LEGAL, REGULATORY & COMPLIANCE CONSULTANTS

Handley Gill Limited

Our expert consultants at Handley Gill share their knowledge and advice on emerging data protection, privacy, content regulation, reputation management, cyber security, and information access issues in our blog.

Now you see me...

While live facial recognition technologies have already been deployed by a number of police forces, albeit not without legal challenge and significant scrutiny, and their expansion is being widely pushed by the government, Chief Constables shouldn’t be under any illusions that they are individually responsible for ensuring legal and regulatory compliance and will need to assess and mitigate the risks of harm across data protection, human rights and equality laws.
— Handley Gill Limited

Announcing a crackdown on retail crime, on 10 April 2024 the Prime Minister Rishi Sunak announced a £55.5m investment over four years to expand the use of facial recognition by police forces, including through additional live facial recognition mobile units to take “live footage of crowds in towns and on high streets, comparing images to specific people wanted by the police or banned from that location”.

South Wales Police’s use of live facial recognition technologies was held to have been unlawful but this has not prevented the force from not only pressing on with its own deployments but also effectively leasing its equipment and staff to other forces to support their deployments under the mutual aid provisions in section 24 Police Act 1996.

The use of live facial recognition technologies has been the subject of significant scrutiny, with the House of Lords’ Justice and Home Affairs Committee conducting an investigation into their use which concluded that the government should implement a specific legislative framework to underpin the use of LFR and operational deployments of LFR attracting protests by civil society groups. 

The use of live facial recognition for law enforcement purposes raises a number of legal and regulatory issues, including compliance with the requirements of Part 3 Data Protection Act 2018, the Public Sector Equality Duty (PSED) under section 149 Equality Act 2010 and prohibitions on direct and indirect discrimination, under Part 2 Chapter 2 Equality Act 2010, and the Human Rights Act 1998, in particular Article 8 which protects the right to respect for private and family life and Article 14 which affords protection from discrimination as well as, in appropriate cases, the right to freedom of expression and information under Article 10 and the right to freedom of assembly under Article 11. It is also imperative to ensure that deployments don’t fall foul of the restrictions on directed surveillance under the Regulation of Investigatory Powers Act 2000.

Forces must not proceed on the assumption that only those individuals who are matched using Live Facial Recognition technology will suffer an interference with their legal rights; all individuals subjected to LFR are affected even those whose data is promptly deleted.

The circumstances in which LFR deployments will be considered to meet the requirements of strict necessity and proportionality will also need to be considered; the European Court of Human Rights has recently held that the use of facial recognition technologies in the context of an administrative offence violated Article 8.  

In addition to strict legal requirements, a range of regulatory obligations and best practice requirements have been established, such as the Algorithmic Transparency Reporting Standard.

Ethical considerations also apply, and it should be recognised that public support for LFR is not universal.

One of the criticisms of South Wales Police in the case of R (On the application of Edward BRIDGES v The Chief Constable of South Wales Police [2020] EWCA Civ 1058 was that the policies in place did not “not sufficiently set out the terms on which discretionary powers can be exercised by the police and for that reason do not have the necessary quality of law”. While the College of Policing has since published its Authorised Professional Practice on Live Facial Recognition, this continues to leave considerable discretion to individual forces in relation to the compilation of watchlists and the location of LFR deployments, as well as the appropriate configuration of equipment. 

Forces proposing to implement LFR therefore need to ensure that, in advance of procuring or leasing the relevant equipment, they undertake a range of legal and regulatory assessments, establish why the use of the technology is strictly necessary and proportionate, develop and publish policies which provide clear parameters for the use of LFR, establish governance and oversight mechanisms, and consult with their Police and Crime Commissioner and the wider public. In particular, Chief Constables should ensure that they have in place:

  • Live Facial Recognition (LFR) Policy Document;

  • LFR Standard Operating Procedure;

  • Data Protection Impact Assessment;

  • Sensitive Processing Appropriate Policy Document;

  • Surveillance Camera Self-Assessment;

  • Community Impact Assessment;

  • Equality Impact Assessment;

  • Collateral Intrusion Risk Assessment (potentially incorporated into wider risk assessments);

  • Human Rights Impact Assessment; 

  • Operational Risk Assessment;

  • Cyber security risk assessment;

  • Algorithmic Impact Assessment;

  • Algorithmic Transparency Report;

  • Data Processing/Sharing/Joint Controller Agreement with supplier/mutual aid force (as applicable);

  • Data retention policy;

  • Live Facial Recognition (LFR) approval records, i.e. LFR application (including sections on specific risks, e.g. children), written authority document of Authorising Officer, authorisation process map/flowchart;

  • Live Facial Recognition (LFR) operational documentation, i.e. Register of LFR Deployments, LFR Deployment Logs, System logs, LFR Cancellation Report; Deployment success assessments etc);

  • Transparency measures, i.e. leaflets, photographs of signage and its location (including in relation to LFR tech), public explainer, privacy policy etc; and,

  • Partnership Protocol with mutual aid force, establishing the requisite governance and accountability arrangements between the partners and documented, detailing obligations and expectations, and the procedures agreed for the resolution of any differences between the parties or changes of circumstance.

The starting point for many of these documents will be the model card for the relevant algorithm, which should be available from the supplier. Considering the efficacy of the tool in real operational conditions will, however, also be necessary in order to understand the limitations of the technology.

Given that many of the assessments identified above will draw on the same baseline information, forces may prefer to conduct an Integrated Impact Assessment, incorporating all of the relevant considerations.  

Should you require support in procuring live facial recognition technologies, in establishing the necessary framework for doing so, drafting risk and impact assessments, or in considering the lawfulness of specific operational use cases and configurations, don’t hesitate to contact us.

Find out more about our data protection and data privacy services.