14 May 2018
Technological advances in the last 20 years have rapidly increased the ability of online systems to identify individuals. These advances can make many transactions straight forward, such as passing through passport control or unlocking a mobile phone but they can also increase the risk of intruding into our privacy.
Technology represents both a risk and an opportunity and this is why I have recently published our first Technology Strategy which addresses these new technological developments and ensures the ICO can deliver the outcomes which the public expect of us.
One particular development is the use of biometric data, including databases of facial images, in conjunction with Automatic Facial Recognition Technology (FRT). The technology has been available for some time but the ability of the technology to be linked to different online databases, with mobile and fixed camera systems, in real time, greatly increases its reach and impact.
In this blog, I want to focus particularly about how FRT is used in law enforcement. FRT is increasingly deployed by police forces at public events like the Notting Hill Carnival or big football matches, for example the last year’s Champions League final in Cardiff.
There may be significant public safety benefits from using FRT — to enable the Police to apprehend offenders and prevent crimes from occurring.
But how facial recognition technology is used in public spaces can be particularly intrusive. It’s a real step change in the way law-abiding people are monitored as they go about their daily lives. There is a lack of transparency about its use and is a real risk that the public safety benefits derived from the use of FRT will not be gained if public trust is not addressed.
A robust response to the many unanswered questions around FRT is vital to gain this trust. How does the use of FRT in this way comply with the law? How effective and accurate is the technology? How do forces guard against bias? What protections are there for people that are of no interest to the police? How do the systems guard against false positives and the negative impact of them?
At another level, I have been deeply concerned about the absence of national level co-ordination in assessing the privacy risks and a comprehensive governance framework to oversee FRT deployment. I therefore welcome Baroness Williams’ recent confirmation of the establishment of an oversight panel which I, alongside the Biometrics Commissioner and the Surveillance Camera Commissioner (SCC), will be a member of.
I also welcome the recent appointment of a National Police Chiefs Council (NPCC) lead for the governance of the use of FRT technology in public spaces.
A key component of any FRT system is the underlying database of images the system matches to. The use of images collected when individuals are taken into custody is of concern; there are over 19 million images in the Police National Database (PND) database. I am also considering the transparency and proportionality of retaining these photographs as a separate issue, particularly for those arrested but not charged for certain offences. The Biometrics Commissioner has also raised these concerns.
For the use of FRT to be legal, the police forces must have clear evidence to demonstrate that the use of FRT in public spaces is effective in resolving the problem that it aims to address, and that no less intrusive technology or methods are available to address that problem. Strengthened data protection rules coming into law next week require organisations to assess the risks of using new and intrusive technologies, particularly involving biometric data, in a data protection impact - and provide it to my office when the risks are difficult to address.
I will also carefully consider the reports recently issued by Civil Society, Big Brother Watch in the UK and the Electronic Frontier Foundation in the US.
I have identified FRT by law enforcement as a priority area for my office and I recently wrote to the Home Office and the NPCC setting out my concerns. Should my concerns not be addressed I will consider what legal action is needed to ensure the right protections are in place for the public.
Elizabeth Denham was appointed Information Commissioner in July 2016. Her key goal is to increase the UK public's trust and confidence in what happens to their personal data.