UK needs legislation with specific focus on biometric technologies

by Joseph K. Clark

According to former biometrics commissioner Paul Wiles, Parliament must create legislation that explicitly deals with using biometric technologies in the UK. The former commissioner for the retention and use of biometric material told the House of Commons Science and Technology Committee that while there was currently a “general legal framework” governing biometric technologies, their pervasive nature and rapid proliferation meant a more explicit legal framework was needed.


Referencing the use of various biometric technologies by UK police in particular – including live facial recognition (LFR), voice recognition, and gait analysis – Wiles said the current framework governing their use had “not kept up with the development of new biometrics” and nor had “the government responded to judgments by both domestic courts and the European Court of Human Rights about the inadequacy of that current framework”, some of which “go back almost nine years”.

Wiles further added that while the Information Commissioner’s Office (ICO) could issue opinions or guidance about the use of biometric technologies, as well as intervene if “general data [protection] requirements” are not met during their deployment, specific legislation is needed to properly establish when the tech can and cannot be used, and what uses are acceptable.

biometric technologies

“At the moment, there is a framework that allows the information commissioner to express an opinion, but when it comes to the old biometrics – DNA and fingerprints – it was Parliament that decided legislation,” said Wiles. “That’s what I’m pointing to, that lack of a legislative framework.”

He argued that creating specific legislation for biometrics would clarify “what is in the public interest and therefore acceptable, and what is not in the public interest, and therefore not acceptable”.

In terms of police facial recognition, precisely, Wiles highlighted the retention of custody images in the Police National Database (PND) – which a 2012 High Court ruling found to be unlawful on the basis that the six-year retention period was not proportionate – as a significant problem.

The PND holds roughly 23 million images of people in custody, regardless of whether they were subsequently convicted. It is used as the basis for the “watch lists” police LFR systems to identify people’s faces.

Paul Wiles, former biometrics commissioner

For Wiles, however, the Management of Police Information (MoPI) rules, which govern when certain information like facial images should be deleted, is not clear enough because they give too much discretion to chief officers.

In the event Parliament fails to create specific legislation for biometrics, Wiles suggested “the most obvious thing to do” would be for Parliament to extend the Protection of Freedoms Act (POFA) from 2012, which sets “clear rules… about when DNA and fingerprints must be deleted”, to include how police should deal with facial images.

Private sector biometrics

While most of the Science and Technology Committee’s discussion centered around police use of biometrics, Wiles said the pervasiveness and use of such technologies in the private sector would also need to be addressed by new legislation.

“Public interest in this issue developed very rapidly with the use of live facial recognition by South Wales Police and the Metropolitan Police. There was a public concern…that there wasn’t already a clear legal framework around the use of facial images in this way,” he said, adding it was a “galvanizing event” that brought more attention to the use of LFR by private companies too.

“It will be possible to use live facial recognition purely for a private commercial profit motive interest, without necessarily making the individual aware that it is happening. This is simply the analog of what we’re already seeing in the use made of the data that every day all of us give, not just to big tech companies but the small companies as well, and the fact that they are exploiting that and selling that data on without our understanding.”

Referring to the case of South Wales Police – which the High Court ruled in August 2020 was using LFR unlawfully by not having conducted the appropriate checks for bias and discrimination – Wiles pointed to the fact the tech was provided by a private firm “which refused to disclose what they knew about [the system’s] biases” to the police force, something that would need to be addressed in legislation.

The supplier to South Wales Police and the Metropolitan Police, the Japanese biometrics firm NEC, launched a facial recognition system in January 2021 for identifying people wearing masks.

Since the start of the pandemic, many other biometrics companies from across the globe have been busy updating their facial recognition algorithms to identify people with hidden faces, also in response to the sudden and widespread adoption of masks.

In June 2021, information commissioner Elizabeth Denham said she was “deeply concerned” about the inappropriate and reckless use of LFR in public spaces. This prompted her to publish an official Information commissioner’s opinion to guide companies and public organizations looking to deploy biometric technologies.

In an accompanying blog post, she noted: “It is telling that none of the [private] organizations involved in our completed investigations could fully justify the processing and, of those systems that went life, none were fully compliant with the requirements of data protection law. All of the organizations chose to stop, or not proceed with, the use of LFR.”

A patchwork of legislation

In July 2019, the Science and Technology Committee published a report identifying the lack of legislation surrounding LFR. It called for a moratorium on its use until a framework was in place.

In its official response to the report, which was given after a delay of nearly two years in March 2021, the government claimed: “already a comprehensive legal framework for the management of biometrics, including facial recognition”.

Outlining the framework, the government said it included police joint law powers to prevent and detect crime, the Data Protection Act 2018 (DPA), the Human Rights Act 1998, the Equality Act 2010, the Police and Criminal Evidence Act 1984 (PACE), the Protection of Freedoms Act 2012 (POFA), and police forces’ own published policies.

UK government

“In terms of oversight and regulation, the Information Commissioner’s Office regulates compliance with the DPA, including police use and retention of biometrics, and POFA created the surveillance camera commissioner and biometrics commissioner roles and the Forensic Information Databases Service strategy board, which oversees the police DNA and fingerprint databases,” it said.

“While it is a strong framework, the government recognizes that it is complex for the police and public, and so could arguably inhibit the confident adoption of technologies that can help us improve public safety and keep up with the pace of technological change.”

Responding to the Science and Technology Committee’s questions about whether the government would seek to legislate specifically on biometrics, policing minister Kit Malthouse said: “Obviously, there is a framework at the moment, and that’s been adduced through the courts, but as technology advances, we would like to get to a position where both the police and the public can be confident about the legislative architecture that enables the adoption of future technology.

“Whether that is required through legislation or not is a matter of discussion, but we’ve got a manifesto commitment, so no doubt we’ll bring forward plans before the next election.” Malthouse was asked for a more specific timeline but could not provide one.

Related Posts