UKMy child's school is using facial recognition. Is this lawful?
Schools in the UK can only lawfully use facial recognition if it is necessary, proportionate, and compliant with data protection law — including conducting a Data Protection Impact Assessment and obtaining lawful basis under UK GDPR.
What the Law Says
The use of facial recognition technology (FRT) by schools in the UK is tightly regulated under data protection law. Because FRT processes biometric data — a special category of personal data — schools must meet strict legal conditions.
Under the UK General Data Protection Regulation (UK GDPR), biometric data (including facial images used for identification) is classified as 'special category data' under Article 9. Processing such data is prohibited unless both a lawful basis under Article 6 *and* a separate condition under Article 9 are satisfied.
Schools must also comply with the Data Protection Act 2018, which supplements UK GDPR. Section 6(1) requires that processing be fair, lawful, and transparent, and Section 64 mandates a Data Protection Impact Assessment (DPIA) where processing is likely to result in high risk to individuals’ rights — which FRT almost always is.
The Information Commissioner’s Office (ICO) has made clear that using FRT in schools without a DPIA, proper transparency, or a compelling justification is unlawful — especially given children’s heightened vulnerability.
Statutory TextProcessing of personal data shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent…
— UK GDPR, Art. 6(1) — Lawfulness of processing
Statutory TextProcessing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person… is prohibited.
— UK GDPR, Art. 9(1) — Processing of special categories of personal data
Statutory TextThe controller shall, prior to any processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
— UK GDPR, Art. 35(1) — Data protection impact assessment
What Courts Have Said
No UK court has yet issued a binding judgment specifically on facial recognition in schools. However, regulatory enforcement actions and tribunal rulings on related biometric processing provide strong guidance.
The Court held that South Wales Police’s use of live facial recognition breached UK GDPR, human rights law, and common law because it lacked a clear legal basis and sufficient safeguards — setting precedent for public bodies, including schools.
What to Do
Ask the school in writing for their Data Protection Impact Assessment (DPIA) and lawful basis documentation.
Check whether they’ve published a privacy notice explaining how and why they use facial recognition — especially for children.
Raise concerns with the school’s Data Protection Officer (DPO) or governing body.
Complain to the Information Commissioner’s Office (ICO) if the school refuses to provide evidence of compliance.
Seek advice from organisations like Parentkind or the ICO’s dedicated education guidance page.
Sources
Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.