Law Enforcement use of Live Facial Recognition (LFR)
A senior police officer has approved the use of Live Facial Recognition (LFR) technology to support the policing of an area experiencing an increase in serious crime. LFR technologies can assist in identifying specific individuals who may be included in pre-compiled watchlist. To ensure that the technology is deployed lawfully, careful considerations must be made about how personal data, which includes biometric information, is used in accordance with people's information rights.
Before LFR is used as part of any operational deployments the team responsible for the delivery of the technology worked alongside the force’s Data Protection Officer to consider the following:
Guidance & Codes of Practice – Law enforcement agencies should read the available guidance and codes of practice relating to the use of LFR technology. The ICO has produced a data protection checklist and blogs on the data protection considerations. The College of Policing has also produced an Authorised Professional Practice on the use of LFR. This guidance covers areas relating to data protection compliance including:
- Public Sector Equality Duty (PSED)
- Compilation of watchlists
- Deployment specific data protection considerations
Policies – Police forces must develop local policies for the deployment of LFR that that set out the conditions under which the technology is deployed and inform public expectations on how data is collected and used. This should include a Data Protection Impact Assessment (DPIA) and an Appropriate Policy Document.
Informing the public – Law enforcement agencies must consider what steps they need to take to inform the public how they are processing data, such as a privacy notice and information provided to people during a deployment.
After working through these steps, the law enforcement agency was able to put in place the appropriate policies and procedures. This ensured that when they deployed the LFR technology, it was in accordance with data protection requirements and met the strict necessity requirements in Part 3 of the Data Protection Act 2018.