
Essex School Receives Reprimand from ICO

In this issue of In Perspective, Jackie Barlow, Data Protection Senior Consultant at Xcina Consulting, discusses the questions every business should be asking.

This month we review what happened when an Essex School received a reprimand from the ICO for the use of facial recognition technology, why the Labour Party received a reprimand for not replying to subject access requests on time and why a fine for a data software company might worry technology software vendors.

We take a look at why this is important and the implications for both businesses and individuals.

Find out more below.

Essex school receives reprimand from the ICO for using facial recognition technology

What happened

  • In July 2024, Chelmer Valley School in Chelmsford, Essex, introduced facial recognition technology for the purposes of cashless catering
  • This meant that a data processor, CRB Cunninghams, was processing biometric data in order to provide this service to the school
  • A DPIA (data protection impact assessment) was subsequently completed by the school’s data protection officer as the processing, rightly, was considered to be high risk
  • The DPIA was, however, not completed prior to the introduction of the technology
  • The school had been relying on assumed consent for facial recognition – except where parents or carers had opted children out of the processing
  • Most students would have been considered sufficiently competent to give their own consent, so relying on a parental ‘opt out’ deprived students of the ability to exercise their own rights and freedoms in relation to the processing
  • Furthermore, consent must be an affirmative action, so consent on an ‘opt out’ basis was not valid or lawful


Why it matters

  • Under Article 35 of UK GDPR, a controller must carry out an assessment (a DPIA) of the impact of the proposed processing operations on the protection of personal data, where this processing is likely to result in a high risk to the rights and freedoms of individuals
  • The use of facial recognition technology is usually high risk, so a DPIA should have been completed prior to the processing of the personal data, so that risks were assessed and mitigated where possible
  • Article 4(11) of UK GDPR makes it clear that consent requires an affirmative action to be valid and this was not the case with the school’s ‘opt out’ regime
  • The school failed to seek advice from its DPO when it introduced the technology, and it did not consult students or parents


Further information

Whenever high-risk processing of personal data is involved, a DPIA must be completed before the processing begins


The ICO has provided guidance on how to complete a DPIA at How do we do a DPIA? | ICO

Labour Party receives a reprimand for not replying to subject access requests on time

What happened

  • The Information Commissioner’s Office (ICO) has issued a reprimand to the Labour Party for repeatedly failing to respond to subject access requests (SARs) on time
  • SARs are requests from individuals for information held about them by an organisation
  • In November 2022 the Labour Party received 352 SARs
  • SARs should usually be responded to within one month, although up to three months can be taken if a request is particularly complex
  • 78% of the SARs had not been replied to within the maximum permitted time limit of three months, and over half (56%) were significantly delayed
  • The backlog of SARs occurred following a cyber-attack on the Labour Party in October 2021 and this led to more requests being received from the public
  • Over 150 complaints were sent to the ICO which highlighted the problem

Why it matters

  • Under data protection laws, individuals have the right to ask whether an organisation is holding/using their data and they are also entitled to receive a copy of any personal information held
  • They can also ask for an organisation to check that their information is up to date and accurate
  • In some cases, individuals can ask for their data to be deleted
  • To resolve its SARs backlog, the Labour Party has set out an action plan with appropriate steps
  • It has also implemented further measures to improve its response rate in future


Further information

Information about individuals’ right of access can be found at Right of access | ICO

ICO issues first fine against a data processor – will this worry software vendors?

What happened

  • The ICO recently issued a fine of £6.09m to Advanced Computer Software Group Ltd
  • This is the first instance in the UK where the ICO has pursued a data processor for a breach under data protection laws
  • Will this be a one off, or will other UK software vendors be worried?
  • Advanced provides IT and software services to organisations across the UK including NHS Trusts and healthcare providers
  • Advanced was hit by a ransomware attack in August 2022 and this meant the personal data of 82,496 individuals was compromised. There was also a disruption to critical services (e.g. NHS 111)
  • The ICO investigated and Advanced was found to have breached Article 32 of UK GDPR for failing to implement appropriate technical and organisational measures to ensure the security of the data
  • Processors are required to assess and mitigate risks, which means checking for vulnerabilities, implementing multi-factor authentication and ensuring the latest security patches are applied
  • When GDPR was introduced in 2018, there was concern about whether processors such as software vendors would be directly liable, as this had not been the case under the previous legislation
  • However, GDPR breach-related fines have mostly been directed at data controllers rather than processors – even though these breaches have often been caused by controllers’ third-party software vendors
  • This is the first decision relating to a processor

Why it matters

  • It was the absence of multi-factor authentication on individuals’ accounts that led to the attack on Advanced’s systems
  • Although it is the data controller that determines how and why data is used by a processor, and the processor must act only on the documented instructions of the controller, data processors have their own obligations
  • One of these is that they must implement appropriate technical and organisational measures to ensure the security of personal data; Advanced did not fulfil this obligation
  • The Advanced decision is notable as it is the first of its kind, and it will be interesting to see whether the ICO targets processors going forward
  • Data processors that handle large volumes of sensitive client data will be watching carefully over the coming months and years to see what the ICO does next


Further information

The ICO has provided guidance on the contracts and liabilities between controllers and processors at Contracts and liabilities between controllers and processors | ICO
