Live Facial Recognition: How to stay within the law
by Sarah Coe, partner, Clarke Willmott in Bristol
With the retail sector currently under scrutiny about its use of live facial recognition technology it is crucial that businesses understand how the equipment can be used lawfully.
The technology relies on algorithms to detect and analyse faces and uses this information to create a biometric template that can identify individuals.
In recent months Frasers Group has been criticised by cross-party MPs for using the equipment in its stores, describing its use as “invasive and discriminatory”.
Meanwhile, the Information Commissioner’s office (ICO) highlighted a number of areas of concern after an investigation into security firm Facewatch.
In both cases, the technology was used to create a database of potential shoplifters and other persons of interest against which future data could be screened.
Using the cameras in public places in England and Wales relies on a combination of data protection laws and human rights laws.
As the technology enables the identification of individuals, it must comply with the UK GDPR and other data protection legislation.
The processing of biometric data is also a special category of personal data and is subject to additional protections under the GDPR privacy law.
Processing is generally banned unless it falls within one of 10 narrowly defined statutory exceptions and may be subject to additional restrictions or be specific to the exception in question.
To ensure lawful use of the technology, businesses must check they have both a lawful reason for processing personal data and a valid condition for processing special category data.
If a lawful reason is established, any processing must be balanced against the individual’s rights and is only lawful if proportionate and necessary to help the business address its security concerns.
The ICO has indicated taking the following steps may evidence that a business’s actions are compliant with data protection legislation:
Appointing a data protection officer
Ensuring that relevant policies and procedures are in place
Carrying out a data protection impact assessment
Continually assessing data collected through use of live facial technology and erasing data where possible
Ensuring protection of vulnerable persons
In the case of Frasers Group, the company has defended its use of live facial recognition technology in its stores and no regulatory action has yet been taken against it.
Meanwhile, following its investigation and the introduction of improvements by Facewatch, the ICO has confirmed that no further regulatory action is required.
However, it indicated there is a high bar for use of the equipment to be considered lawful and that although Facewatch’s activities were compliant with data protection legislation, this should not be viewed as a green light for other businesses to use the technology.
Instead, the ICO will continue to monitor the use and development of the technology and assess each business on a case-by-case basis.
Clarke Willmott LLP is a national law firm with offices in Birmingham, Bristol, Cardiff, London, Manchester, Southampton, and Taunton.
For further information visit www.clarkewillmott.com.