Some people have questioned the role of encryption and whether this can offer the safety required to secure students' data collected in schools, by ensuring that hackers cannot reverse engineer a password or key. But we must take into consideration that a child's biometric data must be secure for their lifetime—so, six to eight decades—and it is impossible to say under our current system that a child's biometric data can be secure for the next 70-plus years. The Home Office and police can actually do this now.

Under the General Data Protection Regulation, students’ data should be deleted when they leave school, but students returning to their schools after graduating have realised that biometric systems still recognise their fingerprints in many cases.

So, what have we done in Wales so far? Back in 2021, I reached out to the Welsh Government, who were unaware that schools were using this technology or who was selling the technology to our schools. In response, Welsh Government Minister for Education Jeremy Miles worked with schools and young people to clarify non-statutory guidance for schools in Wales, and that there are no circumstances in which a school or college can lawfully process a learner's biometric data without having notified each parent of a child and received the necessary consent. The Welsh Government also went further and produced a child-friendly version as a tool for young people to understand how their data is collected, their right to consent, and, crucially, their right to say no. It was great to introduce this at Bryntirion Comprehensive School in Bridgend, along with our education Minister, and I really do appreciate this proactive and collaborative approach to clarifying the guidance. However, this was only ever going to be a sticking plaster in anticipation of what is a very necessary and urgent wider conversation that needs to be had in this Chamber and in our communities, which is what I hope we can start today. Because a Survation poll conducted in 2018 on behalf of Defend Digital Me, a campaign group on children's rights and privacy, found that, of parents across England whose children's schools were using biometric technology, 38 per cent said they had not been offered any choice, and over 50 per cent had not been informed how long the fingerprints or other biometric data would be retained for, or when they will be destroyed. We do not have any equivalent studies here in Wales.

Defend Digital Me has also found examples of schools where the use of biometric technologies is mandatory for all pupils, or where pupils who qualify for free school meals have to use a biometric system in order to receive their lunch, while other peoples can choose not to. In 2022, they asked 10 trade unions across the UK with members in teaching and education, who said that they do not have any code of practice on this to assist staff about their own use and rights, or for pupils.

It also goes against article 28 of the United Nations Convention on the Rights of the Child, which says children and young have the right to education no matter who they are; under the UNCRC article 16, no child shall be subjected to arbitrary or unlawful interference with his or her privacy, and also the child has the right to the protection of the law against such interference; and then also article 8 of the European convention on human rights, the right to privacy.

Based on all of this evidence, I have concluded that biometric data collection in schools is intrusive, it is unnecessary, it is disproportionate, and it does not comply with current legislation or human rights conventions. Biometric technology in schools is more prevalent than we realise. First introduced around 2000, over the last decade, the use of these technologies has increased dramatically, with around 75 per cent of secondary schools across the UK now using fingerprint technology, as well as it being extremely prevalent in primary schools. We know that in the early 2000s, many of these technologies were once UK-owned companies, selling ex-military tech to the public and private sector, but now research indicates that most providers are owned by US, Canada and Israeli companies. However, to whom, how and why private companies are selling this biometric data technology data to schools remains unclear. Researcher Pippa King, a campaigner on the use of biometric data in schools, together with Defend Digital Me, have requested freedom of information requests. Some schools responded, but there is still no clarity about which Government department or other bodies monitor if schools adhere to the Protections of Freedoms Act 2012, how many schools use biometric technology, how many pupils have their biometrics stored on school or supplier databases, or if the data is accessible and shared outside the school. Furthermore, the UNCRC's, the UN Committee on the Rights of the Child, general comment No. 16 says that:

'States should not invest public finances and other resources in business activities that violate children’s rights.'

In order to meet this standard, a human rights impact assessment is required. I do not believe that these are being done.

The Information Commissioner's Office does have a part to play here, and they did recently reprimand the UK Department for Education, following the prolonged misuse of the personal information of up to 28 million children. The ICO investigation found that the Department for Education's poor due diligence meant that a database of pupils' learning records was ultimately used by Trust Systems Software UK to check whether or not they were 18 when they wanted to use a gambling account. I welcome the ICO really taking this breach of the law very seriously, however I would now call on them to also ensure appropriate risk assessments and procurement processes of technology companies within educational settings are put in place to regulate widespread biometrics in schools. Because, as Big Brother Watch has highlighted, it is unacceptable that the biometric data collection technology is being sold to schools and parents by unscrupulous companies as a safer option. I met with the ICO recently and raised my concerns and offered to send over the evidence that I have presented today, and I hope that we can work together on this, going forward.

I have also met with the previous and current Welsh children's commissioner, and I would ask that the office also takes this on as a key part of their children's rights agenda to ask them how they feel about these technologies being used in their schools. It is not just fingerprint collection; biometric data may include information about the skin pattern, physical characteristics or a person's fingers or palms, features of an iris or any other part of the eye, or a person's voice or handwriting. In October 2021, more than 2,000 pupils at nine schools in North Ayrshire were enrolled to pay for their lunches by presenting themselves in front of a camera operated by the staff at the till. The system, installed by CRB Cunninghams, matched the children against the photos registered and deducted the day's spending from their account. The ICO responded quickly, all the data was deleted, and the resulting investigation exposed how organisations like local councils are ill-prepared for the task of capturing, processing and retaining personal data. However, the case was only able to be scrutinised through the lens of breaking GDPR and not looking at whether or not this should be introduced in the first place. Big Brother Watch has highlighted that other countries, like France, Sweden and parts of the US have outlawed this due to privacy concerns.

So, there is no ambiguity. I believe that, as politicians, we have a moral and ethical obligation to debate this issue and whether or not we want to have this here in Wales or the UK. The biometrics and surveillance camera commissioner, Professor Fraser Sampson, has warned that the use of biometric surveillance in schools requires careful consideration and oversight. He said:

'Somewhat ironically, biometric surveillance requires constant vigilance. To ensure its proper governance, avoid mission creep and irreversible erosion of freedoms this area calls for careful recognition—and anyone who believes it is simply about data protection hasn’t been paying attention.'

Again, we do have a responsibility as parliamentarians and in Government to scrutinise this. 

Finally, what is this doing to our children's view in our society? I'll end by asking these wider questions: what message is this giving to students, that their biometric data, their bodies, can be used in exchange for a monetary transaction? As adults, we don't have to give our fingerprints to access food, knowledge, rights to education, and we would hopefully, and rightfully, kick off if we did, but our children have to. How is this shaping how our children view their civil liberties? Because, as adults, as one person who wrote to me highlighted, the police force, under the authority of His Majesty and an Act of Parliament, can collect people's fingerprints without consent if they've been arrested, charged or convicted, but our children have to hand this over daily. And how is this biometric data collection in schools perpetuating the ideology that, if you have nothing to hide, you have nothing to fear—a dangerous ideology that comes from a place of privilege and is always used by the oppressor? Perhaps the question today should not be whether or not a tool is legal enough to use in educational settings, but whether it is respectful of human dignity and the aims of education, meeting the full range of human rights, freedom of expression, freedom of thought and aims of the right to education. Diolch.