ICO: UK Police Should Go Slow on Facial RecognitionCommissioner Elizabeth Denham Also Calls for Creating a 'Code of Practice'
The U.K.'s chief privacy watchdog is urging police to go slow when it comes to using live facial recognition for law enforcement purposes, saying she has serious concerns about the technology.
See Also: What's Your Data Really Worth
"Moving too quickly to deploy technologies that can be overly invasive in people's lawful daily lives risks damaging trust not only in the technology, but in the fundamental model of policing by consent," Information Commissioner Elizabeth Denham writes in a blog.
She also calls on the government to create a statutory code of practice for police use of the technology. "We found the current laws, codes and practices relating to LFR [live facial recognition] will not drive the ethical and legal approach that's needed to manage the risk," she writes.
And in a lengthy "opinion" published last week, she describes in great detail the existing legal requirements for law enforcement officials using the technology.
"The opinion makes clear that there are well-defined data protection rules which police forces need to follow before and during deployment of LFR," she writes in her blog.
Live facial recognition technology refers to the real-time automated processing of digital images and matching them to a biometric template to identifying individuals - such as to identify crime suspects.
The use of the technology by law enforcement agencies in the U.K. has proven to be controversial, with activists arguing it is a violation of privacy law.
In August, for example, the ICO launched an investigation into the use of live facial recognition technology in London's King's Cross area by a developer. It was later revealed that the Metropolitan Police had supplied images for the trial being conducted. Use of technology has been discontinued (see: Facial Recognition Use in UK Continues to Stir Controversy).
Denham wrote the opinion and blog following an investigation by ICO into the trials of the technology by the Metropolitan Police as well as the South Wales Police.
The commissioner notes that the recent High Court ruling that found the use of the technology by the South Wales Police lawful should not be taken as a "blanket authorization" for police to use live facial recognition in all circumstances. "When LFR is used, my opinion should be followed," she writes in her blog.
Elizabeth Denham on the importance of balance in the use of live facial recognition technology by law enforcement in public places. pic.twitter.com/zSbg1zeA5Y— ICO (@ICOnews) October 31, 2019
The opinion notes that police must follow the EU's General Data Protection Regulation when conducting trials or making a full deployment of the technology. It further says that the use of facial images qualifies as sensitive processing under the GDPR whether or not it matches an image on a watchlist.
Is It Necessary?
In the meantime, Denham advises agencies to carefully scrutinize whether use of facial recognition technology is a necessary step. For example, she says that while deploying technology for a targeted and intelligence-supported purpose may meet the requirement of necessity, deployment as part of an effort to fight lower-level crimes may not be appropriate.
Denham also says police using the technology should be trained on its technical capabilities and the core principles of data protection legislation.
Code of Practice
Denham says creation of a code of practice would enable increased oversight into the use of the technology.
"It will enable increased oversight to ensure LFR use is proportionate, necessary and targeted and ensure compliance with data protection, privacy and human rights law," she writes.
"A code of practice would offer law enforcement agencies and the public alike a highly desirable level of clarity and consistency. It would also contribute to the degree of transparency necessary as the use of live facial recognition expands."
Commenting on Denham's opinion, Joseph Carson, chief security scientist at privileged access management solution provider Thycotic, tells Information Security Media Group: "Law enforcement must always maintain the trust of citizens, and this is a step in the right direction to maintain both trust and transparency. Other governments should follow the recommendations of the Information Commission of U.K."
But Na Vijayashankar, a consultant who specializes in privacy and data protection who is chairman of the Foundation of Data Protection Professionals in India, notes: "The police can initiate suitable policy to ensure that the data is not misused and indicate to ICO that it is in pursuance of its lawful duties under the constitution that they may be using face recognition. If the police yield to the ICO, I feel that the security of UK, which is already under the influence of terrorists, would be jeopardized."