Fine for processing students’ fingerprints imposed on a school
The President of the Personal Data Protection Office imposed a fine of PLN 20 000 in connection with the breach consisting in the processing of biometric data of children when using the school canteen.
The school processed special categories of data (biometric data) of 680 children without a legal basis, whereas in fact it could use other forms of students identification.
For that breach, an administrative fine was imposed on Primary School No. 2 in Gdansk. In addition, the President of the Personal Data Protection Office (UODO) has ordered the erasure of the personal data processed in the form of digital information on the specific fingerprints of the children and the cessation of any further collection of personal data.
Following an ex officio administrative proceedings, the President of the UODO has established that the school is using a biometric reader at the entrance to the school canteen that identifies the children in order to verify the payment of the meal fee.
The proceedings has shown that the school obtains the data and processes them on the basis of the written consent of the parents or legal guardians. The solution has been in place since 1 April 2015. In the school year 2019/2020, 680 pupils use a biometric reader and four pupils - an alternative identification system.
In this case, it is important to stress that the processing of biometric data is not essential for achieving the goal of identifying a child’s entitlement to receive lunch. The school may carry out the identification by other means that do not interfere so much in the child’s privacy. Moreover, the school makes it possible to use the services of the school canteen not only by means of fingerprints verification, but also electronic cards, or by giving the name and contract number. Thus, in the school, there are alternative forms of identification of the child’s entitlement to receive lunch.
In the fined Primary School No. 2, in accordance with the lunch rules, available on the website of the school’s canteen, students who do not have biometric identification have to wait at the end of the queue until all the students with biometric identification enter the canteen. Once all the students with biometric identification have entered the canteen, the students without biometric identification are allowed to enter, one by one. In the opinion of the President of the UODO, such rules introduce unequal treatment of students and their unjustified differentiation, as they clearly favour students with biometric identification. Moreover, in the authority’s view, the use of biometric data, considering the purpose for which they are processed, is significantly disproportionate.
The President of the UODO, in the grounds of his decision, emphasised that children require special protection of personal data. Moreover, in the present case, the processed data constitute the data of special categories. The biometric system identifies characteristics which are not subject to change, as in the case of dactyloscopic data. Due to the unique and permanent character of biometric data, which means that they cannot change over time, the biometric data should be used with due care. Biometric data are unique in the light of fundamental rights and freedoms and therefore require special protection. Their possible leakage may result in a high risk to the rights and freedoms of natural persons.
The full text of the decision is available (in Polish) at: https://uodo.gov.pl/decyzje/ZSZZS.440.768.2018