As the committee is aware, the Information Commissioner’s Office has issued the commissioner’s opinion on use of live facial recognition technology, subsequent to the case of R (on the application of Bridges) v Chief Constable of South Wales Police. In that case, the court found that use of the technology had been lawful, bearing in mind all the other restrictions that are in place, including data protection legislation. Our view is that that judgment was on a specific case and cannot be applied as a general framework. The fact that that opinion on it is the first one that the commissioner has written emphasises the importance that she gives to the issue. Under the GDPR, she has a new power to produce opinions, which came into effect last year: that is the first one, so you can see that the issue is a high priority for her.
The commissioner's view is that we should look at each use of the technology individually, that a clear case has to be made for its use, and that that has to be recorded, as is required by the appropriate use policy under the Data Protection Act 2018. Every case should be looked at separately and a DPIA—data protection impact assessment—should be carried out. Use should be focused and narrowed down; the arguments for each use of the technology must be clear and understandable and made clear to the public, as use continues.
The judgment exists and we have to build on it. As is implied in the Information Commissioner’s opinion and her references to the Surveillance Camera Commissioner, who obviously does not have jurisdiction in Scotland, anything that can clarify how we in Scotland would like the technology to be deployed would be helpful.
13:15