To fingerprint or not
The debate about whether schools need permission to collect biometric data from students has been growing for some time. Unfortunately there is no reliable data about exactly how many students have had their biometric data stored by schools and the companies who supply the technology, but it is likely that data has been collected from more than 3m students (The Independent claim this could be 6m). CRB Solutions claim over 1m students in 900 schools use its cashless catering system every day; most data is collected by software used for class registration, security/access control, library management and school meals.
Understandably, there has been a reaction from parents who object to their children’s data being collected, and this has prompted the DfES to announce that it is publishing ‘guidelines’. In reality, no matter how extensive their consultation all the DfES can really do is suggest that schools seek parental permission before capturing and storing biometric data. This issue seems to have bipartisan political support with Shadow Education Secretaries Sarah Teather (Liberal Democrats) and Nick Gibb (Conservatives) condemning the practice in an interview broadcast on Teacher’s TV.
In another failure of the idea of joined-up-government, all the DfES really needed to do was look at existing advice about the Data Protection Act from the Office of the Information Commissioner. On the Micro Librarian Systems website it says, ‘We have received letters from both the Information Commissioner and the DfES confirming that they have no data protection concerns as a result of using this technology in school libraries’.
As previously reported, a group of parents who call themselves ‘Leave Them Kids Alone’ (LTKA), are looking to bring a test case against schools and the DfES, claiming that obtaining and storing biometric data from students contravenes the Human Rights Act and the Children Act 2004. LTKA, which was set up by parent David Clouter, seems able to get media coverage and wants a ‘campaigning paper to take up the case, which has enormous emotive appeal’. They also say that they have taken opinions from leading QCs and barristers about this issue. However, their ability to bring a well-resourced test case is uncertain and before they embark they may need another opinion from their learned friends as to whether their name, which is identical to the fourth line of Pink Floyd’s song Another Brick in the Wall, might itself be actionable under the tort of Passing Off?
What LTKA and some parents seem to worry about is that their progeny’s dabs will be in ‘the system’, but what are stored are not the actual fingerprints, but identity markers from fingerprints that are then converted to algorithms. These are then protected by encryption (120 bit) within the various systems.
While this sounds secure, is it? If educational authorities really want good biometric security they could use iris scans, but as the UK Passport Office found out, these systems are simply too expensive.
That leaves fingerprints, which most people assume don’t change much, but they do. Children’s fingerprints change as they grow, and only the most sophisticated and expensive systems can overcome this issue. Less expensive systems, like those used in schools, are simply less secure and the 120 bit encryption systems currently in use will soon be inadequate to protect sensitive data.
High security may not be a problem when borrowing books or managing school meals, but imagine what might happen from a child protection perspective if a database of children’s biometric information was compromised? Not only would this be an immediate risk to students and their families, there may also be serious long-term identify theft issues. Baroness Walmsley (Lib Dem) claims fingerprinting students will actually lead to identity theft, although this assertion is contrary to the fact that international criminal gangs increasingly target educational institutions (in both the UK and US) precisely because their IT systems are so poor at protecting student identities.
Identity management systems are necessary in schools, without them the whole concept of integrated child protection under the Children Act would be moot. Parents and educators need to recognise the benefits of biometric identity systems, which have existed since the 1970s when the University of Georgia installed them in its dining facilities. Rather than relying on the DfES and perceived gaps in the legal rights of students, biometric suppliers need to adopt a far more proactive and sustained approach to engaging their critics, particularly at a political level. Having Lord Adonis on side may be helpful, but as a Blairite, his days at the DfES may be numbered.