sb-as logo
Story image

UK privacy watchdog 'deeply concerned' about live facial recognition

17 Jul 2019

The UK’s Information Commissioner Elizabeth Denham has cast a harsh light on how every organisation that uses facial recognition to identify certain people are a threat to all citizens’ privacy, so those organisations must comply with data protection laws.

The privacy watchdog says that any police force or organisation that uses live facial recognition  (LFR) technology - in which crowds can be scanned and compared against databases for matches in mere seconds - is processing personal data.

The South Wales Police and Met Police are two organisations that have been trialling LFR technology. While police are generally trying to identify those who are linked to criminal activity, they are also processing biometric data belonging to thousands of innocent people.

“That is a potential threat to privacy that should concern us all,” says Denham.

The Information Commissioner’s Office (ICO) has been monitoring how police use LFR trials. Police have been fully cooperative and the ICO understands the practical benefits of the technology, but there are still ‘significant’ privacy and data protection issues that are not being addressed. 

Denham says she remains deeply concerned about LFR technology’s rollout. She wants to see demonstratable evidence that the technology is necessary, effective and proportionate to the amount of privacy invasion the technology imposes.

“There is also public concern about LFR; it represents a step change from the CCTV of old. There is also more for police forces to do to demonstrate their compliance with data protection law, including in how watch lists are compiled and what images are used. And facial recognition systems are yet to fully resolve their potential for inherent technological bias; a bias which can see more false positive matches from certain ethnic groups.”

Osborne Clarke is an international law firm. Partner Tamara Quinn offers comment:

“There's a lot of excitement around the use of face recognition systems. While the benefits are endless, businesses must also consider the risks that arise from deploying face recognition systems as they need to take appropriate steps to comply with the law.  Facial recognition and video surveillance are covered by a complex web of regulations which isn't easy to navigate, plus there is reputational risk if companies aren't seen to be taking privacy seriously."

“With the ICO promising to pay closer attention to private organisations that use facial recognition systems that cover public areas, businesses should act now to ensure that their software doesn’t break the law. And this can include reassessing the use of external cameras overlooking the street, public parking or other communal spaces. As well as making sure that their systems comply with strict legal requirements, companies should be looking at their contracts with external suppliers of these systems, to make sure that they have strong legal protections in place.”

While the courts examine how to construct a framework that safeguards privacy, in particular the case of R v Chief Constable of South Wales Police, any force that aims to deploy LFR must consider a range of concerns. These include:

•    Carrying out a data protection impact assessment and updating it for each deployment - because of the sensitive nature of the processing involved in LFR, the volume of people affected, and the intrusion that can arise. 
•    Producing a bespoke ‘appropriate policy document’ to cover the deployments - it should set out why, where, when and how the technology is being used.
•    Ensuring the algorithms within the software do not treat the race or sex of individuals unfairly.”
•    In the UK, law enforcement organisations are advised to submit data protection impact assessments to the ICO for consideration, with a view to early discussions about mitigating risk.

Story image
Creating private data regulations for employees
Whether employees are hired on a part-time or full-time basis, everyone must know about data privacy regulations. Everyone needs to be responsible for keeping the organisation’s data secure. More
Story image
IBM Security completes industry first with updates to Cloud Pak for Security solution
"With these updates, we will be the first in the industry to bring together external threat intelligence and threat management alongside data security and identity."More
Story image
Video: 10 Minute IT Jams - protecting data with user behaviour analytics
In this video, Forcepoint senior sales engineer and solutions architect Matthew Bant discusses the company's DLP solution, the importance of integrating compliance into security solutions, and why cybersecurity strategies should take a more people-based approach.More
Story image
Financial institutions in APAC region to invest millions in fraud prevention
"The pandemic is creating a lot of uncertainty, but the majority of FIs in APAC recognise that an end to end fraud management platform is strategic to differentiating themselves from the highly disruptive landscape they are playing in."More
Story image
Why zero trust could fail due to lack of understanding​, not technology
Security architects are being forced to re-examine the concept of identity, with many turning to a zero trust security model to provide a better architecture for protecting their sensitive resources.More
Story image
UiPath and eSentire bring hyperautomation to Microsoft Security
UiPath and eSentire have announced a strategic partnership to deliver end-to-end security policy automation across multiple Microsoft Security services.More