Written evidence submitted by Surveillance Camera Commissioner (WBC0002)

The submission by the SCC predominantly focuses on the use of automatic (live) facial recognition (AFR) and technology utilising video surveillance technology.

Executive summary

This submission sets out the following points:

• A clearer legal framework outlining how Automatic Facial Recognition (AFR) can be deployed would support law enforcement practitioners.
• A clear, well-regulated framework, exists for covert surveillance usage (Regulation of Investigatory Powers Act 2000 (RIPA)) and that overt use of such advancing technology (AFR) is arguably more invasive than some covert surveillance techniques.
• The police/Home Office/National Police Chiefs’ Council should develop a suite of standards covering deployment, type of approval of equipment and performance criteria akin to that which exists for Automatic Number Plate Recognition (ANPR) technology.
• The Surveillance Camera Commissioner (SCC) has produced a guidance document for police use of AFR. It is drafted with due consideration to the strict regulation covering the use of directed surveillance under RIPA. It is for Government and Parliament to decide if the potential for intrusion of this technology requires similar governance structures and supporting legislation.
• NPCC/Home Office need to develop a single narrative that effectively counters the erroneous reporting concerning the reliability of the technology. The current police pilots rely upon human intervention assisted by technology. This is overlooked in the assessment of the efficiency of AFR by critics of the technology. They hone in on the autonomous nature of matching faces passing a camera to a pre-determined watchlist ignoring the fact there is always human intervention before a possible ‘match’ is approached.
• Whilst the use of AFR by police is merit worthy of focussed debate, it is used much more widely amongst the commercial sector which is less well regulated.
• Police/private partnerships can create added complications in terms of legitimacy of use.
• Police use of AFR under the auspices of a ‘pilot programme’ need to be clearly defined if public trust and confidence is to be maintained. The terms of pilots need to be clearly defined.
• Evaluation methodologies need to be clear and independent. Transparent reporting in the public eye would bolster trust and confidence in its use.
• The Home Office Biometrics Strategy reported that the Surveillance Camera Code of Practice (the Code) would be revisited and refreshed as a key deliverable. This must be advanced and ensure clear and direct guidance is provided within it for the use of advancing technologies as stated within the Code and Protection of Freedoms Act 2012 (PoFA) itself.

Background

The Protection of Freedoms Act 2012 (PoFA) and the Surveillance Camera Commissioner (SCC)

1.1        PoFA created the role of the Surveillance Camera Commissioner (SCC) and required the Secretary of State to issue a Surveillance Camera Code of Practice. The Code differentiates between the use of overt surveillance cameras and covert surveillance, the latter being exclusively the domain of RIPA and regulatory focus of the Investigatory Powers Commissioner. The Code also recognises the Data Protection Act (DPA) consideration relevant to the management of personal data when using surveillance camera systems and has woven the DPA within its content. The Code provides a ‘whole system’ approach to the provision of guidance on surveillance cameras and systems connected to them. Police forces (and local authorities) in England and Wales MUST pay regard to the Code by virtue of Section 33(1) PoFA.

1.2        Significantly, the Code, issued in 2013, anticipated the use of facial recognition and other technology enhanced capabilities integrated with the surveillance camera systems it regulates and therefore provided the following additional guidance:

Paragraph 2.3; “…that is not to say that all surveillance camera systems use technology which has a high potential to intrude on the right to respect for private and family life. Yet this code must regulate that potential, now and in the future.”

Paragraph 4.8.1. (Principle 8) – “Approved standards may apply to the system functionality, the installation and the operation and maintenance of a surveillance camera system. These are usually focused on typical CCTV installations, however there may be additional standards applicable where the system has specific advanced capability such as ANPR, video analytics or facial recognition systems, or where there is a specific deployment scenario, for example the use of body-worn video recorders.”

Paragraph 4.12.1 (principle 12) – “Any use of technologies such as ANPR or facial recognition systems which may rely on the accuracy of information generated elsewhere such as databases provided by others should not be introduced without regular assessment to ensure the underlying data is fit for purpose.”

1.3        The following comments relate specifically to my regulatory role and the issues within the Biometrics Strategy that relate to the use of biometric technology in conjunction with video surveillance systems:

i)        The SCC will oversee the police use of AFR. Under Section 35(5) of PoFA – the police are a Relevant Authority and have a duty to ‘pay regard to the Surveillance Camera Code of Practice’.

ii)      AFR is classed as part of a video surveillance camera system under Section 29(6) of PoFA and is taken to include:

Closed circuit television (CCTV) or automatic number plate recognition (ANPR) systems (b) any other systems for recording or viewing visual images for surveillance purposes; (c) any systems for storing, receiving, transmitting, processing or checking the images or information obtained by (a) or (b) ; (d) any other systems  associated with, or otherwise connected with (a), (b) or (c).

iii)    Para 2.2 of the Code recognises the impact of advancing technology “this code must regulate that potential, now and in the future”

iv)    The consequences of failing to ‘pay due regard’ to the Code is a matter subject to formal disclosure proceedings at any tribunal. Crown Prosecution Service have updated their Disclosure Manual Guidance[1] to reflect these requirements.

v)     Each police force in England and Wales now has a Senior Responsible Officer accountable for compliance with PoFA and for reviewing every surveillance system operated within that force to ensure compliance with the Code.

Role of the SCC in relation to AFR

1.4        Para 3.2.3 of the Code provides specific guidance in relation to use of this technology:

‘Any use of facial recognition or other biometric characteristic recognition systems needs to be clearly justified and proportionate in meeting the stated purpose and be suitably validated.’

1.5        The Code provides that the SCC will be a source of advice on such systems. This requirement is expanded upon at para 4.8.1 to 4.8.4. Validation should be interpreted as meaning ensuring that such technology is utilised in accordance with the Code.

1.6        Chapter 5 of the Code outlines the methodology the SCC is expected to adopt:

i)                 Engaging with fellow regulators

ii)               Review the operation of the code

iii)             Provide advice and information to the public

iv)             Establish a non-statutory advisory council

Current Position

1.7        Following the establishment of the role of SCC the awareness of the requirements across all Relevant Authorities to comply with the Code is now assured.

1.8        The SCC wrote to Chief Officers of Police in November 2017 reminding them of their responsibilities under PoFA in relation to AFR, thereby energising the NPCC. He worked with South Wales Police and the Metropolitan Police Service, has written to Ministers on the subject, addressed the Metropolitan Police Ethics Committee and addressed Taylor Wessing National data conference directly considering a future paradigm for the use and regulation of AFR. Additionally the SCC has been active on social media, via his blog and other main stream media outlets in relation to new and emerging technology. The SCC and the Centre for Research into Information, Surveillance and Privacy held a citizen engagement event at the London School of Economics in 2018 which focused on the use of AFR and impact on the citizen[2].

1.9        To enable the SCC to effectively fulfil his statutory functions he has established a National Surveillance Camera Strategy for England and Wales[3]. This provides a mission and vision statement and very clear oversight, direction and transparency. It includes a detailed delivery plan with objectives and milestones. It underwent a detailed and comprehensive consultation phase and was endorsed and supported by government, industry, privacy groups and end users. The use of AFR falls within the Strategy across the strands – horizon scanning, regulatory involvement, police and particularly citizen engagement.

1.10   The delivery areas led by industry experts are as follows;

i)                 Standards and certification

ii)               Horizon scanning

iii)             Civil engagement

iv)             Policing

v)               Local authorities

vi)             Voluntary adopters (non-police/local authority organisations)

vii)           Critical national infrastructure

viii)         Installers, manufacturers and designers

ix)             Training

x)               Regulation

xi)             Human Rights, Data and Technology

1.11   In relation to this strategy and to fulfil his obligations within PoFA, the SCC has produced and circulated a guidance document to police forces across UK relating to the use of AFR.[4]

1.12   This guidance document was circulated in advance to the Biometrics Commissioner, Forensic Science Regulator, Information Commissioner’s Office and Investigatory Powers Commissioner’s Office. It was subsequently forwarded to the Chair of the Law Enforcement Facial Images and New Biometrics Oversight and Advisory Board. The SCC holds the view that, given the nature of advancing technology such as AFR, that regulators ought to consider methods of harmonising advice for end users into a single document.

What constitutes validation under the Protection of Freedoms Act 2012

1.13   The SCC may expect that the following considerations have been properly considered and addressed by a police force deploying AFR capabilities (in addition to the 12 Guiding Principles within the Code and the guidance issued by SCC above).

Legitimacy

1.14   In the first instance the organisation should be clear and transparent as to the legal basis upon which they seek to rely to justify the use of AFR. There is a legislative framework which accommodates aspects of use of AFR (e.g. Common Law, Data Protection Act 2018, RIPA, PoFA, Freedom of Information Act, Counter Terrorism Act 2008) however there is an argument that this does not necessarily amount to being sufficiency of ‘a basis in law’ to the satisfaction of the European Convention of Human Rights (ECHR).

1.15   Where the intended use of AFR is overt, the deployment should have clear aims and objectives and a clear and accountable command structure which accords with police practice (Bronze Silver Gold).

1.16   ‘The legitimacy’ of the use of AFR should be documented and auditable. The case of legitimacy should include the following:

1. Necessity – The use of AFR should only be considered where it is believed to be necessary on legitimate and clearly stated grounds/purpose (prevent/detect serious crime, public safety etc).
2. Proportionality – If believed necessary then it must be believed that that the use of AFR is proportionate to what is sought to be achieved. In that regard the RIPA standard may be considered in the absence of other relevant guidance:

• balancing the size and scope of the proposed activity against the gravity and extent of the perceived crime or offence;
• explaining how and why the methods to be adopted will cause the least possible intrusion on the subject and others;
• considering whether the activity is an appropriate use of the legislation and a reasonable way, having considered all reasonable alternatives, of obtaining the necessary result;
• evidencing, as far as reasonably practicable, what other methods had been considered and why they were not implemented.

3. An assessment should be conducted of the intended and collateral intrusion risks together with an action plan which sets out how those risks are to be mitigated.

Protection of Freedoms Act

1.17   The use of AFR should be in accordance with PoFA and a Self-Assessment Tool (published on SCC website)[5] completed for the use of the system for each operation. This should be kept under consideration and amended where circumstances change.

Data Protection

1.18   The management of those considerations which fall to be applied in respect of the management of personal data should accord with the Data Protection Act 2018 and be in accordance with guidance provided by the Information Commissioner’s Office Code of Practice ‘In the Picture’[6] and any other relevant guidance provide by the ICO.

1.19   Additional responsibilities and considerations fall to be applied where biometric data is concerned arising from new data protection legislation. Guidance and tools provided by the ICO should be considered in that regard.

1.20   The use of AFR should accord with any professional practice or other guidance provided by National Policing College guidance/standards/strategy.

Digital Forensic Considerations

1.21   The type approval of the equipment to be employed should be appropriately considered so that the full capabilities of the system to intrude and its functional reliability, integrity and evidential credentials are fully understood, and risk assessed. Due consideration should be given to the Codes of Practice and Conduct, Standards for Forensic Science Providers and Practitioners in the Criminal Justice System. This is provided by the Forensic Science Regulator in respect of digital forensic matters[7].

1.22   It is not satisfactory for the police to avoid those standards by seeking to differentiate between ‘intelligence’ deployments and ‘evidential’ deployments. Whereas the intended distinction is understood in operational terms, from a legal perspective there is no difference. All deployments are potentially of an evidential nature and should be treated as such as they are capable of having relevance to judicial proceedings. AFR deployments form the basis of decisions and actions and therefore may become a disclosable consideration pursuant of Criminal Procedures and Investigations Act 1996 where they are made.

RIPA and Covert Surveillance

1.23   Prior to any deployment taking place, any intended operational use of AFR should be considered by the force authorising officer for RIPA to determine whether such use is covert and therefore requiring of an authorisation under the provisions of that legislation. Where such use is authorised in accordance with RIPA it will thereafter be managed in accordance with longstanding provisions and practices and regulated by the Investigatory Powers Commissioner[8].

The Biometrics Strategy

Vision statement:

Continuing to implement the Custody Images Review and ensuring that the Surveillance Camera Commissioner (SCC) and Information Commissioner’s Office (ICO) guidance on the use of images is followed;  Building a wider facial image sharing and matching platform, including increased sharing and matching of facial images from existing government collections; and Improving oversight for police use of facial images and automatic facial recognition (AFR), creating a new Board to enable greater coordination and transparency on these issues.

1.24   The aspiration of the Strategy ought to focus on some pressing concerns that have been picked up throughout citizen engagement within the National Surveillance Camera Strategy (England and Wales) concerning use of this technology.

1.25   This vision statement should focus on the considerable opportunities to society and law enforcement if this technology were to be harnessed in such a way that citizen support was absolute. The Home Office should ensure that any application of AFR by the State will reflect the highest standards on equipment utility, type approval, auditing standards, governance and transparency. To ensure the soaring opportunities of new and advancing technologies are maximised whilst developing a rigorous approach to ensuring the balance between public security and privacy is maintained.

1.26   The SCC has made the point and drawn the parallel between this technology and that of the use of ANPR systems. He has provided critical analysis on the standards, governance and transparency applied by NPCC concerning these matters. Subsequently we have seen the introduction of new ANPR National Standards, reduction of the data retention by the police from two years to one and introduction of the National ANPR Independent Advisory Group which the SCC was asked to Chair by NPCC. There are clear parallels here that ought to be drawn upon to support the development of this Strategy.

1.27   Evidence of lack of understanding concerning the capability and capacity of the AFR system is evident amongst the public and even commentators on its use. A confusion exists concerning the meaning of the performance data and lack of recognition that is integral to the system is the human element that supports its use and provides dynamic assessments of its results. A single narrative ought to be developed within the strategy that provides that information. Failure to do so undermines the efforts being taken to use the technology in the first place.

Police Use of AFR Increasingly Linked to Commercial/Retail Sector

1.28   It is foreseeable that there will be an increasing use or desire for the shared use of this technology between police and the commercial sector. The SCC has expressed concern that much regulatory focus is placed upon the police yet the sheer volume of increasing use of this technology is being promulgated by the commercial sector. 

1.29   The police are more visible, and their use of advancing technology may attract more focus however there is a danger in focusing solely upon those organisations endeavouring to keep us safe, who are easier to place in scope of close scrutiny than perhaps businesses, shopping centres or an ever-increasing variety of users.

1.30   In October 2018 the SCC reported on a regulatory intervention made between Intu (Trafford Centre, Greater Manchester) and Greater Manchester Police (GMP). The SCC had become aware of use of AFR technology in partnership between the two organisations.

1.31   A ‘Watch List’ of a small number of people had been compiled by GMP (comprising of people missing from home and people circulated as ‘wanted on the Police National Computer).

1.32   The technology had been in use for 6 months and approximately 18 million people would have been subject to electronic profiling under the AFR system at this large retail shopping centre. If no positive ‘hit’ was activated by comparison between a shopper and the Watch List, the data was disposed of immediately. The questions the SCC asked the legal teams representing both organisations were;

i)             Is this necessary?

ii)           Is this proportionate?

iii)         What is the legislative foundation you are operating on?

1.33   Both organisations thought it appropriate to step back, seek further legal advice and understanding as to the use of such potentially invasive technology. The concerns at the time focussed upon the following issues:

i)             What terms were the Watch List developed against?

ii)           Which organisation owned the list?

iii)         What were the operational intervention policies?

iv)         Had lawyers assessed the scheme against all relevant legislative requirements?

v)           Was it proportionate?

vi)         Was it necessary?

vii)       What technology was being used?

viii)     What were the standards applied to its use?

ix)         Did the commercial end to the partnership have clear understanding how to manage complaints and Subject Access Requests?

x)           Were senior police commanders properly engaged in this surveillance?

xi)         How transparent was the use of this technology and the linkage between police and private sector?

1.34   The relationship between private and state surveillance will continue to grow. Regulators need to be alert and ensure adequate advice and support is available.

Legislation

1.35   It might be helpful to consider the legislation that covers covert surveillance used by public authorities with a mandate to use such techniques under the Regulation of Investigatory Powers Act 2000.

1.36   There is a clear basis in law for covert surveillance to be conducted, provided by the Regulation of Investigatory Powers Act 2000 and the Investigatory Powers Act 2016. There are provisions for independent judicial oversight and approval with a clear regulatory framework within the relevant legislation, which prescribes governance in so far as authorisation levels for covert surveillance activity is concerned. Also required are the key principles to be considered and recorded within specified timescales to ensure constant review together with an inspection regime, which scrutinises compliance in respect of every public authority that has powers vested in it to conduct covert surveillance. This results in reports and recommendations being considered by senior officers and judicial figures alike.

1.37   That is a regime that has stood the test of time – 17 years – and is necessary because of the degree of intrusion that covert surveillance causes, and the use of technologies involved. But arguably, overt surveillance is becoming increasingly intrusive on the privacy of citizens; in some cases, more so than aspects of covert surveillance because of the evolving capabilities of emerging technologies. It may be AFR today but what about augmented reality, gait analysis, behavioural analysis, lip-reading technology and whatever else may be around the corner? Technology can enable overt surveillance camera systems to harvest an exceptionally detailed picture of your private and personal information, in some cases far better than a surveillance officer covertly following you to the supermarket. The point is this – there is a clear legal and regulatory framework to underpin covert surveillance. There is a more complex legal framework that underpins overt surveillance activity, which includes common law, the DPA, the PoFA, the Freedom of Information Act 2000 and the Counter Terrorism Act 2008.

1.38   The Data Protection Act 2018 alone does not provide a basis in law for use of this technology nor does the completion of a Data Protection Impact Assessment (DPIA). It does however provide a framework for the management of data so collected. The DPIA requires that a specific legal purpose be identified. That cannot be the Data Protection Act in these circumstances.

1.39   The utility of this type of equipment is potentially so important to law enforcement the SCC will continue to argue that a solid legal framework for its use, aside from the arguably more fluid framework of common law jurisprudence, would support policing in their difficult task of melding new technology with ancient laws. The SCC has made similar arguments for the use of ANPR – arguably the largest non-military database in use in the UK.

Conclusion

1.40   The Human Rights Act 1998 gives effect in UK law to the rights set out in the European Convention of Human Rights (ECHR). Amongst the qualified rights is a persons’ right to respect for private and family life, home and correspondence (Article 8).  This is a qualified right – meaning it is permissible for the state to interfere with the right provided that the interference is in pursuit of a legitimate aim and the interference is proportionate.

1.41   The use of facial recognition technology introduces the prospect of other rights being infringed – freedom of assembly, freedom of expression, protection from discrimination and right to liberty and security. New technology challenges the legal basis or legal justification of this technology. Automatic Number Plate Recognition Systems (ANPR), facial recognition systems and other forms of integrated technology are becoming hardwired into our society.

1.42   Indeed, as long ago as 2016, in his annual report for that year, the SCC reported upon the potential for a new paradigm to provide regulation for this new world of overt surveillance:

‘The advent of integrated surveillance technologies (cameras, sensors, analytics, biometrics, smart systems) means that the ability of the state and indeed the commercial sector to physically and intrusively track the citizen in public spaces is well and truly upon us and may in future, point to the requirement ... for an overarching style of regulation of open source surveillance.’

1.43   Integrated surveillance camera systems can provide new ways of protecting citizens in a world where concerns about terrorist atrocities are sadly becoming more prevalent. Greater debate around the capabilities and integration of those systems and their operation by both public and private sectors need to be held. The public need to have confidence that operators of these systems can be trusted to use them lawfully, proportionately, ethically and only where their use is legitimately needed.

1.44   The Biometrics Strategy needs to reflect that in a digital high density modern population the police have to act lawfully, ethically and in justifiable circumstances when they are intruding on fundamental freedoms. Surveillance in all its forms – including AFR enabled is an intrusive investigatory power which goes beyond data processing (with the inherent risk of a fine and order to stop processing). There are already principles of necessity, proportionality and collateral intrusion, considerations which the police and other public authorities have been very accustomed to adopting in their surveillance activities, particularly when those covert activities amount to covert surveillance.

1.45   The state is in the foothills of persuading the public that there is a sufficiently robust regulatory regime in place to provide public reassurance. The SCC is delighted that the Crown Prosecution Service have now incorporated into its Manual of Disclosure the requirement for relevant authorities to comply and be seen to comply with the Code. The SCC believes that the government need to back up its promise to review that Code and strengthen it in light of these new challenges.

1.46   The overarching question is surely this – is the use of AFR in itself overt surveillance and if so, whether PoFA and the Code, which addressed AFR, provides a basis in law for overt AFR and if not, whether the wider statutory framework for overt surveillance provides that sufficiency?

March 2019