UK commissioner has advice on proposed biometrics code of practice for privacy regulator
Outgoing UK Biometrics and Surveillance Camera Commissioner Fraser Sampson says in a response to the consultation on biometric information by the Office of the Privacy Commissioner that the idea of establishing a biometrics code of practice is a good one. The details of the new regulatory framework will be important, however, and ensure biometrics use is permissible and publicly acceptable.
The policy paper from Sampson notes that the capabilities of biometric surveillance systems are growing at an accelerating pace, and accordingly so is their effectiveness. People must have confidant in the systems as a whole, he writes, and the parameters for their use must be publicly accessible and understandable.
The need for regulation and oversight of biometrics goes beyond data rights, he says, noting; “some of the key issues that have raised significant questions of public trust and confidence are no more ‘just’ data protection than facial recognition is ‘just’ photography or DNA profiling ‘just’ chemistry.”
Society is becoming “inured to biometric surveillance,” Sampson warns, and as the practice enters areas like schools, the risks of “omniveillence are amplified.” Law enforcement has clear incentive to seek as many resources for identifying suspects as it can, but increasing capabilities for biometrics collection and analysis increase the need for “democratically accountable governance.”
Biometrics capabilities are largely privately-owned, however, making it appropriate to compose the proposed code of practice as broad as possible. Sampson approves of the suggestion to include new biometric modalities, but is puzzled at the exclusion of DNA, which is widely used. Further, as modalities are added, searches of aggregated datasets takes on new risks, as well as benefits.
The OPC’s intention to make the code “tech-neutral” is understandable, Sampson writes, sufficient clarity is needed, and the balance between those two motivations is delicate.
Sampson also raises the controversy around the storage of biometric data in the cloud, as has been addressed by Scotland’s Biometrics Commissioner, as well as recent data breaches.
“If we are to get the most from biometric surveillance technology, a systemic approach to regulation is needed, focusing on integrity – of both technology and practice – along with clear standards for everything and everyone involved because, in a systemic setting, compromising part means compromising the whole,” Sampson argues.
That approach must involve principles which are clear, transparent and auditable.