Biometric Trust a School and Personal Perspective

• Schools and colleges must comply with the Data Protection Act 1998.

• Where data is used as part of an automated biometric recognition system, additional requirements in sections 26-28 of the Protection of Freedoms Act 2012 apply.

• Parent and child must be notified of the school’s intention to use automated biometric recognition systems.

• Written consent is required from at least one adult for those under the age of 18.

• Schools and colleges must not process biometric data of a pupil under 18 when

  • the child objects verbally or non verbally,

  • no parent has consented

  • a parent has objected in writing, even if another has consented.

• Reasonable alternatives to accessing services must be available for those not using an automatic biometric recognition system.

Personal choice, experience and opinion may add value, or distract. The duties of schools in the Protection of Freedoms Act 2012 and Data Protection Act 1998 are non-negotiable.

The importance of keeping data safe is something we have to consider both at a school and personal level.  I would like to share some perspectives on how this can be done.

The Police provided reassurance and support when I shared a very threatening email I had received demanding money. The identification details of many users had been stolen from the computers of a third party. Fortunately, I had already started to use multiple strong passwords, different for each website, limiting the damage done. I also changed my email address because it was now circulating the dark web.

I currently use multiple-factor login authentication with at least one physical biometric when available.  Biological measurements of physical biometrics such as fingerprint mapping and 3D facial recognition seem a relatively secure and convenient proof of identification. I continue to use strong (128 bit+) individual passwords. These personal choices have not been imposed on me.

I remain subject to automated behavioural biometrics such as typing speed, mouse behaviour, keyword searches and location data. Are online adverts surprisingly tailored to your needs? Extensive real world, as well as virtual world, automated biometric systems can collect and compare personal information without the owner of the identity being aware. I have knowingly and sparingly chosen to use behavioural handwriting to e-sign on a device with a stylus and compatible screen. I strive to choose who I trust with my information.

You can never be too careful with identity information of any type. I moved from some highly effective security software when my trust in the provider terminated. Security software has access to significant digital identity information. Events can change trust over time.

It is easy to assume that someone wanting to retain their biometric data has something concerning to hide. Sadly, those with access to the identity information of others can also be the problem. This may be self-serving and deliberate. It might also result from negligent data control and system failures. I chose to use a Virtual Private Network to help keep my identity hidden online. I could use this to mask inappropriate activity, but actually do so to protect myself from the inappropriate activity of others. 

Many years ago, an indignant insurer contacted me demanding money because my car number plate was involved in an accident at a place I’d never been. Fortunately, my actual car model and colour, together with evidence that I’d attended a governor meeting at the time and date of the accident, got me off the hook. The insurer had not fully checked the accuracy of their limited identity information and had used this to form an inaccurate time saving judgment of liability.

By David Channon