In the UK Schedule 1 of the Data Protection Act 1988 (DPA) states that “Personal data shall be processed fairly and lawfully” . One aspect of lawfully processing data is the area of consent, covered in Schedule 2 of the DPA. The first point in Schedule 2 is that the Data Controller (the school) has to gain the consent of the Data Subject (the pupil) in order to process information about them. “The data subject has given his consent to the processing.”
Tracking children in education with a real time location system (RTLS) using RFID tags absolutely falls under this legislation.
An email received from the Department of Education states the following:
Thank you for your email of 1 January 2013 addressed to the Secretary of State, with enclosures, about the implications of the use of Radio Frequency Identification Technology. I have been asked to reply. [Case Ref 2013/0000789]
As you will be aware, schools and colleges are Data Controllers in their own right, and as such, must comply with the data protection principles set out in the Data Protection Act 1998. For example, the first data protection principle requires that personal data must be used fairly and lawfully and that one of the conditions in Schedule 2 to the Data Protection Act must be met. These include: obtaining the consent of the data subject; compliance with legal obligations; performance of contractual obligations; and the processing being necessary for the purposes of legitimate interests of the data controller. I understand from your email that you have also been in contact with the Information Commissioner’s Office (ICO) and I would suggest that the ICO would be the appropriate body for advising on the particular case you have pursued.
As with the introduction of parallel systems such as CCTV, this Department would look to schools and colleges to consult fully with parents and pupils before implementing this kind of technology.
UK Department of Education – tracking children in education with RFID: