Biometrics in K-12: The Legal Conundrum
- By Patricia Deubel
4/10/2007—Biometrics are among the latest implementations for school security. There are many issues to consider, which have been voiced by parents, students, and civil liberties groups. It's an international issue. Just look at LeaveThemKidsAlone.com, and you will see the extent of the uproar raised in the United Kingdom regarding fingerprinting of children in schools. For the most part, questions are the same ones being posed in our own country. Blogs are in use to discuss the issue in the United States and abroad, such as Pippa King's Biometrics in Schools.
But the legal side is perhaps the area of the weakest knowledge for most parents, teachers, and even some school administrators. Although administrators study school law as part of their licensure, finding time to keep up might be difficult once on the job. In this newsletter I'll take a look at some legalities that I've discovered. I'm not a lawyer; I'm a concerned educator, so don't construe what follows as legal advice. Basically, know the risks versus benefits in any implementation. Informed consent from a parent or legal guardian is key for collecting and using any biometric data from children under 18. If you adopt biometric technology, you will still need to provide alternative security measures for those who object to their use.
In a cautionary statement following its decision in the 1977 case, Whalen v. Roe (429 U.S. 589), the Supreme Court indicated its awareness of the implied threat of accumulating extensive personal data in computerized data banks (Freeman, 2003). Biometrics, such as the fingerprints and handprints commonly used in schools, are used to verify a claimed identity or to identify an unknown individual from numeric templates created when individuals are enrolled in a database.
There is fear that those databases might be shared and, in the wrong hands, cause irreparable harm. Woodward (1998) indicates that individuals fear losing control over their biometric identifiers, as they might become part of a public domain, as names and addresses used in mailing lists have (p. 8). The biometric template has been associated with the Social Security number, and we all know the problem created as a result of that number being used as a universal identifier. A principal concern surrounding biometric use is essentially one of surveillance, which lends itself well to tracking. "This concern underlies constitutional protection for anonymity, both as an aspect of First Amendment freedoms of speech and association, and as an aspect of Fourth Amendment privacy" (Abernathy & Tien, n.d., sec: Tracking).
The Family Educational Rights and Privacy Act protects student records and might provide some protection against public disclosure of records stored in databases containing a student's biometric measurements, and where and when the student used a biometric device, according to Steven McDonald, general counsel at the Rhode Island School of Design. However, those records still might be subpoenaed by law enforcement officials (Kiernan, 2005, sec: Privacy). It seems reasonable to make that statement in light of how states define personal information. For example, South Carolina's Family Personal Privacy Act includes in its definition of personal information such identifiers as "an individual's photograph or digitized image, social security number" and "biometric identifiers" (South Carolina Code of Laws, 2006, sec: 30-2-30).
Freeman (2003) indicated courts have not devised a strict test about when and if biometric evidence would be admissible in trials, but guidelines might be drawn from the 1993 conclusion in Merrill v. Dow Pharmaceuticals (509 U.S. 579). The case produced five conditions that should be met before evidence would be admissible as scientific. These include "Whether the theory or technique has been or can be tested; the theory or technique has been subjected to peer review or publication; the existence and maintenance of standards controlling use of the technique; general acceptance of the technique in the scientific community; A known potential rate of error" (p. 7).
States, such as Illinois and Iowa, have enacted legislation to control the use of biometrics in schools. Such legislation is important, needed, and I suspect has set the precedent for other states to follow. Recent proposed amendments in Illinois' SB1702 (2007) call for public schools or school districts that collect biometric information from students to "adopt policies that, at a minimum require written permission from (i) the individual who legally enrolled the student or (ii) the student, if he or she has reached the age of 18" and that such schools or districts "adopt a policy consistent with certain conditions" and "must forward the policy to the State Board of Education upon adoption and subsequent amendment" (Amendment 1). Another specifies those policy requirements, "including providing for written permission; the discontinuation of use of the information; the destruction of the information following the discontinuation of use; allowed use of the information; a prohibition on the sale, lease, or other disclosure of the information; and the storage, transmittal, and protection of the information." It provides "that the failure to provide written consent for the collection of biometric information shall not be the basis for refusal of any services otherwise available to the student" (Amendment 2). Keeping databases up to date, according to these provisions, might be challenging for districts faced with reductions in staff.
Iowa's Senate File 2086 (2006) has similar provisions. It "provides an exemption to the child identification and protection Act to allow a school district or its authorized representative to use biometric technology to scan a child's fingerprint for purposes of implementing financial recordkeeping for a school lunch program if the technology used does not store the data extracted from the child's fingerprint, the technology cannot reconstruct the child's fingerprint, and if the parent or guardian submits authorization to the school district to the use of the scan. The parent or guardian may withdraw the authorization. The school district must destroy the data when the child graduates, or leaves the school, or the parent or guardian withdraws authorization. The data is a confidential record under the public records law" (Senate File 2086-Introduced, sec: Explanation).
Indeed, the coding process, which involves capturing the original fingerprint, extracting sufficient points of identification, and translating them to a numeric template, does not allow for the process to be reversed. For example, see the brief description of the biometric scanning process used in the Sagem MorphoTouch product.
The Health Insurance Portability and Accountability Act (HIPAA) requires agencies that keep health records, including schools, to maintain their privacy. HIPAA sets conditions for access, use, and disclosure of individually identifiable health information collected and identifies when written consent is needed for disclosure. That information might be on paper, spoken, or stored on a computer. Thus, district employees should be aware that if biometric identifiers are in health records, they should be protected from disclosure by that act. HIPAA training should now include that mention (Wright State University, 2006). Woodward (1998) notes there is research suggesting that fingerprints and fingerprint images might disclose information about the health of an individual (p. 9).
The Americans with Disabilities Act has implications for use of biometric devices, as the act calls for reasonable accommodations for accessibility to be made for individuals with disabilities. Thus, the placement of biometric devices, the choice of biometric (e.g., fingerprint, handprint, voice recognition, iris recognition), and the ability of the individual to actually use a biometric all affect a district's implementation plan. Provisions for exceptions must also be made, which would then extend to other groups, such as those with religious and cultural concerns about using biometrics.
In the event that your school or district opts out of collecting biometrics for its own databases and you have parents concerned about finding a missing child, you can contact Child Protection Education of America (n.d.). CPEA has an ID ME NOW fingerprinting program and will arrange to fingerprint children for free at events for large groups of people. Parents receive a fingerprint card with the scanned prints of 10 fingers in forensic quality and a digital photo. The card contains space for parents to add other vital information. CPEA does not retain the information.
So much can be said about biometrics in K-12. The legal side is just the tip of the iceberg, and, at best, I've just piqued your interest. You might look for my upcoming three-part investigation of this topic in T.H.E. Journal K-12 Tech Trends, "Biometrics in K-12: Buy or Ban?"
Abernathy, W., & Tien, L. (n.d.). Biometrics: Who's watching you? Retrieved April 3, 2007 from Electronic Frontier Foundation web site, http://www.eff.org/Privacy/Surveillance/biometrics/
Child Protection Education of America (n.d.). ID ME NOW Fingerprinting program: An introduction to the program. Retrieved April 9, 2007, from http://www.find-missing-children.org/
Freeman, E. (2003). Biometrics, evidence, and personal privacy. Information Systems Security, 12(3), 4-8.
Illinois SB1702 (2007). Retrieved April 9, 2007, from Illinois General Assembly web site, http://www.ilga.gov/
Iowa Senate File 2086 (2006). Retrieved April 9, 2007, from Iowa General Assembly Bill Book, http://coolice.legis.state.ia.us/
Kiernan, V. (2005, December 2). Show your hand, not your ID. The Chronicle of Higher Education, 52(15), A28-A30. Retrieved April 4, 2007, from http://chronicle.com/free/v52/i15/15a02801.htm
South Carolina Code of Laws (2006). Family privacy protection act. Retrieved April 9, 2007, from South Carolina Legislature web site, http://www.scstatehouse.net/code/t30c002.htm
Woodward, J. D. (1998). Biometrics: Identifying law and policy concerns. Chapter 19 in R. Bolle & S. Pankanti, Biometrics, Personal Identification in Networked Society, A. K. Jain (Ed.). Kluwer Academic Publishers. Retrieved April 9, 2007, from http://www.cse.msu.edu/~cse891/Sect601/textbook/19.pdf
Wright State University, Computing and Telecomm Services (2006). Data security compliance. Retrieved April 9, 2007, from http://www.wright.edu/security/datacomp/
About the author: Patricia Deubel has a Ph.D. in computing technology in education, and is currently an adjunct faculty member in the graduate School of Education at Capella University and an education consultant. She is also the developer of Computing Technology for Math Excellence at http://www.ct4me.net.