ICO issues fresh warnings over police use of live facial recognition
The Information Commissioner Elizabeth Denham has warned police forces testing live facial recognition (LFR) technology that significant privacy and data protection issues need to be addressed before the systems can be fully implemented.
Both South Wales Police and the Metropolitan Police Service have been trialling LFR, but the tests have proved divisive with the public and civil rights groups.
In a blog post published today (July 9) on the Information Commissioner’s Office (ICO) website, Ms Denham said she understood the legitimate aims of the controversial system but police forces needed to do more to demonstrate their compliance with data protection law, including how ‘watch lists’ are compiled and what images are used.
“We understand the purpose is to catch criminals,” wrote Ms Denham. “But these trials also represent the widespread processing of biometric data of thousands of people as they go about their daily lives. And that is a potential threat to privacy that should concern us all.”
She also raised concerns about technological bias, which can see more false positive matches from certain ethnic groups. Ms Denham is calling for “demonstrable evidence” that the technology is fit for purpose, proportional and necessary given the potential for mass breaches of privacy.
She says police forces must:
- Carry out a data protection impact assessment and update this for each deployment and consider submitting these to the ICO for consideration, with a view to early discussions about mitigating risk;
- Produce a bespoke ‘appropriate policy document’ to cover the deployments, which should set out why, where, when and how the technology is being used; and
- Ensure the algorithms within the software do not treat the race or sex of individuals unfairly.
In May, a Cardiff court heard from member of the public, supported by civil rights group Liberty, who claimed that the use of facial recognition technology by the police was a breach of human rights law. South Wales Police argue that use of facial recognition technology does not infringe privacy or data protection rights as it is used in the same way as photographing a person’s activities in public, and it does not retain the data of those not on its watch list, although the force admitted it does keep CCTV images from the scanning process for up to 31 days.
Commenting on the case, Ms Denham said: “It was crucial for me, as the regulator, to intervene to advise the court about the data protection issues in play.”
The ICO said the resulting judgment will form an important part of its investigation, which it will need to consider before publishing its findings.
“In recent months we have widened our focus to consider the use of LFR in public spaces by private sector organisations, including where they are partnering with police forces,” said Ms Denham. “We’ll consider taking regulatory action where we find non-compliance with the law.”
It is not the first time she has made public her discomfort with the roll-out of LFR. In a post in May 2018, Ms Denham said: “Should my concerns not be addressed I will consider what legal action is needed to ensure the right protections are in place.”