Response of the Biometrics and Surveillance Camera Commissioner to the ICO consultation on the draft biometric data guidance (accessible)
Published 14 September 2023
12 September 2023
I am grateful for the opportunity to comment on the ICO’s consultation on its draft biometric data guidance in my capacity as Biometrics and Surveillance Camera Commissioner. I do not intend to address individual questions posed on the consultation, rather will raise some high-level points where I see crossovers in my work and that of the ICO, and where there will be a shortfall in oversight brought about by the Data Protection and Digital Information Bill.
The Data Protection and Digital Information Bill, which will resume its passage through Parliament in the autumn, seeks to reform the oversight landscape for biometrics and surveillance technology so far as it applies to policing and local authorities, and is based on the premise that public space surveillance is simply a subset of wider data protection and privacy. If Parliament accepts that premise, the ICO as the UK’s data protection authority will be expected to step in to fill the gap, not only where matters would otherwise fall to the Surveillance Camera Commissioner and compliance with the Surveillance Camera Code, but also where far wider gaps in the current arrangements have left the most prolific users of public space surveillance systems (transport, hospitals, universities and even central government) without specific regulation.
In my response to the ICO25 consultation last year, I highlighted the need for such guidance to extend to processing for law enforcement purposes and processing by the security and intelligence agencies, under Parts 3 and 4 of the DPA respectively[footnote 1]. It is encouraging that the ICO has worked to identify some of the material uses of personal data in biometric surveillance, and this guidance should be seen as a first step in providing guidance on their lawfulness in light of requirements under the relevant legal framework. However, further consideration must be given to putting in place guidance for specific data processing under Parts 3 and 4 (and also Schedule 14), which in turn will ensure clear guidance underpins the development and eventual deployment of new biometric surveillance technologies.
This guidance is a missed opportunity to start plugging the oversight and guidance gap caused by the abolition of the biometrics oversight role I currently fulfil, and the government’s silence on where responsibility will subsequently lie accompanying those changes. If the decision is not to develop this guidance, then the ICO must stand ready to provide practical, timely advice when called upon by developers and deployers.
I also have reservations that the ICO’s guidance is not, in their words, intended to be a comprehensive guide to compliance when using biometric data. Future regulation and oversight ought to reflect both the potential and the risk, and it will be vital that the ICO work with the Forensic Science Regulator and others to understand the challenges and opportunities around biometric surveillance, and which organisation is better suited to deliver the guidance that is needed. While the Information Commissioner’ s role is itself substantially altered by the current Bill’s provision, there are greyer areas where regulatory responsibility is not clear cut, particularly as new technologies develop.
While the state’s use of biometric surveillance technology plainly engages individual data rights, it is well documented that some of the key issues giving rise to public trust and confidence considerations go beyond data protection and therefore, by extension, beyond the current remit of the ICO. These issues must be addressed to achieve the aspirational clear regulatory landscape, and provide developers and practitioners with the clear guidance they need.
Yours sincerely
Professor Fraser Sampson
Biometrics and Surveillance Camera Commissioner