The Information Commissioner Elizabeth Denham has warned that the use of live facial recognition (LFR) technology must comply with privacy laws.
“Any organisation using software that can recognise a face amongst a crowd then scan large databases of people to check for a match in a matter of seconds, is processing personal data,” she wrote this month on the Information Commissioner Office’s blog.
The warning comes after two extensive trials of the technology by the South Wales Police and the Met Police in London. Both trials have shown that the technology can be used to make arrests. It works by capturing facial features on a camera – a facial fingerprint. An algorithm compares that image to those held in suspect databases. Police officers then compare the match against the real person that has been selected and decide whether it is accurate.
Denham said her office had done a “deep dive” into the trials with police co-operation.
Issues to address
“Legitimate aims have been identified for the use of LFR,” she said. “But there remain significant privacy and data protection issues that must be addressed, and I remain deeply concerned about the rollout of this technology. I believe that there needs to be demonstrable evidence that the technology is necessary, proportionate and effective considering the invasiveness of LFR.”
Denham gave professional evidence in a recent court case involving a member of the public, supported by civil rights group Liberty. He challenged the lawfulness of South Wales Police’s use of LFR via the courts in May.
The man involved – Ed Bridges – was out shopping in Cardiff city centre when the police captured his image. The courts have heard the case to decide whether the use of facial recognition in this way by SWP is lawful.
“The resulting judgment will form an important part of our investigation and we will need to consider it before we publish our findings,” she said. “Whilst the judgment will be important, any force deploying LFR needs to consider a wide range of issues.”
For other forces considering the use of such technology, ICO has the following advice:
Although data protection law differs for commercial companies using LFR, the technology is the same and the intrusion that can arise could still have a detrimental effect, the ICO said.