Quickly exit this site by pressing the Escape key Leave this site
We use some essential cookies to make our website work. We’d like to set additional cookies so we can remember your preferences and understand how you use our site.
You can manage your preferences and cookie settings at any time by clicking on “Customise Cookies” below. For more information on how we use cookies, please see our Cookies notice.
Your cookie preferences have been saved. You can update your cookie settings at any time on the cookies page.
Your cookie preferences have been saved. You can update your cookie settings at any time on the cookies page.
Sorry, there was a technical problem. Please try again.
This site is a beta, which means it's a work in progress and we'll be adding more to it over the next few weeks. Your feedback helps us make things better, so please let us know what you think.
Project Proposal Name: Live Facial Recognition
Project Sponsor: ACC Andrew Pritchard
Information Asset Owner: DCS Morgan Cronin
DPIA Advisor: Michelle Watson
Date on which processing will commence: 12/08/2024
Date submitted to DPIA Advisor: 29/07/2024
DPO Comments: 29/07/2024
A full DPIA2 is required. This processing involves a number of the areas deemed as potentially high-risk processing to the rights and freedoms of data subjects and as such a full DPIA must be undertaken.
In this section you must explain what the processing is, who it will involve, and the intended impact. You must also demonstrate why the processing is necessary and proportionate, providing evidence to support your assessment.
• The processing must be necessary for the specific objective of the proposal.
• It must also be proportionate, meaning that the advantages resulting from the processing should not be outweighed by the disadvantages to individuals.
Live Facial Recognition (LFR) is a real-time deployment of facial recognition technology, which compares live camera feed(s) of faces against a predetermined watchlist and generates an alert when a possible match is found.
LFR can be a valuable policing tool that helps forces keep the public safe and to meet their common law policing duties, which include the prevention and detection of crime, the preservation of order, and bringing offenders to justice.
The following are illustrative examples where LFR may assist Essex Police achieve their policing purposes:
The technical operation of LFR comprises of the following seven stages:
The LFR application requires a watchlist of reference images against which to compare facial images from the video feed. For images to be used for LFR, they are processed so that the ‘facial features’ associated with their subjects are extracted and expressed as numerical values (a Biometric Template).
The Essex Police LFR policy outlines considerations relevant to lawfully compiling a watchlist including determining which persons may be on a watchlist and the sources of watchlist imagery.
A CCTV camera takes digital pictures of facial images in real time, capturing images as a person moves through the zone of recognition and using it as a live feed. The siting of the CCTV cameras, and therefore the LFR deployment location is important to the lawful use of LFR. The Essex Police LFR policy and standard operation procedure (SOP) provide considerations relevant to the locations Essex Police may select to deploy the cameras when using them for LFR.
Once a CCTV camera used in a live context captures footage, the LFR software detects individual human faces.
Taking the detected face the software automatically extracts facial features from the image, creating the Biometric Template.
The LFR software compares the Biometric Template with those held on the watchlist.
When the facial features from two images are compared the LFR application generates a similarity score. This is a numerical value indicating the extent of similarity, with a higher score indicating greater points of similarity. A threshold value is set to determine when the LFR software will generate an alert to indicate that a possible match has occurred. Trained members of police personnel will review the alerts and make a decision as to whether any further action is required. In this way, the LFR application works to assist police personnel to make identifications rather than acting as an autonomous machine-based process devoid of user input.
The watchlist is bespoke for every deployment and the rationale for the make-up of the watchlist must be intelligence-led, justified, proportionate and necessary, with the nature of the watchlist recorded prior to each deployment.
The candidate images and related biometric template are deleted immediately post deployment and in any case within 24 hours.
The criteria for constructs of watchlists for use with LFR must be approved by the Authorising Officer (the ‘AO’) and be specific to an operation or to a defined policing objective. Watchlists, and any images for inclusion on a watchlist, must also be limited to the categories of image articulated in Force policy documents which are images of people who are:
The inclusion in a watchlist will be deemed strictly necessary to achieving the policing outcome and only when less intrusive means of location have proved unsuccessful.
Each deployment of Live Facial Recognition will be subject to a full Authorising Officer predeployment authorisation report which will clearly define the strictly necessary argument for processing personal data, along with setting out clearly the case for the deployment’s compliance with the College of Policing’s Authorised Professional Practice of being targeted, intelligence led and time bound and geographically limited. That document should be read in conjunction with this DPIA for a full understanding of the specific processing, risk assessment and mitigations applied.
Provide an overview of the categories of personal data that will be processed, for example: names, DOBs, addresses, health data, criminal records, or any other unique identifiers such as IP addresses, usernames, e-mail addresses.
Personal data which is already accessible and processed by the police (images held in Athena by example) will be processed in conjunction with the use of LFR.
This information will be added to a watchlist and uploaded onto live facial recognition software. For images to be used for LFR, they are processed so that the ‘facial features’ associated with their subjects are extracted and expressed as numerical values (a Biometric Template).
CCTV camera takes digital pictures of facial images in real time, capturing images as a person moves through the zone of recognition. The LFR software then detects individual human faces, and automatically extracts facial features from the image, creating a Biometric Template.
The LFR software then compares the Biometric Template with those held on the watchlist. If there is a match, the LFR system will create an alert, resulting in police personnel checking the images to see if they match. If they do, an officer(s) will be sent to engage with the person identified.
Data associated with the person from the watch list, which may include but not is limited to their name, date of birth and address of an individual, will not be included in the actual LFR deployment of facial recognition technology but would be processed in the event of a possible match.
LFR overall deployment will involve various categories of personal data including biometric data for the LFR software, however names, DOB’s, addresses, criminal offence data may be recorded as part of the deployment with data subjects matched and engaged by police. The data will be processed both in relation to those entered onto the watchlist and of those data subjects passing the zone of recognition of the CCTV camera although not all data sets will be captured for all, ie name, address, DOB etc are only relevant to those data subjects on the watchlist, and who officers will engage with if matched. Those data subjects who pass the zone of recognition but are not subject of the watchlist will have their images deleted immediately.
(Select all that apply)
The LFR application does not process specific data related to race or ethnic origin, Essex Police recognise that due to public interest in the system, and the use of images to create a watch list then Essex Police have recognised this special category data here to ensure additional recognition of and protection of the rights and freedoms of data subjects in these categories.
Briefly outline how you will obtain the data, examples include: directly from data subjects, from another data set already in the force’s possession, from a partner agency.
CCTV cameras deployed will capture images / biometric data of people walking passed the camera zone of recognition. Live facial recognition software will then compare that biometric data to the data on the watchlist which is compiled from data already held by Essex Police through lawfully held images such as custody images.
Briefly describe how the data will be used, recorded, and stored and who it will be shared with.
The data obtained will be automatically cross referred against a pre-prepared watch list as explained in 2.1. All other biometric data captured will be deleted immediately. The CCTV feed will be deleted within 31 days.
(Please specify one answer below)
(Please select all applicable categories below)
All categories selected
If other then please provide further details below:
Deployments will be a real time capture of the biometric templates of any individuals who cross the path of the camera therefore a cross section of the general public including all categories will potentially be processed.
The watchlist will be compiled from lawfully held images based on the criteria for the deployment.
It is possible that the personal data of individuals aged under 18 years, those under 13 years, a person with a disability or vulnerable adults will be processed where there is a policing need, and it is deemed to be necessary and proportionate to locate and/or safeguard these individuals.
Will the force collect data that it has not previously collected or had access to?
Yes. The capture of biometric data of data subjects passing the zone of recognition does ultimately mean that the force will be processing data it has not previously collected however, where a data subject is not matched with those on the watchlist, the image is deleted immediately.
For example, can the aim be achieved by using less data or different types of data? Are all categories of data necessary to achieve the aim?
LFR can be a valuable policing tool that helps Forces keep the public safe and to meet their common law policing duties, which include the prevention and detection of crime, the preservation of order, and bringing offenders to justice.
The following are illustrative examples where LFR may assist Essex Police achieve their policing purposes:
LFR can support police officers by efficiently searching for perpetrators of violence in crowded locations where it might otherwise be difficult to locate them.
The challenges presented in locating and arresting offenders should rightly be challenged and with the assistance of technology, more enhanced and cost-effective methods can be called upon to bring those responsible or suspected of offences more quickly to justice.
Those data subjects added to a watchlist, will be subject to strict criteria as set out in the Essex Police policy, and where less intrusive means have proven unsuccessful. The deployment and location will be determined by there being reasonable grounds to suspect that the proposed deployment location is one at which one or more persons on the watchlist will attend at a time, or times, at which they are to be sought by means of LFR.
Weigh the advantages of achieving your purpose against disadvantages to data subjects.
As explained above LFR can have a significant impact in helping the Essex Police achieve their policing purpose by supporting police to arrest those wanted for serious offending, for those who mean to cause serious harm and for those who may be at high risk of harm themselves.
Essex Police understands that LFR is a new technology and there may rightly be concerns from data subjects as to the intrusiveness of the technology. For those not on the watchlist who are in an area where LFR is deployed there will be no impact and minimal intrusiveness except where there is an alert, whereby an officer will compare the images and if necessary, can speak with the identified individual. The signage and information around the target location means that individuals can choose not to be in the vicinity of the LFR technology. For those not on the watch list who do have their biometric data captured, the data is deleted immediately.
To process personal data you must have a lawful basis. Please select the one appropriate lawful basis from the drop down list.
Lawful Basis for Operational Data (Personal data processed for law enforcement purposes):
Lawful Basis for Administrative Data (Personal data processed for non-law enforcement purposes, e.g. for HR or Commercial purposes):
If processing special category data (section 2.3) you must have identified a further lawful condition
Operational Data:
AND
One of the following conditions applies (select from the list):
Administrative Data
It is necessary for one of the following conditions (select from the list):
Choose an item.
OR
AND for the following purpose:
The Essex Police Appropriate Policy Document (APD) sets out how Essex Police complies with data protection legislation in the processing of sensitive and special category data for both law enforcement and general purposes.
All records must have an initial retention period set by the owner of the information when first created or received; review and disposal criteria are defined within W 1012 Procedure/SOP – Records Review, Retention & Disposal.
The Essex Police Appropriate Policy Document (APD) and the Force Policy outlines the retention policy.
(E.g., in paper format, on a different system etc). This data may not currently be captured via a different method.
This is a new system to Essex Police. We will use existing images available to Essex Police from Athena and other police systems to create the watch list.
The data generated by LFR software is not currently captured.
We have not had this technology to utilise previously (other than to trial the technology), therefor traditional policing investigation techniques are currently used to locate those that may be added to watchlist. The EP policy setting out the criteria for being added to a specific watchlist would ensure that there is an assessment of proportionality and necessity will be undertaken before inclusion.
N/A – no records will be collected by an old method.
N/A
If the records you are collating relate to crime investigation, please go to Section 4.2. If they relate to a non-crime function, please go to Section 4.3.
They are not evidential. Any matches between the images captured and the watch list will simply result in an officer approaching the person and conducting a stop check.
Biometric data will be immediately destroyed if there is no match to data on the watch list, and within 24 hours if there is a match.
All CCTV footage generated from LFR Deployments is deleted within 31 days, except where retained:
For example, is a MOPI grouping selected? Is an offence type selected?
Biometric data will be immediately destroyed if there is no match to data on the watch list, and within 24 hours if there is a match.
All CCTV footage generated from LFR Deployments is deleted within 31 days, except where retained:
Consider how long the records are retained – are they retained differently according to MOPI group? Will records be reviewed prior to deletion - if so, how do you know when to review them and who will be completing this? Is any deletion of records automated and if so, please explain how this process works?
The LFR application will create biometric templates of the faces in the watchlist. This will then use a live camera feed to scan faces of individuals in a designated area creating biometric templates of each to compare against those in the watchlist.
The application ‘extracts’ a face from CCTV footage and creates a biometric template and then compares it against a pre-defined watchlist. Every candidate image in the watchlist will also have a biometric template created. In doing so, the application does not save the live CCTV feed, only a particular face if a possible match is made against a candidate image along with a wider CCTV frame from which the image was extracted.
The CCTV feed will itself be saved for 31 days and then deleted.
Not every person that is captured via the CCTV will be enrolled into the application. The face must be of sufficient quality to enrol into the application. The level of enrolment rate will be dependent on many factors, the significant of these include:
It is the intention during each Deployment to allow the LFR application to enrol and therefore process as many individuals as possible, however any processing that does not lead to an alert will be momentary, and the image permanently deleted. No additional information will be attributed to the images of individuals enrolled into the LFR application. The application has a built-in audit trail functionality that ensures images that do not generate a possible match against a candidate image are not retained within it. The watchlist is created via a CSV file which is saved in a secure folder along with the corresponding
candidate images within the force ICT domain. The content of the folder is extracted into the LFR application prior to deployment via a secure file sharing platform.
The maximum retention period for possible match images and the related biometric templates is 24 hours although generally this information is deleted immediately postdeployment.
Please provide relevant policy numbers.
Yes. Force Policy has been written and is currently going through the governance process for publication. An Appropriate Policy Document has been produced to ensure compliance with Data Protection legislation.
(For example, paper copies in casefiles, discs etc)
No
Yes
Please see 4.2.5
Please see 4.2.3
(For example, paper copies in casefiles, discs etc)
No
The Information Commissioner’s Office have published a number of factors that present a ‘high risk’ when processing personal data. Saying yes to one or more of the following may indicate that the processing is high risk and a Stage 2 DPIA is likely to be required.
Does the processing involve:
“Any systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects, or significantly affect the natural person”
Profiling is any form of processing where personal data is used to evaluate certain personal aspects relating to an individual, including the analysis or prediction of an individual’s performance.
Automated decision-making involves making a decision that affects someone by technological means without human involvement, for example issuing speeding fines solely based on evidence captured from speed cameras.
“Processing on a large scale of special categories of data, or personal data relating to criminal convictions and offences referred to in Article 10”
“Systematic monitoring of a publicly accessible area on a large scale”
See section 4.2.3.
“Processing involving the use of new technologies, or the novel application of existing technologies (including Artificial Intelligence)”
Live facial recognition is a relatively new technology in policing.
“Decisions about an individual’s access to a product, service, opportunity or benefit which is based to any extent on automated decision-making (including profiling) or involves the processing of special category data”
“Any processing of biometric data” and/or “any processing of genetic data other than that processed by an individual GP or health professional, for the provision of health care direct to the data subject”
Biometric data can include Facial Recognition technology, fingerprints and is defined as
LFR processes biometric data
“Combining, comparing or matching personal data obtained from multiple sources”
The LFR application will create biometric templates of the faces in the Watchlist. This will then use a live camera feed to scan faces of individuals in a designated area creating biometric templates of each to compare against those in the watchlist.
“Processing of personal data that has not been obtained direct from the data subject in circumstances where providing a Privacy Notice would prove impossibleor involve disproportionate effort”
For example, when gathering data, without the knowledge of the data subject, in the course of a police investigation.
There will be a period of public consultation prior to any deployment as well as clear and overt signage advising members of the public that they are walking into the area scanned by the LFR technology. There is no invisible processing.
“Processing which involves tracking an individual’s geolocation or behaviour,including but not limited to the online environment”
“The use of the personal data of children or other vulnerable individuals formarketing purposes, profiling or other automated decision-making, or if you intend to offer online services directly to children
For example, the use of personal data relating to children for the purposes of marketing their online safety products.
“Processing is of such a nature that a personal data breach could jeopardise the [physical] health or safety of individuals”.
For example, if data relating to CSAE, HUMINT or protected persons data was compromised then it could jeopardise the safety of individuals.
5.12 Evaluation or scoring?
“Aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements” For example, as part of a police recruitment process.
Considerations include:
The cameras to be deployed will capture images of people in the designated camera zone.
Not every person that is captured via the CCTV will be enrolled into the application. The face must be of sufficient quality to enrol into the application. The level of enrolment rate will be dependent on many factors, the significant of these include:
However, it is impossible to say in advance how many persons may walk in view of the camera.
The rights are: