Is The Co-Op Living Under A Rock?

By Myles Dacres

The Outsourced DPO came across a story this morning that stated the Co-Op has been using Facewatch FR, a facial recognition technology, in 18 of their stores for the last 18 months.

After further research, the Outsourced DPO found that the source of the story is an article written by Graham Lewis, the Co-Op’s Loss Prevention Officer at the Southern Co-Op, that is posted on the Facewatch website.

In this article Mr Lewis states that all of the Co-Op’s customers have been made aware of the use of FR through distinctive signage and the Co-Op has ensured that the system is configured to “not store images of customers unless they have been identified in relation to a crime.” He says that this ensures their processing is GDPR compliant! Oh great… that must be ok then! Apparently, the system alerts store teams immediately when someone enters their store who has a past record of theft or anti-social behaviour, giving Co-Op’s teams time to decide on the best course of action which is, according to Mr Lewis, “incredibly important”. More important, it would seem, than the rights of everyone else using the Co-Op.

Earlier this year the Court of Appeal ruled that the use of automatic facial recognition (AFR) by South Wales Police was unlawful.  Whilst the Court found that the use of AFR was a proportionate interference with human rights and that the benefits outweighed the impact on individuals, the judgement was in respect of the use of AFR by a law enforcement agency.  How widespread the use of FR is in private companies is not known – but it’s worrying that the Co-Op has been using this system for 18 months.

From a GDPR perspective, providing the distinctive signage Mr Lewis references is only the tip of the iceberg. Let’s assume that this distinctive signage contains all of the information required of privacy information; it makes one wonder what the lawful basis for processing is. It can only be legitimate interests. None of the other options available in Article 6 could possibly apply as the processing in question is being carried out for the private interests of the Co-Op. If the Co-Op believes that it is carrying out a task in the public interest and that the use of AFR is necessary for them to undertake this task – the Outsourced DPO would like to see the data protection impact assessment where the lawful grounds were considered. So if it’s processing based on legitimate interest – presumably there is also a legitimate interest assessment as well as a data protection impact assessment?

The privacy notice on the Co-Op’s website makes no mention of automated processing or AFR. If appropriate privacy information is provided locally in affected stores, there is no need for this to be mentioned on its website privacy notice. But is this a deliberate privacy notice layering strategy or an oversight? The privacy notice does not mention whether the Co-Op has appointed a Data Protection Officer (DPO). One would have thought that the kind of monitoring and analytics that happen in relation to a loyalty card scheme would be a core activity of the Co-Op affecting tens of thousands of people. So by the logical process, the Co-Op should have appointed a DPO. It’s hard to determine if that’s the case as this is not recorded on the ICO’s register of fee payers. As the register records the details of DPOs in NHS trusts, one assumes that the Co-Op has not appointed one. It would be interesting to see their rationale for this.

When you stop and think about how this FR system works, you start to ask even more basic questions. Imagine you walk into a Co-Op store where this technology has been deployed. As you stop to read the comprehensive and highly visible privacy information, your face is scanned. The image is analysed and compared to a database of known offenders. Where does that database come from? Who maintains it? How is it compiled and checked for accuracy? Do you remember the Friends and Band of Brothers star David Schwimmer doppelganger stealing beer in 2018? It’s inevitable that this rogues’ gallery database contains false positives. Is this a database of convicted offenders or suspects? If the former, then it must comply with Article 10 of the GDPR. Perhaps the Co-Op’s database provider is relying on a DPA18 Schedule 1 condition – section 10 of Schedule 1 for instance, although it is debatable whether this would be applicable.

How far back does this database go and where does the image of the offender or suspect come from in the first place?  There are so many questions about this on so many levels and it’s something that the ICO is on to and due to report on early next year.

The only store in the Outsourced DPO’s village is a Co-Op.  And the only two stores in the next village along are both Co-Ops!  Maybe it’s time to break out the Billy Murphy mask again?
