On the Blue Blog an article talks about fingerprinting and biometric collection in schools. The collection is used to then manage a number of services for pupils including catering and library usage. There was quite a lot of commentary about this in 2007, so it’s not particularly new, but it still goes on.
I’d agree that this type of tracking of individuals is excessive and unnecessary. I’d add that it’s probably not cost effective, given the supposed reasons from the defences in the comments.
Online and media discussion of the topic ranges from the rabid conspiracy theorist seeing this as a method to indoctrinate children to the database state to a more rational objection to the human rights aspect. I’m not a big fan of any conspiracy theory, particularly where it crosses boundaries in government departments. I’d take the view that the ”human rights” argument is specious, although there are issues around compliance with the Data Protection Act. My objection to this is that it’s a waste of money, and it depletes the available resource that should be used for education.
Some defences of these practices are that they improve tracking, and reduce the theft of assets such as library books. My view is that if enough assets are being stolen to justify the cost of this equipment then there is a fairly serious problem in the school anyway, and fashionable electronics aren’t the solution. The other defence presented is that ”they aren’t that effective anyway”, which begs the question, what is the point…?
The DPA applies when uniquely identifiable information about the individual is collected. In the case of biometrics the data retained is rarely enough to replicate the actual feature, it’s usually a record of the feature passed through some form of encryption or hashing algorithm. Hacking the system to get the hash isn’t going to be all that beneficial, however if the underlying system can be hacked then the business purpose that the biometric identification assures is compromised. The biometric assurance is useless and a simpler, lower cost solution would be better. Notwithstanding that there are eight principles in applying the DPA, of which I think the relevant ones here are;
- Does the collection have a clear business purpose?
- Is the collection proportionate?
- Can the data be adequately secured?
- Can the individual gain access to their records and have them amended if necessary?
The most important here is probably proportionality. Does the collection of biometric information actually deliver benefit, or could the purpose be achieved in other ways? This should be explored in the business case for the procurement of the system, leading to the ”business purpose” point. Why are schools investing in this technology and why is there so little rigour attached to their investment appraisal?
The points about adequate security and the ability of the subject to have the record amended is more relevant to the whole information system in the school, not just the biometric element of the record. The weak case for implementation suggests that the case for adequate security of the whole system will also be weak, so there are clear risks there. The point that it’s not all that effective leads to concerns about how reliable any subject access request might be though.
Privacy and identity are important issues, government is supposed to serve the citizen, not the other way round. It concerns me that schools are both wasting money on this system, money that should be spent on education, and that individual identity is so casually compromised.