Regular readers of my blog will know that the Home Office published their Biometric Strategy in June and in doing so established a new board (which I sit on) to develop that strategy.
A key challenge for me in participating in the board is to retain my independence and ability to act as a voice and conscience for the public good. This blog is an ingredient of my commitment to fulfilling that objective.
The board is chaired by Chief Constable Mike Barton (head of the National Police Chiefs’ Council crime coordination committee) and is attended by scientists, practitioners, regulators and Home Office officials – an eclectic mix that is developing a challenging agenda. I have absolute confidence in Mike’s determination to ensure that policing and the public are lawfully, ethically and effectively served by the best new biometric technologies.
For my part I continue to emphasise the importance of regulators working together on ensuring the lawful use of automatic facial recognition technology (AFR).
As regulators we must prevent the risk of sending confused messages to those we regulate. We must advise in a holistic fashion and not against our narrow regulatory interests. We must understand the risks, opportunities and threats this advanced technology presents. We mustn’t default to using potentially invasive technology simply because we can nor must we shy away from the potential societal and security benefits it can bring.
In the context of law and regulation, the conduct of surveillance is a more holistic issue than simply a biometric consideration alone, much broader than a data processing consideration, much deeper than a forensic consideration and certainly a more human rights intrusive issue than just the right to privacy. All of these have to be equally, demonstrably and transparently addressed by those considering the use of systems such as AFR.
To give you an example – I was approached by a private organisation who were using AFR. They don’t legally have to comply with the Protection of Freedoms Act or the Surveillance Camera Code of Practice as they aren’t a relevant authority as set out in the Act (police forces and local authorities). They did want to comply with best practice. They were confident in their approach having worked through the prism of the new Data Protection legislation to deliver the necessary Data Protection Impact Assessment (DPIA).
When it became apparent that the police (a relevant authority) were working with this company my regulatory interests were fully engaged. The police were interested in a tool that could help identify people missing from home and people wanted for crimes. However, compared to the size and scale of the processing of all people passing a camera the group they might hope to identify was miniscule. The proportionality of the enterprise was effectively placed under due legal consideration.
To their immense credit, the police engaged with my office before proceeding, and convened a meeting with lawyers, force command and retail security at my behest. At this point the police have stepped back from engagement having recognised that their approach is not currently proportionate – processing millions of people via this facial recognition system. Reducing one ‘face’ into a digital signature for comparison with a watch list is ‘processing’.
Equally the company involved were unaware of the responsibilities they would inherit when forming a partnership with the police force in question – Freedom of Information Act obligations, accountability with the Crime and Disorder Act, and obligations under the Criminal Investigations and Procedure Act to name but a few. The company have too ceased using AFR pending further enquiries, regulatory engagement and a possible revamp of their DPIA. I am pleased that my regulatory intervention has caused these organisations to reflect on legitimacy of its use.
So, what’s my message? My fellow regulators and I need work together to help guide organisations in what is becoming an increasingly complex issue. The risk of well-intended but badly executed practice may form within the regulatory gaps and overlaps which exist and more examples may come across my desk.
I am of course delighted that the police have understood this for some time and under the leadership of Mike Barton are making progress. I am firmly of the view that any regulatory guidance document published would be best served, under current legislation, as a shared endeavour between respective regulators.
The Home Office board should help with these endeavours. Providing strong advice, strong guidance met by a mature and sensible response from those using new biometric technologies as set out in the example in this blog.