GDPR Reprimand: Chelmer Valley High School and the Lessons for Education

The Information Commissioner’s Office (ICO) has issued a reprimand to Chelmer Valley High School (22/07/2024) after it was found to have breached the UK General Data Protection Regulation (UK GDPR). The case centres on the school’s introduction of facial recognition technology in its cashless catering system between March and November 2023, where key legal obligations were not met.

This decision is a clear signal to the wider education sector: when it comes to processing biometric data, especially involving children, compliance cannot be an afterthought.

Why were they reprimanded?

The ICO identified several failings that led to the reprimand:

1. No Data Protection Impact Assessment (DPIA)

Chelmer Valley High School introduced facial recognition without first conducting a DPIA. Under Article 35(1) UK GDPR, this is mandatory where processing is “likely to result in a high risk to the rights and freedoms of natural persons”. Biometric data, particularly in relation to children, clearly falls into this category.

Without a DPIA, the risks were not assessed, consent was not properly considered, and students were unable to exercise their rights.

2. Invalid Consent for Biometric Data

The school relied on “assumed consent”, using an opt-out system for parents and carers. However, consent under UK GDPR requires a positive, informed, opt-in action. The ICO also pointed out that many students were capable of giving their own consent, which they were denied the opportunity to do.

3. Lack of DPO and Stakeholder Consultation

The school failed to involve its Data Protection Officer (DPO) in the decision-making process. Nor were parents and students consulted before the system was introduced. According to the ICO, engaging the DPO early could have prevented many of the compliance issues.

4. High-Risk Use of Biometric Data

Biometric data is sensitive by nature. Chelmer Valley High School had used fingerprint recognition since 2016, but the move to facial recognition heightened risks. Introducing such technology without safeguards put the school on a direct collision course with data protection requirements.

What Has the School Done Since?

After being reprimanded, the school has taken steps to address its failings:

  • Completing a DPIA in November 2023.

  • Switching to explicit, opt-in consent from students.

The ICO acknowledged these efforts but noted they came too late to prevent the breaches.

The ICO’s recommendations

To prevent similar issues in future, the ICO has advised the school to:

  • Always conduct a DPIA before high-risk processing or major system changes.

  • Amend its current DPIA to consider proportionality, necessity, and risks such as bias or discrimination.

  • Follow ICO guidance on facial recognition in schools.

  • Update privacy notices to ensure students fully understand their rights.

  • Involve the DPO from the outset of projects involving personal data and record their advice.

What does this mean for other schools?

While this reprimand was directed at Chelmer Valley High School, the lessons are sector-wide:

  • DPIAs are non-negotiable. They must be carried out before—not after—new technology is introduced.

  • Consent must be valid. Opt-out models do not meet GDPR standards, especially for biometric data.

  • Students’ rights must come first. Where pupils are competent to consent, their autonomy cannot be overridden.

  • DPOs are key. Their role is not symbolic; they must be consulted on all data protection matters.

Conclusion

Chelmer Valley High School’s reprimand highlights the risks of rushing into new technologies without due diligence. The ICO’s message is clear: schools must prioritise compliance, ensure lawful processing, and protect the rights of their students.

For educational institutions considering similar innovations, this case serves as a timely reminder that compliance must be proactive, not reactive.
