The Swedish Data Inspection Authority said it has imposed its first penalty for breach of GDPR, to a school in Skelleftea that had been trialling facial recognition to register pupil attendance.
August 21, 2019
The Swedish Data Inspection Authority said it has imposed its first penalty for breach of GDPR, to a school in Skelleftea that had been trialing facial recognition to register pupil attendance. While they scrutinized the three-week pilot 22 pupils, they found that the school board’s handling of personal information did not comply with GDPR. As a result, the fine amounts to SEK 200,000.
The maximum penalty that the authority could impose for non respect of the GDPR is SEK 10 million. Actually, the data Inspection Authority lawyer Ranja Bunni said the school had claimed the pupils had consented to participate in the trial. However, this was not acceptable because the pupils were in a dependent position to the board.
According to the Authority, there was an intrusion of their privacy. Indeed, the pilot involved camera surveillance of pupils in their everyday environment. Furthermore, it said ascertaining attendance can be done in other ways, which are less invasive than the facial recognition.
In January, IT company Tieto said it was trialing pupil registration via tags, smartphone applications and facial recognition software, at Anderstorp high school. Teachers there spend 17,280 hours per year marking attendance. In Sweden, this must be done for each individual lesson under Swedish legislation. As a result, this was equivalent to ten full-time jobs, claimed Tieto.