We'll move now to item 5, Member debate under Standing Order 11.21, biometric data in schools. And I call on Sarah Murphy to move the motion.

Motion NDM8131 Sarah Murphy, Jane Dodds

Supported by Carolyn Thomas, Jack Sargeant

To propose that the Senedd:

1. Notes that the prevalent collection and use of biometric data within schools across Wales is putting children’s personal data and privacy at risk.

2. Calls on the Welsh Government to introduce legislation that would:

a) ensure that Article 16 of the United Nations Convention on the Rights of the Child, a child's right to privacy, is upheld within Wales;

b) ensure that schools and childcare settings are using non-biometric technologies for services, rather than using biometric systems that may compromise the security of children's biometric data;

c) ensure appropriate risk assessments and procurement processes of technology companies within educational settings are put in place;

d) acknowledge the potential harms from the unregulated use of biometric data;

e) acknowledge the lack of consent by young people and children within current usages of biometric data within schools.

Motion moved.

Diolch, Dirprwy Lywydd. Thank you to Jane Dodds, who co-submitted this motion, and to Carolyn Thomas and Jack Sargeant who supported it. I move the motion.

I have requested a debate on biometric data in schools a few times since being elected, so this is a significant day, and I am pleased and optimistic that we can discuss the legal, regulatory and equality and human rights aspects together today. I would like to thank Pippa King and Jen Persson from Defend Digital Me and Madeleine Stone at Big Brother Watch for their consistent research and help with this, which I will draw on today.

I am calling for our education Minister to write to all schools in Wales for a moratorium on biometric technology and use of bodily data in schools until the Information Commissioner carries out an assessment of the use of children's data across UK educational systems—this would include face, fingerprints, eye scans, vein and palm scanning, gait and emotional detection and processing—as well as writing to UK Government to ask what assessment has been made that these technologies are in line with the UK Data Protection Act 2018 to protect children at scale from overreach in this sector, and I will set out why.

As with most data technology changes in our public spaces, I became aware of fingerprint data collection in schools anecdotally. I was told by parents that it had been introduced by schools in my constituency, and then, when I asked more widely of parents and students if and where this was happening in other schools, I was surprised to discover that it is extremely prevalent. I then asked if consent had been requested for this to be introduced in schools, and I was shown one letter that parents had been sent to sign off on their children's fingerprint data being collected and stored to be used in exchange for payment for school meals. It stated, and I quote, 'If you choose not to have your children on biometric system, a four-digit PIN code will need to be allocated. Please note that the PIN codes do not have the same level of security, and it will be your child's responsibility to remember the code and keep it secure at all times.'

Minister, I cannot emphasise this enough: biometric data is not safer than a PIN code or passwords. Passwords and PIN codes can be reset. Once your biometric data is compromised, it is compromised for life. It potentially stops the children for the rest of their lives from being able to use their fingerprint for security reasons or whatever they wish. This is partly because data hacks are not an uncommon occurrence. We have seen it within NHS England, the Metropolitan Police and Lloyds Banking Group. Public bodies with high levels of security have fallen victim to their data being exposed, often with unknown consequences. The reality is that a primary or secondary school is not going to be able to afford or oversee this level of security, and therefore cannot commit to children's personal data being safe. I'm not speculating that this could happen; this has happened. In September 2022, parents in the US have reported receiving a notorious explicit image in a meme after hackers targeted the school app Seesaw, which has 10 million users, including teachers, students and family members. I was told this week that the Seesaw app is being rolled out in a primary school in my constituency, as I'm sure it is across all of your constituencies too.

Some people have questioned the role of encryption and whether this can offer the safety required to secure students' data collected in schools, by ensuring that hackers cannot reverse engineer a password or key. But we must take into consideration that a child's biometric data must be secure for their lifetime—so, six to eight decades—and it is impossible to say under our current system that a child's biometric data can be secure for the next 70-plus years. The Home Office and police can actually do this now.

Under the General Data Protection Regulation, students’ data should be deleted when they leave school, but students returning to their schools after graduating have realised that biometric systems still recognise their fingerprints in many cases.

So, what have we done in Wales so far? Back in 2021, I reached out to the Welsh Government, who were unaware that schools were using this technology or who was selling the technology to our schools. In response, Welsh Government Minister for Education Jeremy Miles worked with schools and young people to clarify non-statutory guidance for schools in Wales, and that there are no circumstances in which a school or college can lawfully process a learner's biometric data without having notified each parent of a child and received the necessary consent. The Welsh Government also went further and produced a child-friendly version as a tool for young people to understand how their data is collected, their right to consent, and, crucially, their right to say no. It was great to introduce this at Bryntirion Comprehensive School in Bridgend, along with our education Minister, and I really do appreciate this proactive and collaborative approach to clarifying the guidance. However, this was only ever going to be a sticking plaster in anticipation of what is a very necessary and urgent wider conversation that needs to be had in this Chamber and in our communities, which is what I hope we can start today. Because a Survation poll conducted in 2018 on behalf of Defend Digital Me, a campaign group on children's rights and privacy, found that, of parents across England whose children's schools were using biometric technology, 38 per cent said they had not been offered any choice, and over 50 per cent had not been informed how long the fingerprints or other biometric data would be retained for, or when they will be destroyed. We do not have any equivalent studies here in Wales.

Defend Digital Me has also found examples of schools where the use of biometric technologies is mandatory for all pupils, or where pupils who qualify for free school meals have to use a biometric system in order to receive their lunch, while other peoples can choose not to. In 2022, they asked 10 trade unions across the UK with members in teaching and education, who said that they do not have any code of practice on this to assist staff about their own use and rights, or for pupils.

It also goes against article 28 of the United Nations Convention on the Rights of the Child, which says children and young have the right to education no matter who they are; under the UNCRC article 16, no child shall be subjected to arbitrary or unlawful interference with his or her privacy, and also the child has the right to the protection of the law against such interference; and then also article 8 of the European convention on human rights, the right to privacy.

Based on all of this evidence, I have concluded that biometric data collection in schools is intrusive, it is unnecessary, it is disproportionate, and it does not comply with current legislation or human rights conventions. Biometric technology in schools is more prevalent than we realise. First introduced around 2000, over the last decade, the use of these technologies has increased dramatically, with around 75 per cent of secondary schools across the UK now using fingerprint technology, as well as it being extremely prevalent in primary schools. We know that in the early 2000s, many of these technologies were once UK-owned companies, selling ex-military tech to the public and private sector, but now research indicates that most providers are owned by US, Canada and Israeli companies. However, to whom, how and why private companies are selling this biometric data technology data to schools remains unclear. Researcher Pippa King, a campaigner on the use of biometric data in schools, together with Defend Digital Me, have requested freedom of information requests. Some schools responded, but there is still no clarity about which Government department or other bodies monitor if schools adhere to the Protections of Freedoms Act 2012, how many schools use biometric technology, how many pupils have their biometrics stored on school or supplier databases, or if the data is accessible and shared outside the school. Furthermore, the UNCRC's, the UN Committee on the Rights of the Child, general comment No. 16 says that:

'States should not invest public finances and other resources in business activities that violate children’s rights.'

In order to meet this standard, a human rights impact assessment is required. I do not believe that these are being done.

The Information Commissioner's Office does have a part to play here, and they did recently reprimand the UK Department for Education, following the prolonged misuse of the personal information of up to 28 million children. The ICO investigation found that the Department for Education's poor due diligence meant that a database of pupils' learning records was ultimately used by Trust Systems Software UK to check whether or not they were 18 when they wanted to use a gambling account. I welcome the ICO really taking this breach of the law very seriously, however I would now call on them to also ensure appropriate risk assessments and procurement processes of technology companies within educational settings are put in place to regulate widespread biometrics in schools. Because, as Big Brother Watch has highlighted, it is unacceptable that the biometric data collection technology is being sold to schools and parents by unscrupulous companies as a safer option. I met with the ICO recently and raised my concerns and offered to send over the evidence that I have presented today, and I hope that we can work together on this, going forward.

I have also met with the previous and current Welsh children's commissioner, and I would ask that the office also takes this on as a key part of their children's rights agenda to ask them how they feel about these technologies being used in their schools. It is not just fingerprint collection; biometric data may include information about the skin pattern, physical characteristics or a person's fingers or palms, features of an iris or any other part of the eye, or a person's voice or handwriting. In October 2021, more than 2,000 pupils at nine schools in North Ayrshire were enrolled to pay for their lunches by presenting themselves in front of a camera operated by the staff at the till. The system, installed by CRB Cunninghams, matched the children against the photos registered and deducted the day's spending from their account. The ICO responded quickly, all the data was deleted, and the resulting investigation exposed how organisations like local councils are ill-prepared for the task of capturing, processing and retaining personal data. However, the case was only able to be scrutinised through the lens of breaking GDPR and not looking at whether or not this should be introduced in the first place. Big Brother Watch has highlighted that other countries, like France, Sweden and parts of the US have outlawed this due to privacy concerns.

So, there is no ambiguity. I believe that, as politicians, we have a moral and ethical obligation to debate this issue and whether or not we want to have this here in Wales or the UK. The biometrics and surveillance camera commissioner, Professor Fraser Sampson, has warned that the use of biometric surveillance in schools requires careful consideration and oversight. He said:

'Somewhat ironically, biometric surveillance requires constant vigilance. To ensure its proper governance, avoid mission creep and irreversible erosion of freedoms this area calls for careful recognition—and anyone who believes it is simply about data protection hasn’t been paying attention.'

Again, we do have a responsibility as parliamentarians and in Government to scrutinise this. 

Finally, what is this doing to our children's view in our society? I'll end by asking these wider questions: what message is this giving to students, that their biometric data, their bodies, can be used in exchange for a monetary transaction? As adults, we don't have to give our fingerprints to access food, knowledge, rights to education, and we would hopefully, and rightfully, kick off if we did, but our children have to. How is this shaping how our children view their civil liberties? Because, as adults, as one person who wrote to me highlighted, the police force, under the authority of His Majesty and an Act of Parliament, can collect people's fingerprints without consent if they've been arrested, charged or convicted, but our children have to hand this over daily. And how is this biometric data collection in schools perpetuating the ideology that, if you have nothing to hide, you have nothing to fear—a dangerous ideology that comes from a place of privilege and is always used by the oppressor? Perhaps the question today should not be whether or not a tool is legal enough to use in educational settings, but whether it is respectful of human dignity and the aims of education, meeting the full range of human rights, freedom of expression, freedom of thought and aims of the right to education. Diolch.

Thank you so much to Sarah Murphy for initiating this debate. I know that Sarah has been a real champion of the concerns around biometric data and of digital rights, so I do thank you for the opportunity to sponsor this and to take part in this debate. Diolch yn fawr iawn. 

The collection and use of biometric data in schools raises real concerns about rights, legality and the appropriate use of such crucial data. In particular, we need to be assured that schools are complying with the expectations both of the Welsh Government and of the law as well. For me, there are two questions: whether the legislation is good enough to protect our children's rights, and whether schools are acting within the legislation and the guidance from the Welsh Government. It is extremely concerning to hear accounts of how schools are compromising the Welsh Government expectations and children's data. I don't think they're doing this through any malicious intent, but rather lack of awareness of what the expectations are, which can lead to worrying consequences. In doing so, they create an environment in which young people get used to the idea that their biometric data is something to be handed over as a matter of routine. We need to remember that systems are only as good as the people who use them, and we need to be aware of the risks that they will incorporate unconscious bias.

Although data protection is a reserved matter, how the rules are applied in schools is a matter, as we've heard from Sarah, of the Welsh Government, and it's really encouraging to hear of the work that's been done so far. So, we need to build on the Welsh Government guidance and expectations, given to schools in protecting our children's data, and in the creation of those expectations of the collection as well.

In Europe, we are seeing case law making it clear that the inequality of status between school and pupil is a factor in deciding whether or not the use of biometric data is lawful. In my view, this is a principle that must inform how schools operate in Wales as well. More generally, we need to be vigilant about data protection legislation. The Westminster Government's Data Protection and Digital Information Bill is currently stalled once again in Parliament. The Retained EU Legislation (Revocation and Reform) Bill, currently again in the Westminster Parliament, means that, among other things, a review of the data protection legislation in the UK, which is due, is based on that EU data protection law. I understand that the Westminster Government is expected to announce its proposals for a UK GDPR shortly. We need to be aware of the risk that this will be used as an opportunity to water down data protection law.

I'm confident that the Welsh Government will keep the Senedd informed of developments in this area, and will ensure that the need to protect children and young people's data in school, and elsewhere, is recognised and acted on. Once again, a huge thank you to Sarah for raising this issue, and I hope that we continue to debate this and keep our eye on any developments. Thank you. Diolch yn fawr iawn.

Can I start my contribution as well, Deputy Presiding Officer, by thanking our colleague Sarah Murphy for bringing forward this motion to the Senedd today, but also by paying tribute to the tireless campaigning that she has undertaken in this area? I think that without Sarah becoming a Member of this Senedd and taking this work forward, this issue could very easily have gone unnoticed by this Parliament.

As the use of technology is spread through every single part of our lives, we've rightly become aware of the need to protect our own personal data. And for obvious reasons, regulation has not always kept up with the advancement of technology in this area, and we have numerous examples of how this has left people exposed. This is particularly dangerous in the case of biometric data—the issue we're debating this afternoon. As a guiding principle, I think caution should be at the heart of how we allow the use of biometric data in Wales, particularly within our schools. Because, after all, the important principle when gathering data is consent: consent to use the data from someone who is fully informed, but also informed of those potential pitfalls.

How can our young people give consent to this when the risk is simply not understood? And if you couple that with the fact that it takes a huge leap of faith—a huge leap of faith—to simply trust technology companies to do the right thing with our data, then you understand why so many of us are advising caution and why Sarah Murphy is leading on this issue. And, Deputy Presiding Officer, I say that as someone who's a big believer and uses technology every single day. But the reality is that data is money, and when money is the motivator, trust alone simply does not cut it.

In Wales, we are rightly proud of our record in promoting the rights of the child, and it's right that we are proud of that. But respecting those rights requires vigilance—the type of vigilance that Jane Dodds, our colleague from the Liberal Democrats, discussed earlier.

So, Deputy Presiding Officer, in closing, those are the reasons I was so keen to support Sarah's motion. I'm pleased that it's at the heart of Welsh democracy this afternoon. I'm pleased at the work the Minister has undertaken with Sarah on this. We are lucky to have Sarah, because this would have gone unnoticed without her, and we should recognise that, and we should use the knowledge and wealth of experience that she brings. And, finally, in closing, I do urge and look to backbench Members of all political parties in this Chamber today to vote in favour of this motion in front of us. Diolch.

Thank you very much, Sarah, for tabling this debate, which is indeed, as others have said, a very important thing that we need to consider, because, otherwise—. Technology is a wonderful thing in many respects; it can save lives. If somebody's gone into a coma with type 1 diabetes, they're not in a position to tell you what treatment they're going to need, but we absolutely have to apply the precautionary approach. But I think, at the same time, we shouldn't be throwing the baby out with the bath water.

In advance of this debate, I did consult one of the secondary schools in my constituency and asked about this, because I simply didn't know how much this was being used or what attitude I should be taking. So, it was very useful to hear that they indeed use biometric thumbprints in the canteen, because you won't be surprised to know that young people lose the cards on which they have the amount of credit they've got, and, therefore, they're not going to be losing their thumb. If you can imagine the speed at which young people have to be served during the lunch break, as well as the really important confidentiality that needs to be adhered to around who is in receipt of free school meals and who is not, a thumbprint doesn't tell you anything more, other than that this individual is wanting to apply to have whatever credit they've got on their account discounted by the amount of food that they are consuming. 

So, just to be a little bit more technical, this biometric thumbprint translates into a code—not a photograph, not a name. It's a series of numbers, which, to the rest of us, is a meaningless piece of information. But it tells the till operator, managing the money, what items need to be deducted that have been purchased by the individual. So, even if the school's account was hacked, the information that was held via the thumbprint wouldn't tell you about which individuals had had dinner that day and who hadn't. It is a stretch to think that a hacker would be hacking the school's account and the till manager's account at the same time. 

There are lots of benefits, therefore. There's confidentiality about who is in receipt of free school meals, which often doesn't get adhered to in other secondary schools where they are using cards, and where there's an exchange of information with the person managing the till, which is, sometimes, entirely inappropriate. And it's also about speed of throughput, because you're not having all the administration involved and the hassle of saying, 'I've lost my card', 'I've left it at home', and all the other issues that go wrong.

So, I think that this is really important, but I do sort of challenge that the motion is asking us to ensure that all schools and childcare settings are using non-biometric technologies for this sort of service, because what is the non-biometric service that's going to give us something as accurate and speedy as using a thumbprint? We all use a thumbprint, or in theory we do, to access our iPads, but I just need to understand what the worries are there. I absolutely agree with Jack and with Jane Dodds that we do need to proceed with caution on this, and we need to have all the data, but I do have some concerns about rushing into this and then throwing the baby out with the bathwater and not having the advantages of technology to manage important data in a confidential manner effectively. Thank you.

I call on the Minister for Education and the Welsh Language to contribute. Jeremy Miles.

Thank you, Dirprwy Lywydd, and may I start by thanking Members for their contributions to this important debate this afternoon? Particularly, may I thank the Member for Bridgend for her ongoing work in raising awareness of the issues related to the collection and use of biometric data of young people?

I hope the Member will forgive me for saying that the Senedd, I think, is at its best when Members bring to the Siambr issues that may not always have the profile they deserve and pursue those questions with an equal measure of expertise and passion, in the way that Sarah Murphy has consistently pursued the issue of biometric data and young people.

There is a differing view, Dirprwy Lywydd, on the use of biometric technologies across all aspects of society. It is a complex and sensitive issue. Technology is developing quickly in our daily lives, and in using it in the right way it can provide undoubted benefits, making aspects of our lives easier, more efficient and safer. But it's important that the use of technology is properly considered and that legal responsibilities are properly understood by everyone who gathers and uses personal data.

The Welsh Government recognises the need for checks and appropriate balances in a system where personal and sensitive information is used to enable learners, and indeed any citizen, to engage in day-to-day activities. In 2022, as Sarah Murphy mentioned, I launched revised guidance on safeguarding biometric data in schools and colleges, and I did so in Bryntirion Comprehensive School, with Sarah, in Bridgend. The guidance does provide clear information to schools and colleges on their legal duties in relation to implementing and using biometric identification systems. This includes legal duties under the Protection of Freedoms Act 2012, the Data Protection Act 2018, the UK's general data protection regulation, and the UN Convention on the Rights of the Child. In updating the guidance, we consulted with the Information Commissioner's Office, the biometrics commissioner, the Children's Commissioner for Wales, and Defend Digital Me. I am grateful to them all for their valuable input.

The guidance sets out clearly that schools and colleges, before using a biometric system, should carefully consider whether there are other less invasive options that could provide the same level of service to learners. When a school does consider a biometric system, the school must be clear on the legal requirements that would be placed upon it.

Dirprwy Lywydd, as noted in the motion, schools and colleges must consider the UN Convention on the Rights of the Child, and that's also clearly set out in our guidance. This includes the right to express their views, feelings and wishes in all matters affecting them; to have their views considered and taken seriously; and the right to privacy. It's therefore vital that learners understand that participation in a biometric system is not mandatory. Alongside the main guidance, we produced a version specifically for children, as Sarah Murphy referenced in her speech, to help young people understand their rights in relation to this area. This document was developed with the help of young learners, including the children's rights advisory group and Young Wales, and I'd like to thank them as well for their valuable contribution.

Schools and colleges are required to obtain written consent from a parent or carer before any biometric data can be collected. They, or indeed the learner, have the right to opt out at any point. Schools and colleges must be transparent here, making clear that participation is optional, providing clear information on its intended use and data protection procedures. Where either a parent, a carer or a learner chooses to opt out, schools and colleges must find a reasonable alternative means of providing the service. This is an especially important point. Learners should not be disadvantaged or receive access to fewer or indeed different services because of a school's decision to introduce biometrics.

Schools are legally responsible for any data they gather and use. They must ensure that any biometric data is stored securely, is not kept longer than needed, is used only for the purpose for which it is obtained and is not unlawfully disclosed to a third party. This should be considered as part of a data protection impact assessment, which should be undertaken at the outset. Schools and colleges must ensure that they only award contracts to biometric suppliers that provide sufficient guarantee to implement appropriate measures in line with the general data protection regulation. Article 28 specifies minimum contractual requirements, which, in essence, ensure suppliers can only act on instructions of the school or college, and may not use the data for any other purposes. If a school or college were to procure a system without a fully compliant contract, then they would be likely to bear full legal liability for the actions of the system provider.

Where biometric systems are implemented, the school or college should monitor and review their effectiveness against their original purpose. This will ensure that the technology continues to be used for the reason it was intended, and that it meets the legal duties, the requirements and responsibilities under the data protection legislation. Any failure in meeting the required data protection requirements could result in referral to the Information Commissioner's Office, as Sarah Murphy mentioned in her speech. The ICO can provide advice and instruction to help ensure schools get this right, and serious breaches, obviously, can result in enforcement action.

Schools and colleges, I am satisfied, have the support and advice available to ensure they can properly implement the required data standards when adopting the use of biometric systems. At present, there is no specific intention to introduce general legislation for use of biometric data in schools due to the existence of a broader legal framework with relevant checks and balances. The decision to introduce a biometric system is one for individual schools to make based on operational needs, impact assessments, and in consultation with staff, learners, parents and carers. This is consistent with a principle of school autonomy, but within a clear regulatory framework.

The Welsh Government will object to the motion in order to abstain on it, as is its convention, but the Member has raised important points with me here in the Chamber today. As she has previously done this, it has allowed us to look together at what more we can do. As she has recognised, and I am grateful for this, the Government has acted. I give her the assurance that I will approach the request she has made today in the same constructive way and will update her and the Senedd accordingly. In the meantime, we will continue to remind schools of their legal obligations and keep our guidance under continual review to reflect developments in this fast-moving area.

I call on Sarah Murphy to reply to the debate.

Diolch, Dirprwy Lywydd, and thank you very much, Minister, for those assurances. I really do appreciate it. I also want to say thank you very much to Jane Dodds. I totally agree, schools are not doing this on purpose—they have no guidance. Actually, if what had happened with the Department for Education happened now, they'd actually have been fined £10 million by the ICO, so we're actually leaving our schools wide open to absolutely enormous fines. They're sitting ducks for these huge foreign countries to target them and sell them this technology that they tell them is safer.

Jenny, I did address the very valid questions that you asked at the beginning, but you missed the beginning of my speech. I would ask you to go back and have a read of it, please, before you make your decision this evening. I will reinforce, though, that anyone with a toddler knows that they can remember the four-digit code to your smartphone. Children can remember a four-digit code to be able to have their school meals; that doesn't require them to compromise their personal data for the rest of their lives. And Jack, thank you so much for talking about the consent—children don't know what they're consenting to. They have no idea, as even many adults don't either. I think it's absolutely right that we have to hear their voice, which we do not have now.

I also want to say that I had a very interesting conversation with my colleague Cefin Campbell the other day about justice, and how, very often, in this Chamber we do talk about the legal, the practical, the outcomes, the results, the thresholds, the targets, but very little, sometimes, about ideology. Very often, it's dismissed as maybe being culture wars, and sometimes it is, but when it comes to this, it actually is really important that we do look at it through the lens of our values, our culture and our human rights—the children's human rights, and the power dynamics and the power exchange that is happening here on our watch, where our children, as we have heard, have no autonomy and no right to education free from surveillance. As the Manic Street Preachers sing,

'If you tolerate this, then your children will be next.'

But in this case, as we have heard, our children are actually being targeted first and we are tolerating it. The opportunity to share their very personal biometric data for whatever they wish has been taken from them because there is a lack of awareness, a lack of understanding, a lack of will, a lack of engagement with young people, a lack of basic data literacy to really grapple with the ramifications of this: how this is really changing our society, our children's perception of the world, their perception of themselves in the world and very much their futures.

Based on everything we've heard today, I do not believe that biometric data collection in schools should continue. Children have a right to education and a right to privacy under the UNCRC and, at the moment, they're not being able to do both at the same time. I also believe that this will lead to the introduction of live facial recognition technology within schools, which we have already seen in other parts of the country. I also believe that we wouldn't even be aware of its introduction. Once it is here, it will be almost impossible to roll back. So, I've brought this debate today and I thank everyone for participating in it. I hope that it's gone some way towards raising awareness. I hope now that we can put this on the agenda seriously, not just for children, for all citizens of Wales, and that we can work in conjunction with other devolved nations on this and that we can begin to take this very seriously. It is time to make up our own minds on whether or not this is something that we want to happen as a society. So, please vote for my motion today so that we can begin doing this. Diolch.

The proposal is to agree the motion. Does any Member object? [Objection.] I've heard an objection, therefore I will defer voting under this item until voting time.

Voting deferred until voting time.