The Information Commissioner’s Office (ICO) has completed its first-ever data protection audit of UK police forces deploying facial recognition technologies (FRT), noting it is “encouraged” by its findings.
The ICO’s audit, which investigated how South Wales Police and Gwent Police are using and protecting people’s personal information when deploying facial recognition, marks the first time the data regulator has formally audited a UK police force for its use of the technology.
According to an executive summary published on 20 August, the scope of the facial recognition audit – which was agreed with the two police forces beforehand – focused on questions of necessity and proportionality (a key legal test for the deployment of new technologies), whether its design meets expectations around fairness and accuracy, and whether “the end-to-end process” is compliant with the UK’s data protection rules.
“We are encouraged by the findings, which provide a high level of assurance that the processes and procedures currently in place at South Wales Police and Gwent Police are compliant with data protection law,” said the deputy commissioner for regulatory policy, Emily Keaney, in a blog post.
“The forces made sure there was human oversight from trained staff to mitigate the risk of discrimination and ensure no decisions are solely automated, and a formal application process to assess the necessity and proportionality before each LFR deployment,” she wrote.
The executive summary added that South Wales Police and Gwent Police have “comprehensively mapped” their data flows, can “demonstrate the lawful provenance” of the images used to generate biometric templates, and have appropriate data protection impact assessments (DPIAs) in place.
It further added that the data collected “is adequate, relevant and limited to what is necessary for its purpose”, and that individuals are informed about its use “in a clear and accessible manner”.
However, Keaney was clear that the audit only “serves as a snapshot in time” of how the technology is being used by the two police forces in question. “It does not give the green light to all police forces, but those wishing to deploy FRT can learn from the areas of assurance and areas for improvement revealed by the audit summary,” she said.
Commenting on the audit, chief superintendent Tim Morgan of the joint South Wales and Gwent digital services department, said: “The level of oversight and independent scrutiny of facial recognition technology means that we are now in a stronger position than ever before to be able to demonstrate to the communities of South Wales and Gwent that our use of the technology is fair, legitimate, ethical and proportionate.
“We welcome the work of the Information Commissioner’s Office audit, which provides us with independent assurance of the extent to which both forces are complying with data protection legislation.”
He added: “It is important to remember that use of this has never resulted in a wrongful arrest in South Wales and there have been no false alerts for several years as the technology and our understanding has evolved.”
Lack of detail
While the ICO provided a number of recommendations to the police forces, it did not provide any specifics in the executive summary beyond the priority level of the recommendation and whether it applied to the forces’ use of live or retrospective facial recognition (LFR or RFR).
For LFR, it said it made four “medium” and one “low” priority recommendations, while for RFR, it said it made six “medium” and four “low” priority recommendations. For each, it listed one “high” priority recommendation.
Computer Weekly contacted the ICO for more information about the recommendations, but received no response on this point.
Although the summary lists some “key areas for improvement” around data retention policies and the need to periodically review various internal procedures, key questions about the deployments are left unanswered by the ICO’s published material on the audit.
For example, before they can deploy any facial recognition technology, UK police forces must ensure their deployments are “authorised by law”, that the consequent interference with rights – such as the right to privacy – is undertaken for a legally “recognised” or “legitimate” aim, and that this interference is both necessary and proportionate. This must be assessed for each individual deployment of the tech.
However, beyond noting that processes are in place, no detail was provided by the ICO on how the police forces are assessing the necessity and proportionality of their deployments, or how these are assessed in the context of watchlist creation.
Although more detail on proportionality and necessity considerations is provided in South Wales Police’s LFR DPIA, it is unclear if any of the ICO’s recommendations concern this process.
While police forces using facial recognition have long maintained that their deployments are intelligence-led and focus exclusively on locating individuals wanted for serious crimes, senior officers from the Metropolitan Police and South Wales Police previously admitted to a Lords committee in December 2023 that both forces select images for their watchlists based on crime categories attached to people’s photos, rather than a context-specific assessment of the threat presented by a given individual.
Computer Weekly asked the ICO whether it is able to confirm if this is still the process for selecting watchlist images at South Wales Police, as well as details on how well police are assessing the proportionality and necessity of their deployments generally, but received no response on these points.
While the ICO summary claims the forces are able to demonstrate the “lawful provenance” of watchlist images, the regulator similarly did not respond to Computer Weekly’s questions about what processes are in place to ensure that the millions of unlawfully held custody images in the Police National Database (PND) are not included in facial recognition watchlists.
Computer Weekly also asked why the ICO is only beginning to audit police facial recognition use now, given that it was first deployed by the Met in August 2016 and has been controversial since its inception.
“The ICO has played an active role in the regulation of FRT since its first use by the Met and South Wales Police around 10 years ago. We investigated the use of FRT by the Met and South Wales and Gwent police and produced an accompanying opinion in 2021. We intervened in the Bridges case on the side of the claimant. We have produced follow-up guidance on our expectations of police forces,” said an ICO spokesperson.
“We are stepping up our supervision of AI [artificial intelligence] and biometric technologies – our new strategy includes a specific focus on the use of FRT by police forces. We are conducting an FRT in Policing project under our AI and biometrics strategy. Audits form a core part of this project, which aims to create clear regulatory expectations and scalable good practice that will influence the wider AI and biometrics landscape.
“Our recommendations in a given audit are context-specific, but any findings that have applicability to other police forces will be included in our Outcomes Report due in spring 2026, once we have completed the rest of the audits in this series.”
EHRC joins judicial review
In mid-August 2025, the Equality and Human Rights Commission (EHRC) was granted permission to intervene in an upcoming judicial review of the Met Police’s use of LFR technology, which it claims is being deployed unlawfully.
“The law is clear: everyone has the right to privacy, to freedom of expression and to freedom of assembly. These rights are vital for any democratic society,” said EHRC chief executive John Kirkpatrick.
“As such, there must be clear rules which guarantee that live facial recognition technology is used only where necessary, proportionate and constrained by appropriate safeguards. We believe that the Metropolitan Police’s current policy falls short of this standard.”
He added: “The Met, and other forces using this technology, need to ensure they deploy it in ways which are consistent with the law and with human rights.”
Writing in a blog about the EHRC joining the judicial review, Chris Pounder, director of data protection training firm Amberhawk, said that, in his view, the statement from Kirkpatrick is “precisely the kind of statement that should have been made by” information commissioner John Edwards.
“In addition, the ICO has stressed the need for FRT deployment ‘with appropriate safeguards in place’. If he [Edwards] joined the judicial review process as an interested party, he could get judicial approval for these much vaunted safeguards (which nobody has seen),” he wrote.
“Instead, the ICO sits on the fence whilst others determine whether or not current FRT processing by the Met Police is ‘strictly necessary’ for its law enforcement functions. The home secretary, for her part, has promised a code of practice which will contain an inevitable bias in favour of the deployment of FRT.”
In an appearance before the Lords Justice and Home Affairs Committee on 8 July, home secretary Yvette Cooper confirmed the government is actively working with police forces and unspecified “stakeholders” to draw up a new governance framework for police facial recognition.
However, she did not comment on whether any new framework would be placed on a statutory footing.
Source link
