Sweden Issues First GDPR Fine to School Over Use of Facial Recognition Technology to Monitor Attendance

A Swedish high school has been fined €19,000 for violations of the EU General Data Protection Regulation (GDPR) related to the use of a facial recognition system to monitor student attendance. This is the first GDPR fine to be issued by the Swedish Data Protection Authority (DPA).

The trial was conducted at Anderstorp high school in January, in conjunction with the IT company Tieto. Tieto used a combination of tags, video surveillance, and a facial recognition system to monitor student attendance.

The purpose of the trial was to assess systems that could be used to cut down on the administrative burden on teachers. Under Swedish law, registration is required in every class, and schools must compile reports showing each individual’s lesson attendance. According to Tieto, teachers were spending around 17,280 hours each year just marking attendance, which is equivalent to 10 full-time jobs. With the new system, teachers could start lessons straight away without having to mark attendance.

The high school in Skellefteå implemented the facial recognition system and conducted a three-week pilot involving 22 students, who were monitored for attendance using the CCTV cameras and the facial recognition system.

While the school claimed to have obtained consent from the students involved in the study, the DPA determined that the consent was invalid as the students were in a dependent position to the board and there was “a clear imbalance between the data subject and the [data] controller.”

The school also failed to consult the DPA prior to running the pilot, did not conduct a full impact assessment, and unlawfully processed the biometric data of students.

The DPA said determining attendance is possible using a variety of methods that are less invasive and do not violate the privacy of students.

The DPA determined that a fine of €19,000 was appropriate, but it could have been far worse. A fine of up to €1 million could have been issued for the GDPR violations.