The UK’s Information Commissioner’s Office has issued an opinion on the use of Live Facial Recognition technology by law enforcement.

Key takeaways:

  • The use of Live Facial Recognition (LFR) involves processing of personal data and therefore data protection law applies.
  • The use of LFR for law enforcement purposes constitutes “sensitive processing.” As such, a Data Protection Impact Assessment (DPIA) and an “appropriate policy document” must be in place.
  • Sensitive processing occurs irrespective of whether an image yields a match to a person on a watch list, or whether the biometric data of unmatched persons is subsequently deleted within a short space of time.
  • Controllers must identify a lawful basis for the use of LFR.
  • The most likely applicable lawful basis may be “processing being ‘strictly necessary’ for the law enforcement purpose.”
  • Controllers must adopt Privacy by Design and by Default when designing and implementing LFR strategy.
  • A statutory binding Code of Practice should be introduced to address LFR.
  • LFR may be likelier to meet the requirements of strict necessity and proportionality where it is deployed on a targeted or smaller-scale basis and for a narrowly defined purpose.
  • The inclusion of an image on a watch list should meet the same high threshold for processing, i.e., strict necessity.

Read the full text of the guidance.