The European Data Protection Board writes here about an interesting case in which Anderstorpgymnasiet in Sweden was fined for using facial recognition to register student attendance. In general I find it interesting because facial recognition seems to be spreading more and more widely and is therefore something to keep a watchful eye on. What is most interesting, however, is the reasoning the Swedish data protection authority (Datainspektionen) gives for imposing the fine. The full decision can be read in English here.
Among other things, the decision says this about the case: The Swedish Data Protection Authority became aware through information in the media that the Secondary Education Board in Skellefteå municipality (hereinafter ‘the Board’) had used facial recognition in a trial project at Anderstorp Secondary School in Skellefteå in order to register the attendance of students in a class over a number of weeks (p.2).
About the facial recognition trial, the decision also says that ‘the aim was to register attendance at lessons at the secondary school in an easier and more effective manner. According to the Board, registering attendance in a traditional manner takes ten minutes per lesson, and using facial recognition technology for monitoring attendance would, according to the Board, save 17.280 hours per year at the school concerned’ (p. 2-3). It further appears that the recorded data consisted of facial photos and first and last names. The data was stored on a computer without a network connection, locked in a cabinet. The school had also made sure to obtain consent, and it was possible for the students to decline to take part.
And so one might think at first that everything was in perfect order, but this is where Datainspektionen's decision becomes interesting. Datainspektionen cites recital 43 of the GDPR, which reads:
In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. (p. 4 – my emphasis)
It continues:
As regards the school sector, it is clear that the students are in a position of dependence with respect to the school both as regards grades, student grants and loans and education, and therefore also as regards the scope to obtain employment in the future or to continue further education. (p.4)
This leads Datainspektionen to the following conclusion:
The monitoring of attendance is an obligation incumbent on the school sector which is regulated in administrative law, and the reporting of attendance is of considerable importance for the students. This processing is therefore not comparable with the processing of personal data for the purpose of administering school photography. In the case of attendance monitoring, the students are in a position of dependence which results in a substantial imbalance. The Swedish Data Protection Authority therefore believes that consent cannot constitute a legal basis for the processing operations which this supervision regards. (p.4 – my emphasis)
According to the GDPR there can, however, be exceptions if the data collection is ‘necessary in order to perform a task in the public interest or as part of the controller’s exercising of public authority’ (p.4), which the school in question has indeed invoked. But here Datainspektionen finds that the degree of privacy intrusion in this case is too great:
(…) while there is a legal basis for administering student attendance at school, there is no explicit legal basis for performing the task through the processing of special categories of personal data or in any other manner which entails a greater invasion of privacy.
As I understand it – and I am not a lawyer, so I may be wrong – the decisive point here is that the school can obtain the desired data on student attendance in less invasive ways, namely in the traditional manner. Datainspektionen does not find that the use of special categories of personal data, which facial recognition data could fall under, can be justified in this case; on the contrary:
Moreover, the Swedish Data Protection Authority believes that the processing in question has resulted in undue infringement of the data subjects’ integrity, as the Board has processed special categories of personal data concerning children who are in a position of dependence in relation to the Board for the purpose of attendance monitoring through camera surveillance in the student’s everyday environment. (p.7 – my emphasis)
And Datainspektionen makes clear that this is above all a matter of proportionality:
The Board has stated that the purpose of this processing was to monitor attendance. Attendance monitoring can be carried out in other ways which involve less infringement of the students’ integrity. The Swedish Data Protection Authority therefore considers that the method of using facial recognition via a camera for attendance monitoring was disproportionate and carried out in a manner that excessively infringed on personal integrity, and was therefore disproportionate in relation to the purpose. (p. 8 – my emphasis)
The encouraging thing here is that the economic argument (cf. the expected reduction in hours spent on registration) does not trump the students' right to privacy. Reading the decision also makes it clear that these data-ethics questions and challenges in the education system (and in the public sector as a whole) are complex. There are many nuances, exceptions and additions in the legal text, and it is also clear that schools/institutions cannot simply rely on the consent forms they have collected and assume that everything is in order. The law is more nuanced than that!
The question of proportionality in particular, I think, can and should give rise to more developed ethical discussions across educational practices, which are after all based on asymmetrical relations ...
/Marianne