I work in IT in a UK school too.
We don't do BYOD here. All student devices are school-owned and monitored. We use a (fairly popular) combined firewall/email/web filter appliance that filters the web pretty aggressively, because we have to comply with both UK and Scottish legislation on child protection.
Under the new "Prevent" legislation, we even have a duty to monitor students use of web and email for signs of extremism! We're still waiting for the appliance vendor to roll out an update that will allow us to do this. If they don't, there's a good chance we'll have to switch to another provider.
We don't use any form of classroom management software. Teachers cannot see what the kids are doing on the computers. This is mostly because teachers are treated like royalty here, and we are not allowed to implement anything that might "increase their workload", even when classroom management is obviously central to their jobs!
We (the IT department) can connect to students and teachers' devices at any time and view and interact with their sessions, though they are notified when we connect. This is rarely used for policy enforcement, it just saves us having to hike between buildings when Prof. Forgetful has, for example, accidentally hidden his unread messages.
We have biometrics for the cashless canteen too. Same as yours, the fingerprint is stored as a hash, not an image, so the fingerprint records are only useful for this specific system. We previously allowed parents to opt out of this system, but recently it became part of the admissions process (we're an independent school). Now, if you want your kid in this school, you must consent to biometric registration. We only had a couple of parents ever opt out anyway.
All of these measures are enforced by our management teams and almost universally welcomed by parents. Obviously, all of this creates more work for our under-resourced IT department, but as GP points out we have absolutely no choice in the matter. None.