Use of live facial recognition - Information Commissioner's Opinion

31 October 2019 is a date that will live long in the memory for a number of reasons. Of course, it was Halloween. It was also the day that Brexit didn't happen (again), ultimately leading to a December general election in the UK for the first time in nearly 100 years.

But perhaps the most memorable reason – in data protection circles at least – is that this was the day that the Information Commissioner issued her first formal Opinion under the Data Protection Act 2018.

The topic for the Opinion is a very hot one: the use of live facial recognition (LFR) technology by law enforcement in public places.  It comes in response to a number of high profile cases in which police forces have used LFR in public, most notably following judgment being handed down in the case of Bridges v South Wales Police[1].

The Information Commissioner's Opinion is certainly impactful.  It is clear, reasonably concise and leaves the reader in no doubt as to the Commissioner's views on the use of LFR in policing.  It would be a mistake, however, for those outside law enforcement to think that the Opinion is of little or no relevance to them.  There are without doubt lessons to be learned and messages to be disseminated within organisations in policing, the wider public sector and the private sector.

What are the key points?

• It is clear that the Information Commissioner remains unconvinced and uncomfortable with the use of LFR in all but the most serious of cases. In the opening paragraph of the Opinion, the Commissioner talks of "the disproportionate use of LFR, unnecessary intrusion into individuals' daily lives and…unwarranted police intervention". This Opinion is very good news for individual data subjects and privacy campaign groups everywhere.
• The importance of implementing (and keeping under review) a considered and well-informed Data Protection Impact Assessment (DPIA) cannot be over-stated. The Opinion includes some very helpful guidance on elements which the Commissioner expects to see addressed in any DPIA relating to the use of LFR.  
• For Data Protection Officers working with organisations considering the commencement of a LFR project, engagement with the project team is crucial. If DPO resources are limited, this is one area that should not be compromised or de-prioritised.
• Organisations in the law enforcement sector are encouraged to pool their knowledge and learning. They should also ensure that all those involved in LFR projects have sufficient data protection training to appreciate the effects of the technology on those subject to its use.
• The Opinion is the start of the Commissioner's work in this area, not the end.  She has called on government "to introduce at the earliest opportunity a statutory binding code of practice to provide further safeguards that address the specific issues arising from the use of biometric technology such as LFR".

What lessons should policing learn from this Opinion?

The Opinion is packed full of important points to note. A full read of its 24 pages is highly recommended for those involved with LFR projects.

Fans of DPA bingo will not be disappointed. The Opinion touches upon so many key themes arising from the GDPR and DPA that every reader is sure to score a full house: privacy by design; sensitive processing; automated processing; appropriate technical and organisational measures; appropriate policy documents; DPIA; lawful and fair processing. The list of important topics addressed in the note is extensive.

As well as being generally informative, there are a number of specific points for police forces to bear in mind when considering using LFR in the future. The most critical points which we would flag are:

1. The Information Commissioner's discomfort with the use of LFR is made abundantly clear.  She uses the word "concern" 11 times in the 24 page Opinion. Whilst the Commissioner acknowledges that "an appropriately governed, targeted and intelligence led deployment of LFR may meet the threshold of strict necessity for law enforcement purposes", this feels like faint encouragement, with no guarantee that such deployments will meet the relevant threshold. More instructive is the Commissioner's view that "the blanket, opportunistic and indiscriminate processing, even for short periods, of biometric data belonging to thousands of individuals in order to identify a few minor suspects or persons of interest is much less likely to meet the high bar contemplated by the DPA".
   
   
2. The Commissioner addresses in her Opinion the case of Bridges v South Wales Police.  Whilst she expressly respects and acknowledges the decision of the High Court, it is apparent that her views do not align entirely with those of the Court. She confirms that she will closely scrutinise the progress of any appeal. Perhaps of most significance in the Commissioner's reflections on this case is her view that "there are areas of processing personal data where the police should seek to raise the standards beyond those set out in the judgment…in order to ensure public confidence". If this sounds like a gold standard, and that the Commissioner will expect police forces to go above and beyond what is strictly required of them by law (and by the High Court judgment), then this certainly appears to have been the intention.
   
   
3. Forces which intend to use LFR should ensure that:

• The decision to use it is intelligence led, with limited target individuals in mind.
• The force determines that the use of LFR is strictly necessary, proportionate and for a narrowly defined purpose. In the Commissioner's words, "there is a considerable difference between using LFR to mitigate specific serious or violent crimes and widespread deployments of LFR to identify known shoplifters".
• The force can clearly articulate how the technology will be effective in meeting specified law enforcement purposes, by reference to demonstrable benefit to the public.
• Where LFR is used, it needs to be clearly signposted both in the area and through the force's social media platforms and website.
• There needs to be an "acceptably low tolerance for, and incidence of, false matches".  
• Watchlists (that is, the biometric images of individuals whom the police are seeking to identify through the use of LFR) are limited in size and only include images that are accurate, verifiable and lawfully held by the police at the time of use. The Commissioner has a significant concern about the use of Custody images to compile a watchlist, given that (a) many of the individuals whose images are held in Custody files were arrested but may not have been charged or convicted and (b) in many cases Custody records are not being retained, reviewed and disposed of in accordance with MoPI [2] and the College of Policing guidance [3].
• The potential for bias in the use of LFR is fully addressed.  It has been widely reported that some LFR technology solutions currently include a level of inherent technical bias, both in terms of gender and ethnicity – in short, some systems are more likely to misidentify women and darker-skinned people. The Information Commissioner expects forces to complete an Equality Impact Assessment before deploying LFR and regularly review this against legal developments.     
• All of the above points need to be considered before the use of LFR, even if the use is just for a trial scenario. These points should also be fully documented in a comprehensive DPIA.

What about the wider public sector and private sector?

So many of the points highlighted above and in the Opinion are of general application not just to policing bodies but also to other organisations considering the use of LFR. The Information Commissioner's serious concerns about the use of LFR relate not just to its use by police forces but organisations everywhere. Whilst accepting that the use of LFR may be justified in certain circumstances, those cases will be extremely limited in scope, nature and number.

The Commissioner confirms in the Opinion that she intends to issue a further Opinion, specifically addressing the use of LFR by private sector organisations. Companies in all sectors would be well advised, whilst awaiting that further Opinion, to ensure that they reflect on the first Opinion before deploying LFR.

What happens next?

All organisations, both in policing and elsewhere, should reflect on the Information Commissioner's Opinion in the context of their own data protection operations and specifically where they are considering the use of LFR in public. Whilst any statutory code of practice is likely to take months if not years to be implemented, organisations will have the opportunity to engage in consultation around its development, and should review any such code which is published in due course.

Organisations in the private sector should also review the separate Opinion on LFR in the private sector, when published (there is currently no anticipated date, but the Commissioner reiterates that LFR remains a priority for her office).

The use of LFR is a key priority area of focus for TLT, and we are currently advising numerous clients in policing and elsewhere on its use.  We will be holding a training seminar on LFR early in the New Year.  If you would like to be receive further details about this event, please contact Supriya Kaur. If you have any more immediate queries regarding the use of LFR, please contact Gareth.Oldale@tlt.com.