ICO Opinion on the use of LFR in public places
Today the Information Commissioner has released a new Opinion piece addressing the use of live facial recognition in public places. The Opinion piece states that whilst facial recognition technology “brings benefits that can make aspects of our lives easier, more efficient and more secure”, the risks of privacy are increased when live facial recognition (LFR) is used in public places.
The Commissioner's Opinion aims to set out new guidance for companies and public organisations using this technology and requires a “high bar” for the use of LFR in public spaces to be considered lawful.
The Opinion is primarily intended for Data Protection Officers and other privacy and data protection practitioners, as well as those responsible for designing, supplying and using LFR services.
In Section 5 of the Opinion, the Commissioner summarises the key legal requirements for controllers; her recommendation to the wider industry, including technology developers and LFR vendors; and her next steps in her role as regulator.
The key steps that controllers should take when designing, commissioning and operating an LFR system, include:
-
Identifying a specified, explicit and legitimate purpose for using LFR in a public place.
-
Ensuring the use of LFR is targeted and an effective way to achieve the controller’s purpose. The controller must demonstrate that they cannot reasonably achieve their purpose by using a less intrusive measure.
-
Addressing the risk of bias and discrimination and ensuring fair treatment of individuals.
The Commissioner expects controllers to be sure they can meet these requirements and to document their assessments and decisions before any deployment of LFR.
In addition, the Commissioner recommends that technology developers, LFR vendors and service providers, and the wider industry should:
-
put a data protection by design and default approach at the heart of any new developments;
-
take steps to address and reduce the risks of bias and discrimination in LFR systems and the algorithms that power them;
-
be transparent about the effectiveness of LFR systems and consider adopting common standards to assess and describe their statistical accuracy; and
-
educate and advise controllers on how systems work and be transparent about the potential data obligations that controllers need to meet.
Finally, the Commissioner states that when considering any regulatory action or use of her enforcement powers, she may refer to this Opinion as a guide to how she interprets and applies the law. So, it’s important that any companies operating in this space rigorously assess their current operations and practices against this new guidance.
Following the announcement techUK's Head of Data Analytics, AI and Digital ID, Katherine Holden said:
Today the Commissioner has firmly set out the standards necessary for the use of Live Facial Recognition (LFR) to be considered lawful in the UK. The Commissioner’s focus on a privacy by design approach that is proportionate, context-specific, and evidence-led is an encouraging step forward. Industry will now need to rigorously assess against the legal requirements set out in this Opinion and techUK stands ready to work with our members and the ICO to help operationalise this guidance. The ICO’s continued commitment to supporting compliance approaches through the data protection Codes of Conduct and ICO Regulatory Sandbox is welcome and a crucial step towards building and maintaining the trust and confidence of the public.
Katherine Holden
Katherine joined techUK in May 2018 and currently leads the Data Analytics, AI and Digital ID programme.
