After further research, the Outsourced DPO came across an article posted on wired.co.uk https://www.wired.co.uk/article/coop-facial-recognition. The source of the story is an article written by Graham Lewis, the Co-Op’s Loss Prevention Officer at the Southern Co-Op that is posted on the Facewatch website https://www.facewatch.co.uk/2020/10/05/facewatch-at-the-southern-co-op/.
In this article Mr Lewis states that all of the Co-Op’s customers have been made aware of the use of FR through distinctive signage and that the Co-Op has ensured that the system is configured to “not store images of customers unless they have been identified in relation to a crime.” He says that this ensures their processing is GDPR compliant! Oh great… that must be ok then! Apparently, the system alerts store teams immediately when someone enters their store who has a past record of theft or anti-social behaviour, giving the Co-Op’s teams time to decide on the best course of action, which is, according to Mr Lewis, “incredibly important”. More important, it would seem, than the rights of everyone else using the Co-Op.
Earlier this year the Court of Appeal ruled that the use of automatic facial recognition (AFR) by South Wales Police was unlawful. Whilst the Court found that the use of AFR was a proportionate interference with human rights and that the benefits outweighed the impact on individuals, the judgement was in respect of the use of AFR by a law enforcement agency. How widespread the use of FR is in private companies is not known – but it’s worrying that the Co-Op has been using this system for 18 months.
From a GDPR perspective, providing the distinctive signage Mr Lewis references is only the tip of the iceberg. Even if we assume that this distinctive signage contains all of the information required of privacy information, it makes one wonder what the lawful basis for processing is. It can only be legitimate interests. None of the other options available in Article 6 could possibly apply, as the processing in question is being carried out for the private interests of the Co-Op. If the Co-Op believes that it is carrying out a task in the public interest and that the use of AFR is necessary for it to undertake this task – the Outsourced DPO would like to see the data protection impact assessment where the lawful grounds were considered. So if it’s processing based on legitimate interests – presumably there is also a legitimate interests assessment as well as a data protection impact assessment?
The privacy notice on the Co-Op’s website makes no mention of automated processing or AFR https://www.coop.co.uk/terms/privacy-notice. If appropriate privacy information is provided locally in affected stores, there is no need for this to be mentioned in its website privacy notice. But is this a deliberate privacy notice layering strategy or an oversight? The privacy notice does not mention whether the Co-Op has appointed a Data Protection Officer (DPO). One would have thought that the kind of monitoring and analytics that happen in relation to a loyalty card scheme would be a core activity of the Co-Op affecting tens of thousands of people. So, following that logic, the Co-Op should have appointed a DPO. It’s hard to determine whether that’s the case, as this is not recorded on the ICO’s register of fee payers. As the register does record the details of DPOs in NHS trusts, one assumes that the Co-Op has not appointed one. It would be interesting to see their rationale for this.
When you stop and think about how this FR system works, you start to ask even more basic questions. Imagine you walk into a Co-Op store where this technology has been deployed. As you stop to read the comprehensive and highly visible privacy information, your face is scanned. The image is analysed and compared to a database of known offenders. Where does that database come from? Who maintains it? How is it compiled and checked for accuracy? Do you remember the doppelganger of Friends and Band of Brothers star David Schwimmer stealing beer in 2018? It’s inevitable that this rogues’ gallery database contains false positives. Is this a database of convicted offenders or suspects? If the former, then it must comply with Article 10 of the GDPR. Perhaps the Co-Op’s database provider is relying on a DPA18 Schedule 1 condition – section 10 of Schedule 1 for instance, although it is debatable whether this would be applicable.
How far back does this database go, and where does the image of the offender or suspect come from in the first place? There are so many questions about this on so many levels, and it’s something that the ICO is on to and due to report on early next year.
The only store in the Outsourced DPO’s village is a Co-Op. And the only two stores in the next village along are both Co-Ops! Maybe it’s time to break out the Billy Murphy mask again?