The UK’s Information Commissioner’s Office has issued an opinion on the use of Live Facial Recognition technology by law enforcement.
- The use of Live Facial Recognition (LFR) involves processing of personal data and therefore data protection law applies.
- The use of LFR for law enforcement purposes constitutes “sensitive processing.” As such, a Data Protection Impact Assessment (DPIA) and an “appropriate policy document” must be in place.
- Sensitive processing occurs irrespective of whether an image yields a match to a person on a watch list, or whether the biometric data of unmatched persons is subsequently deleted within a short space of time.
- Controllers must identify a lawful basis for the use of LFR.
- The most likely applicable lawful basis may be “processing being ‘strictly necessary’ for the law enforcement purpose.”
- Controllers must adopt Privacy by Design and by Default when designing and implementing an LFR strategy.
- A statutory binding Code of Practice should be introduced to address LFR.
- LFR may be likelier to meet the requirements of strict necessity and proportionality where it is deployed on a targeted or smaller-scale basis and for a narrowly defined purpose.
- The inclusion of an image on a watch list should meet the same high threshold for processing, i.e., strict necessity.