Scottish schools’ canteen facial recognition ‘likely infringed’ GDPR: ICO
Tactical problems and some strategic oversights are blunting any help that a biometric app can offer for asylum seekers hoping to transit the U.S. southern border.
The mobile app is CBP One, created by the U.S. Customs and Border Protection agency. It was launched in 2020 to speed legitimate land crossings by front-loading the data-gathering tasks involved in deciding migration cases.
The government recently added a scheduling function to CBP One, enabling asylum applicants to get a time reserved to cross the border. It was seen as a way to thin the crowds at border posts, increase migrant safety and expedite requests.
President Joe Biden, who is desperate to neutralize immigration as an issue, sees AI algorithms, machine vision and big data as a politically moderate option for securing the border.
Rather than positive coverage, the Department of Homeland Security, parent of Customs and Border Protection, has gotten articles alleging balky, and in some cases, biased software.
One of the biggest oversights inherent in the app is that it is no good to an asylum seeker without a phone, a local service provider or reliable Wi-Fi and network coverage.
Customs and Border Protection reportedly told the news staff at CBS8, the San Diego CBS News affiliate, that they are fixing problems. But, the agency said, migrants need to give the app access to their phone’s location services.
That could be a high hurdle for the app because many people seeking asylum anywhere are fleeing government persecution. They are leery of any government being able to locate them. And yet scheduling a border crossing and a staff meeting right now requires sharing one’s location.
Another strategic misstep: CBP One only supports English and Spanish languages. Haitians typically speak French and Brazilians speak Portuguese, for instance.
Technical problems continue to gum up the works, too.
Radio journalists with the syndicated program Marketplace say some people who are not middle-aged, cis white males are A letter from the Information Commissioner’s Office (ICO), the UK data protection authority, has told North Ayrshire Council (NAC) that its use of facial recognition for lunch payments in nine schools “is likely to have infringed data protection law under the following Articles of the UK GDPR.”
The 16-page letter (PDF) will likely come as a warning to other schools and councils to think whether it would ever be worth using the face biometrics of children as a way for them to pay for lunch.
In October 2021 more than 2,000 pupils at nine schools in North Ayrshire were enrolled to pay for their lunches by presenting themselves in front of a camera operated by staff at the till. The system, installed by CRB Cunninghams, matched the child against the photos registered, and deducted the day’s spending from their account.
It was short lived: the system also led to controversy over data protection.
The ICO responded rapidly and the council told Biometric Update it deleted all the data immediately in the autumn of 2021. NAC was highly responsive and cooperative throughout, notes the ICO. The resulting investigation and correspondence provide a valuable insight into what an investigation of this kind involves and how organizations such as local councils are ill-prepared for the task of capturing, processing and retaining personal data.
Accordingly, the ICO has written it up as a case study on its website. The situation has already been studied internationally.
Transparency, consent and DPIAs
The ICO letter lists the articles of UK GDPR that were potentially breached. For the requirement to be ‘Lawful, Fair, and Transparent’ it finds “NAC were unable to demonstrate that there was a valid lawful basis for the processing.” For the ‘Right to be Informed’ the ICO found that while NAC had communicated with children and parents, it had likely not done enough, especially in making the privacy implications clear and understandable to children.
The council keeping personal data “for as long as necessary” and for five years after a child has left the school or by their 23rd birthday (whichever is later) did not wash with the ICO’s reading of UK GDPR article on ‘Retention’ and was perhaps the most baffling part of the whole issue.
For Data Protection Impact Assessment (DPIA), it was incorrect and had not been signed off by the Data Protection Officer (DPO) nor a senior member of NAC prior to the start of biometric data processing.
“Take care to get it right first time – you should not swap to a different lawful basis at a later date without good reason,” the ICO advised the council. “In particular, you cannot usually swap from consent to a different basis.”
The fact that the project concerned children is significant in all countries of the UK, even if the law differs slightly from Scotland and Northern Ireland to England and Wales.
“Recital 38 of the UK GDPR makes clear that children are to receive specific protection when processing their personal data as ‘they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data,’” states the letter.
Insufficient information was provided to children and parents for them to be able to consent.
Signed by Ken Macdonald, head of ICO Regions, the letter states that this “correspondence and any response received do not prejudice the potential future use of the Commissioner’s enforcement.”
A spokesperson for North Ayrshire Council told Biometric Update in an email: “We welcome the clarity which has now been received from the Information Commissioner’s Office. Following the initial interest of the Commissioner’s Office in October 2021, we immediately ceased use of the facial recognition system and thereafter deleted all biometric data.”
Article Topicshaving problems with facial recognition enrollment. They say they have also found that the app crashes often.
