Considerations for Privacy by Design
Privacy by Design stands for the principle that any product or service should be designed with privacy in mind so that the design proactively supports privacy principles. SAFR has been designed with this approach and has specific tools to safeguard privacy. These include access controls, data security, and data management. When a school implements SAFR, it should adopt an implementation that makes full use of these tools to protect the privacy of its users, such as the parents, teachers, and students who will engage with SAFR. We highly recommend engaging with your community (PTA, teachers, etc.) regarding the privacy practices you implement.
To this end, the following recommendations are provided by the SAFR team:
Notice
- Provide clear notification to users before they encounter cameras that gather biometric data. For example, send out a letter or email informing users of the new system.
- Avoid placing cameras in sensitive areas—such as classrooms, bathrooms, locker rooms, guidance counselors’ and nurses’ offices.
- Disclose any practices that link users’ biometric data to information from third parties or from publicly available sources.
- Provide clear notice if your school will use biometric data for a purpose outside the reasonably expected uses.
Consent
- Obtain affirmative and express consent before using a user’s image or any biometric data derived from that image.
- Consent should at all times be appropriate to the context. For example, in the case of students, consent should be obtained from the parents or guardians.
- If the biometric data that is gathered for one purpose is to be used for a secondary purpose, then present the user with a second opportunity to provide express consent.
- Ensure that the request for consent for biometric data collection and use is easy to find and understand.
- Ensure that the user can revoke his/her consent at any time.
- If a user deletes his/her account/profile, you should interpret this as a revocation of consent.
- Do not use facial recognition to identify images of a user to someone who is not authorized (i.e., not a parent, guardian, or school official) without obtaining the user’s affirmative express consent.
- Provide the user with an opportunity to control sharing of his/her image and/or biometric data with an unaffiliated third party that does not already have access to this information.
Data Security Protections
- Maintain appropriate administrative, technical, and physical safeguards.
- Periodically review security policies.
- Have reasonable data security protections in place for access to computers and servers on which SAFR is stored to prevent unauthorized access or unintended disclosures.
- Restrict access to a limited number of administrators. Do not write down or share logins/passwords.
- Initiate examinations and audits of security policies; these will also help discover unauthorized access and catch and address critical issues that may have been overlooked.
Data Retention Policies
- Establish and maintain appropriate retention and disposal practices for the images and biometric data collected.
- Include specific retention periods, which should be the shortest necessary to achieve the intended use. For example, consider deleting all images and associated data after each school year.
- Address the disposal of images that a user provided for a specific purpose once they are no longer needed for that purpose.
- If a user deletes his/her account/profile, or a user's image and/or biometric data are no longer necessary for the purpose of the technology, the image and/or data should be deleted, even if the retention period has not expired.
Provide Additional Information Relating to the Use
- Inform the user of the length of time you will store images and/or biometric data and who will have access to images and/or biometric data.
- Inform the user of his/her rights regarding the deletion of stored images or biometric data.
- Provide policies and disclosures to users in a reasonably accessible manner and location.
- Update policies and disclosures when technical design decisions materially change the data management practices.
- Establish policies that describe how the technology will be used and reasonably foreseeable uses of images or biometric data.
- Establish policies that describe the reasonably foreseeable functionality that permits review, correction, or deletion of images and/or biometric data.
- Provide a description of your data retention and de-identification practices.
- Provide a process for users to contact you regarding your use of images and/or biometric data.