when significant changes are made to the law.

Version Number

Amendments

V2 (issued September 2024)

Added paragraph to detail the lawful

basis for processing biometric data,

data retention policies and breach

procedures.

Re-written paragraph to clarify consent

requirements

Co-op Academies Trust Biometrics Policy

Contents

1.

Introduction

4

2.

What is biometric data and how is it processed?

4

3.

Legal Framework

5

4.

Roles and Responsibilities

5

5.

Data Protection Impact Assessments (DPIAs)

6

6.

Lawful Basis for Processing Biometric Data

6

7.

Consent Requirements

7

7.1. Staff and other adults

7

7.2. Pupils

7

8.

Alternative arrangements

8

9.

Data retention

9

10. Breaches

9

11. Additional uses of biometric data

9

12. Monitoring and review

9

Appendix 1:

Parental notifcation and consent form for the use of biometric data

10

Appendix 2:

Consent Form for the Use of Biometric Information (Pupil)

12

Appendix 3:

Notifcation and consent form for the use of biometric data (Staff/Other) 13

Appendix 4:

Consent Form for the Use of Biometric Information (Staff/Other)

15

Co-op Academies Trust Biometrics Policy

  1. Introduction

1.1.        In order to support the achievement and learning of our pupils, the Co-op Academies Trust collects and processes personal data about our staff, pupils, parents and other individuals who come into contact with our Trust and our academies.

1.2.        Biometric data is considered to be special category data - data which

the law deems to be more sensitive and therefore needs more protection.

1.3.        This policy is intended to ensure that where we collect biometric data, that we do so in accordance with relevant legislation and guidance to ensure the data and the rights of the individual are protected

1.4.        This policy outlines the processes the Trust and each of our academies follow when collecting and processing biometric data.

  1. What is biometric data and how is it processed?

2.1.        Biometric data is personal information about an individual’s physical or behavioural characteristics that can be used to identify that person, including their fngerprints, facial shape, retina and iris patterns, and hand measurements.

2.2.        Some of our academies may use an automated biometric recognition system. This is a system which measures an individual’s physical or behavioural characteristics by using equipment that operates ‘automatically’ (i.e. electronically). Information from the individual is automatically compared with biometric information stored in the system to see if there is a match in order to recognise or identify the individual.

2.3.        Processing biometric data includes obtaining, recording or holding the data or carrying out any operation on the data including disclosing it, deleting it, organising it or altering it. An automated biometric recognition system processes data when:

  • Recording pupils’ biometric data, e.g. taking measurements from a fngerprint via a fngerprint scanner.
  • Storing pupils’ biometric information on a database.

  • Using pupils’ biometric data as part of an electronic process, e.g. by comparing it with biometric information stored on a database to identify or recognise pupils.

2.4.        Many of our academies will use an automated biometric recognition system to record and hold information regarding fngerprints that can then be used by individuals to access certain parts of the building, or to obtain school lunches.

  1. Legal Framework

3.1.        This policy has due regard to all relevant legislation and guidance including, but not limited to, the following:

  • Protection of Freedoms Act 2012

  • Data Protection Act 2018

  • The UK General Data Protection Regulation (UK GDPR)

  • Department for Education (DfE) (2018) Protection of biometric information of children in schools and colleges

3.2.        This policy operates in conjunction with the following Trust policies:

  • Data Protection Policy

  • Data Retention Policy

  • Data Breach Policy

  1. Roles and Responsibilities

4.1.        The Trust Board is responsible for reviewing this policy on an annual basis.

4.2.        The Headteacher/Head of School in each academy is responsible for ensuring the provisions in this policy are implemented consistently.

4.3.        The Data Protection Ambassador in each academy is responsible for monitoring the academy’s compliance with this policy and the data protection legislation in regard to the use of biometric data. The Data Protection Ambassador will also act as the frst point of contact for data subjects to address any queries or concerns regarding the collection and processing of their data.

4.4.        The statutory role of Data Protection Offcer is undertaken by the Head of Data Protection. The Head of Data Protection is responsible for advising the Data Protection Ambassadors on when it may be necessary to undertake a data protection impact assessment (DPIA) in

relation to the academy’s biometric system(s) and for being the frst point of contact for the Information Commissioner's Offce (ICO).

  1. Data Protection Impact Assessments (DPIAs)

5.1.        Where an academy is seeking to process biometric data or implement a system that involves processing biometric data, they must consult the Head of Data Protection and a DPIA must be carried out.

5.2.        The Head of Data Protection will support the Data Protection Ambassador to conduct the DPIA to:

  • Assess the nature, scope, context and purposes of processing

  • Assess necessity, proportionality and compliance measures

  • Identify and assess risks to individuals

  • Identify any additional controls that may need to be applied to mitigate those risks.

5.3.        When assessing levels of risk, the likelihood and the severity of any impact on individuals will be considered. If a high risk is identifed that cannot be mitigated by additional and reasonable controls, the Head of Data Protection will consult the ICO before the processing of biometric data takes place.

5.4.        The ICO will provide the Head of Data Protection with a written response and the academy must then adhere to any advice provided in response.

  1. Lawful Basis for Processing Biometric Data

6.1.        Biometric data is classifed as Special Category Data under the UK GDPR and the Data protection Act 2018. Therefore, a lawful basis for processing under Article 9 of the UK GDPR must be identifed, in addition to a lawful basis under Article 6 of the UK GDPR.

6.2.        The lawful basis for processing biometric data in our academies is Explicit Consent (Article 9(2)(a)).

6.3.        The requirement for consent for processing children’s biometric information is also imposed by Section 25 of the Protection of Freedoms Act 2012.

  1. Consent Requirements

Our academies are obliged to obtain consent for the processing of any biometric information, whether for adults or children

7.1.        Staff and other adults

7.1.1.        Consent will be sought from staff members or other adults prior to the processing of their biometric data.

7.1.2.        Staff and other adults can object to the collection of their biometric data and can withdraw their consent at any time. If consent is withdrawn any biometric data relating to the individual that has already been captured will be deleted.

7.2.        Pupils

7.2.1.        Written consent will be sought from at least one parent of any child or young person under the age of 18.

7.2.2.        The name and contact details of the pupil’s parents will be taken from the admissions register.

7.2.3.        Where the name of only one parent is included on the admissions register, the Headteacher / Head of Academy will consider whether any reasonable steps can or should be taken to ascertain the details of the other parent.

7.2.4.        The academy does not need to notify a particular parent or seek their consent if it is satisfed that:

The parent cannot be found, e.g. their whereabouts or identity is not known.

The parent lacks the mental capacity to object or consent.

The welfare of the pupil requires that a particular parent is not contacted, e.g. where a pupil has been separated from an abusive parent who must not be informed of the pupil’s whereabouts.

It is otherwise not reasonably practicable for a particular parent to be notifed or for their consent to be obtained.

7.2.5.   Consent given by one parent will be overridden if the other parent objects in writing to the use of their child’s biometric

information. Objections should be addressed to the Headteacher or Head of School.

7.2.6.        For looked after pupils, the Local Authority will be notifed and notifcation will also be sent to all those caring for the pupil. Written consent will be obtained from at least one carer before the pupil’s biometric data can be processed.

7.2.7.        Even if a parent consents, the pupil themselves may object to the processing of their biometric data or refuse to cooperate with the biometric data collection or use. The pupil’s objection/refusal takes precedent over the parents’ consent.

7.2.8.        If a pupil objects or refuses to participate, or to continue to participate, in activities that involve the processing of their biometric data, the academy will ensure that the pupil’s biometric data is not taken or used as part of a biometric recognition system, irrespective of any consent given by the pupil’s parent(s).

7.2.9.        Parents and pupils can object to participation in the academy's biometric system(s) or withdraw their consent at any time. Where this happens, any biometric data relating to the pupil that has already been captured will be deleted.

7.2.10.   Pupils will be informed, in writing, that they can object or refuse to allow their biometric data to be collected and used.

  1. Alternative arrangements

8.1.        Parents, pupils, staff members and other relevant adults have the right to not take part in the academy’s biometric system(s).

8.2.        Where an individual objects to taking part in the academy’s biometric system(s), reasonable alternative arrangements will be provided that allow the individual to access the relevant service. for example, where a biometric system uses a pupil's fngerprints to pay for school meals, the pupil will be able to use an alternative method of identifcation for the transaction instead.

8.3.        Alternative arrangements will not put the individual at any disadvantage or create diffculty in accessing the relevant service or result in any additional burden being placed on the individual (and the pupil’s parents, where relevant).

  1. Data retention

9.1.        Biometric data will be managed and retained in line with the Trust’s Data Retention Policy.

9.2.        If an individual (or a pupil’s parent, where relevant) withdraws their consent for their/their child’s biometric data to be processed, it will be deleted from the academy’s system.

  1. Breaches

10.1.        There are appropriate and robust security measures in place to protect the biometric data held by each academy.

10.2.        Any breach to the school’s biometric system(s) will be dealt with in accordance with the Data Breach Policy.

  1. Additional uses of biometric data

11.1.        In the event that an additional system is proposed which makes a new use of biometric data belonging to a data subject, a Data Protection Impact Assessment (DPIA) will be carried out.

11.2.        If a major change is made to an existing system using biometric data, for example a change in the supplier of a cashless catering system, a DPIA will be carried out.

11.3.        The Head of Data Protection must be consulted when a DPIA is undertaken.

  1. Monitoring and review

12.1        The Trust Board will review this policy on an annual basis.

Appendix 1: Parental notifcation and consent form for the use of biometric data

Dear [parent]

Re: Notifcation of intention to process pupils’ biometric information and consent form

Co-op Academy Swinton wishes to use information about your child as part of an automated (i.e. electronically operated) recognition system. This is for the purposes of accessing catering via the fingerprint recognition at the tills. The information from your child that we wish to use is referred to as ‘biometric information’ (see next paragraph). Under the Protection of Freedoms Act 2012 (sections 26 to 28), we are required to notify each parent of a child and obtain the written consent of at least one parent before being able to use a child’s biometric information for an automated system.

Biometric information and how it will be used

Biometric information is information about a person that can be used to identify them, for example, information from their fngerprint. The academy would like to take and use information from your child’s fngerprint and use this information for the purpose of providing your child with fingerprint recognition at the tills.

The information will be used as part of an automated biometric recognition system. This system will take measurements of your child’s fngerprint and convert these measurements into a template to be stored on the system. An image of your child’s fngerprint is not stored. The template (ie. measurements taken from your child’s fngerprint) is what will be used to permit your child to access services.

You should note that the law places specifc requirements on schools when using personal information, such as biometric information, about pupils for the purposes of an automated biometric recognition system. For example:

  • The academy cannot use the information for any purpose other than those for which it was originally obtained and made known to the parents.

  • The academy must ensure that the information is stored securely.

  • The academy must tell you what it intends to do with the information.

  • Unless the law allows it, the academy cannot disclose personal information to another person/body.

Providing your consent / objecting to the use of biometric data

In order to be able to use your child’s biometric information, the written consent of at least one parent is required. However, consent given by one parent will be overridden if the other parent objects in writing to the use of their child’s biometric information. Similarly, if your child objects to this, the academy must not collect or use their biometric information for inclusion on the automated recognition system. You can also object to the proposed processing of your child’s biometric information at a later stage or withdraw any consent you have previously given. This means that, if you give consent but later change your mind, you can withdraw this consent.

Please note that any consent, withdrawal of consent or objection from a parent must be in writing. Even if you have consented, your child can object or refuse at any time to their biometric information being taken/used. Your child’s objection does not need to be in writing. We would appreciate it if you could discuss this with your child and explain to them that they can object to this if they wish. The academy is also happy to answer any questions you or your child may have. If you do not wish your child’s biometric information to be processed by the academy, or your child objects to such processing, the law says that we must provide reasonable alternative arrangements for children who are not going to use the automated system to be able to purchase food and drink.

If you give consent to the processing of your child’s biometric information, please sign, date and return the enclosed consent form to the academy. Please note that when your child leaves the academy, or if for some other reason they cease to use the biometric system, their biometric data will be securely deleted.

Yours sincerely

Appendix 2: Consent Form for the Use of Biometric Information (Pupil)

Please complete this form if you consent to the academy taking and using information from your child’s fingerprint by Coop Academy Swinton as part of an automated biometric recognition system. This biometric information will be used by Coop Academy Swinton for the purpose of fingerprint recognition for the cashless catering system.

In signing this form, you are authorising the academy to use your child’s biometric information for this purpose until they either leave the academy or cease to use the system. If you wish to withdraw your consent at any time, this must be done so in writing and sent to the academy at the following address:

Coop Academy Swinton

Sefton Road

Pendlebury

Salford

M27 6JU

Once your child ceases to use the biometric recognition system, his/her biometric information will be securely deleted by the academy.

-------------------------------------------------------------------------------------------------------

Having read information provided to me by [Coop Academy Swinton], I give consent to information from the fngerprint of my child:

[name of child]

being taken and used by [Co-op Academy Swinton] for use as part of an automated biometric recognition system for the fingerprint recognition in the canteen

I understand that I can withdraw this consent at any time in writing.

Name of parent:___________________________________ ___________________

Signature: ___________________________________________________________

Date:_____________________________

Please return this form to your Head of Year

Appendix 3: Notification and consent form for the use of biometric data (Staff/Other)

Dear [xxx]

Re: Notifcation of intention to process your biometric information and consent form

Coop Academy Swinton wishes to use information about you as part of an automated (i.e. electronically operated) recognition system. This is for the purposes of fingerprint recognition for the cashless catering system in the canteen. The information from you that we wish to use is referred to as ‘biometric information’ (see next paragraph). Under the General Data Protection Regulations (GDPR) we are required to seek your explicit consent before being able to use your biometric information for an automated system.

Biometric information and how it will be used

Biometric information is information about a person that can be used to identify them, for example, information from their fngerprint. The academy would like to take and use information from your fngerprint and use this information for the purpose of providing you with being able to access the cashless catering system.

The information will be used as part of an automated biometric recognition system. This system will take measurements of your fngerprint and convert these measurements into a template to be stored on the system. An image of your fngerprint is not stored. The template (ie. measurements taken from your fngerprint) is what will be used to permit you to access services.

You should note that the law places specifc requirements on schools when using personal information, such as biometric information, for the purposes of an automated biometric recognition system. For example:

  • The academy cannot use the information for any purpose other than those for which it was originally obtained and made known to you.

  • The academy must ensure that the information is stored securely.

  • The academy must tell you what it intends to do with the information.

  • Unless the law allows it, the academy cannot disclose personal information to another person/body

13

Providing your consent / objecting to the use of biometric data

In order to be able to use your biometric information, we require your written consent. You can also object to the proposed processing of your biometric information at a later stage or withdraw any consent you have previously given. This means that, if you give consent but later change your mind, you can withdraw this consent.

Please note that any consent, withdrawal of consent or objection from you must be in writing.

If you do not wish your biometric information to be processed by the academy, the law says that we must provide reasonable alternative arrangements to enable you to still access the cashless catering system

The academy is happy to answer any questions you may have.

If you give consent to the processing of your biometric information, please sign, date and return the enclosed consent form to the academy. Please note that when you leave the academy, or if for some other reason you cease to use the biometric system, your biometric data will be securely deleted.

Yours sincerely

14

Appendix 4: Consent Form for the Use of Biometric Information (Staff/Other)

Please complete this form if you consent to the academy taking and using information from your fngerprint by Coop Academy Swinton as part of an automated biometric recognition system. This biometric information will be used by Coop Academy Swinton for the purpose of cashless catering

In signing this form, you are authorising the academy to use your biometric information for this purpose until you either leave the academy or cease to use the system. If you wish to withdraw your consent at any time, this must be done so in writing and sent to the academy at the following address:

     Coop Academy Swinton

     Sefton Road

     Pendlebury

     Salford

     M27 6JU

Once you cease to use the biometric recognition system, your biometric information will be securely deleted by the academy.

-------------------------------------------------------------------------------------------------------

Having read information provided to me by Coop Academy Swinton, I give consent to information from my fngerprint being taken and used by Coop Academy Swinton for use as part of an automated biometric recognition system for the cashless catering system

I understand that I can withdraw this consent at any time in writing.

Name:___________________________________ ___________________

Signature: ___________________________________________________________

Date:_____________________________

Please return this form to Hannah Murphy

15

Cookie Policy