Data watchdog says all investigations conducted by her office of live systems have found illegality 

Credit: Teguhjati Pras from Pixabay

The information commissioner has spoken out against current uses of live facial recognition, claiming that all investigations of deployment of the technology conducted by her office to date have found illegality.

Elizabeth Denham has today published a blog, alongside a 67-page commissioner’s opinion, assessing the current landscape of the use of LFR. Although she stressed that it is “not my role to endorse or ban a technology”, she outlined that she is “deeply concerned about the potential for [the] technology to be used inappropriately, excessively or even recklessly”.

“When sensitive personal data is collected on a mass scale without people’s knowledge, choice or control, the impacts could be significant,” she added. “We should be able to take our children to a leisure complex, visit a shopping centre or tour a city to see the sights without having our biometric data collected and analysed with every step we take. Unlike CCTV, LFR and its algorithms can automatically identify who you are and infer sensitive details about you. It can be used to instantly profile you to serve up personalised adverts or match your image against known shoplifters as you do your weekly grocery shop. In future, there’s the potential to overlay CCTV cameras with LFR, and even to combine it with social media data or other ‘big data’ systems – LFR is supercharged CCTV.”

Related content

• Users will have more control over personal data under new regulatory regime, minister pledges
• Privacy Shield: government working with ICO to ‘update guidance as soon as possible’
• Whitehall departments reported 500 personal data breaches to ICO in FY20

The ICO has, to date, completed six investigations into the use, or planned use, of facial recognition. This has included deployments related to “public safety” as well as those focused on “creating biometric profiles to target people with personalised advertising”.

Denham said that “none of the organisations involved in our completed investigations were able to fully justify the processing and, of those systems that went live, none were fully compliant with the requirements of data protection law”.

All of the organisations that have been subject to an ICO investigation have either ceased using LFR or ditched their plans to do so, she added.

The commissioner’s opinion outlined that any entities wishing to use facial recognition “must identify a specified, explicit and legitimate purpose”, and demonstrate that this purpose is lawful and proportionate. They must also be able to show that other, “less intrusive” means of achieving that purpose were first considered and proven to be unsuitable.

A data protection impact assessment must also first be undertaken before the use of LFR is commenced and all data gathered by the technology – which, as biometric data, is considered to form part of the ‘special category’ of particularly sensitive information – must be stored and processed in a manner that complies with data-protection laws.

Organisations that are using facial recognition in conjunction with a watchlist of people of interest must also ensure that this data is held and processed legally.

Public trust
Despite her concerns – and the evidence of the ICO’s investigations to date – Denham said that she recognises that the technology could still be valuable.

“If used properly, there may be benefits,” she said. “LFR has the potential to do significant good – helping in an emergency search for a missing child, for example.”

This is why, according to Denham, it is important that issues with privacy and data protection are addressed now.

“With any new technology, building public trust and confidence in the way people’s information is used is crucial so the benefits derived from the technology can be fully realised,” she said. “In the US, people did not trust the technology. Some cities banned its use in certain contexts and some major companies have paused facial recognition services until there are clearer rules. Without trust, the benefits the technology may offer are lost.”

Denham’s public pronouncement on LFR comes as she prepares to leave office, after half a decade as the head of the data watchdog. Her five-year term was due to conclude in July but has been extended until 31 October – at the behest of digital secretary Oliver Dowden – to allow sufficient time to recruit and appoint her successor.