The client was a large global organisation with a public service mission that wanted to use 1:1 facial recognition for a social benefit purpose.
Facial recognition, like any biometrics, raises unique questions related to data protection and privacy which require appropriate risk assessment.
The client approached AWO to ensure its use of 1:1 facial recognition involved appropriate guardrails and compliance with the applicable data protection framework.
Our approach
- Data protection impact assessment
  We undertook a large-scale Data Protection Impact Assessment on the proposed use case and practical safeguards. This involved interviews with relevant stakeholders in the organisation, including from the projects team and the IT team. We then benchmarked the risks against the applicable framework and identified the key risks to individuals. We then recommended mitigation measures to be implemented on a priority basis.
- Privacy notices
  We drafted privacy notices for the use of facial recognition in these limited circumstances so that individuals were provided with appropriate transparency about the use case. This included key information such as how personal data would be stored, retention periods, security measures and purpose limitation.
- Internal policy
  We also drafted an internal Biometrics policy for this organisation specifying which use cases are acceptable for the organisation. This policy was prepared to demonstrate accountability and transparency throughout the organisation.
The recommendations were incorporated into a trial of the technology with a limited scope to test the use case. Our team has gone on to support this organisation with a series of other comprehensive data protection impact assessments for a range of different tools and processes.