On 22 July 2024, the ICO issued a reprimand to Chelmer Valley High School for failing to carry out a data protection impact assessment (DPIA) prior to processing biometric data, via facial recognition, in introducing a cashless catering system.
The system was operated on assumed consent save where parents/carers had opted children out of the processing.
The school had failed to consult their DPO prior to implementing the system, something which the ICO mentioned in its recommendations, advising the school that they should engage more closely and in a timely fashion with their DPO when considering new projects or operations processing personal data, and document their advice and any changes to the processing that are made as a result.
The full reprimand can be found here.
If you need assistance with a specific DPIA or you would like advice on how to ensure your organisation undertakes DPIAs when they are needed, please get in touch with your usual contact or email hello@hellodpo.com