Opinions and insights from our Corporate and Commercial team
Data Privacy - Live Facial Recognition Technology Compliance
Author: Julia Seary
In an effort to address public concern about the potential for live facial recognition (LFR) technology to be used contrary to data privacy laws, the ICO have provided guidance on the use of LFR in public places by private companies and public organisations.
As businesses are probably aware, Data Protection legislation will apply to an organisation's use of LFR technology because it automatically processes personal data and biometric data to establish a person's identity. The guidance examines the use of LFR in public spaces for purposes other than law enforcement and explains the key data protection compliance requirements, which include that controllers must:
- Perform a data protection impact assessment which considers the risks and potential impacts of the processing of personal data via LFR on the interests, rights and freedoms of data subjects.
- Establish a valid lawful basis for the processing of personal data and a separate condition for special category data, and show that the use of LFR in a public place is necessary, targeted and an effective means of achieving a specified, explicit and legitimate purpose.
- Demonstrate that less privacy-intrusive techniques will not achieve that purpose.
The ICO balances an acknowledgement of the potential of LFR to do significant good with the proviso that its success is contingent on maintaining public trust that invasion of privacy is kept to a necessary and lawful minimum. The ICO emphasised that it will continue to support innovation and help ensure a fair balance is struck between pursuing the benefits of technology and the protection of data subject rights, with poor compliance to be met with its enforcement powers.