Earlier this week, the Information Commissioner’s Office (ICO) fined facial recognition technology company Clearview AI Inc. (Clearview) over £7.5 million for breaches of UK data protection law. The ICO also ordered the US company to stop obtaining and using UK residents’ personal data from the internet, and to delete UK residents’ data from its systems. This enforcement action shows the global reach of the ICO and the importance of ensuring that your business complies with the UK GDPR when dealing with UK residents’ data, to avoid penalties, adverse publicity, and disruption to your business.
Data protection breaches by Clearview
Clearview provides a service that allows customers (including the police) to upload an image of a person and check it for a match against all images in Clearview’s database. Clearview has collected billions of images worldwide to create this database, and the ICO has stated that people were not informed about their images being used in this way.
The ICO found that Clearview had failed to meet UK data protection standards, including by:
- failing to be fair and transparent about the use of UK residents’ data;
- not having a lawful reason for collection of the data or a process for ensuring it is not retained indefinitely;
- failing to meet the higher standards of protection required for using biometric data (called special category data or sensitive personal data); and
- potentially disincentivising users from objecting to the use of their personal data, by refusing to tell members of the public if they were on the database unless they provided additional personal information.
The ICO has previously indicated that it is deeply concerned about the use of facial recognition technology in public places because it risks significantly eroding people’s privacy. Given the ICO’s concerns about this technology, it may be prudent for your business to avoid using it until further guidelines have been provided, or to contact the ICO for confirmation of whether your particular use is permitted.
In case you’re using other types of biometric or sensitive personal data in your business, we’ve provided a refresher below on your data protection obligations.
General data protection obligations
If, as is usually the case, your business is a data controller (i.e. you use personal data for the purposes of your own business), you must always comply with general data protection obligations. These include:
- being clear about why you are collecting personal data and what you will do with it, and providing this information to individuals. This can usually be done in your privacy policy;
- only collecting and using personal data which is relevant and necessary for your purposes;
- storing any personal data securely and not keeping it for longer than necessary;
- doing what you can to make sure that personal data you hold is accurate and kept up to date;
- ensuring that you have a lawful reason for processing personal data;
- if you use cookies on your website, ensuring you obtain the relevant consents (see Cookie policy for a template cookie policy);
- having comprehensive data protection policies and procedures in place, including for dealing with data breaches and data subject requests, training your staff on data protection matters and keeping appropriate records;
- being aware of when to use a data protection impact assessment (DPIA) procedure;
- considering whether you need to appoint a data protection officer (DPO) or alternatively a member of staff who takes responsibility for data protection matters within your business;
- if you wish to share personal data with another person or business, reviewing your data sharing agreement to ensure it complies with your obligations under the GDPR; and
- ensuring that you comply with the ICO’s Age Appropriate Design Code if your service is likely to be accessed by children.
You may also need to pay a modest annual fee to the ICO.
Data protection obligations for dealing with sensitive personal data
What is sensitive personal data?
Sensitive personal data (also known as ‘special category data’) is:
- data which reveals a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;
- genetic or biometric data identifying a person, including data used for voice authentication and facial recognition technology; and/or
- data concerning a person’s health, sex life or sexual orientation.
When can my business use sensitive personal data?
There are strict rules about using sensitive personal data. You’ll need to identify a specific reason (or lawful basis) for doing so, as well as ensure that one of the following circumstances applies:
- you have explicit consent from the person concerned;
- it is necessary and proportionate for you to use the data to comply with your legal obligations as an employer or to exercise your rights as an employer. For example, if one of your employees has a physical disability, you have a legal obligation to make reasonable adjustments so you will need to collect sensitive personal data regarding that employee’s health;
- it is necessary and proportionate to use the data to assess the working capacity of your staff;
- the data has deliberately been made public by the person concerned; or
- it is necessary to use the data for legal proceedings that are taking place.
But don’t forget, even if one of these exceptions applies, you must also follow the rules below for handling sensitive personal data.
What are my business’s data protection obligations for handling sensitive personal data?
In addition to your general data protection obligations, when handling sensitive data you must:
- keep written records about your use and storage of any sensitive personal data, including:
  - the name and contact details of your business;
  - what the sensitive personal data consists of, who it is about and why you need it;
  - how long you will keep the data;
  - a brief description of the measures you take to ensure data security; and
  - whether you will share the data with anyone, where they are based if they are outside the UK, and how you will work with them to keep the data safe;
- provide a copy of these records to the ICO on request;
- consider carrying out a data protection impact assessment (DPIA). This is likely to be needed for processing sensitive personal data. If you are unsure, the ICO recommends that you carry one out; and
- consider whether you may need a specific policy in place for dealing with sensitive personal data.
You can find further guidance on dealing with sensitive personal data in our Q&A. If you aren’t sure whether your business is allowed to use sensitive personal data, you should seek legal advice. You can access a specialist lawyer in a few simple steps using our Ask a Lawyer service.
The content in this article is up to date at the date of publishing. The information provided is intended only for information purposes, and is not for the purpose of providing legal advice. Sparqa Legal’s Terms of Use apply.
Marion joined Sparqa Legal as a Senior Legal Editor in 2018. She previously worked as a corporate/commercial lawyer for five years at one of New Zealand’s leading law firms, Kensington Swan (now Dentons Kensington Swan), and as an in-house legal consultant for a UK tech company. Marion regularly writes for Sparqa’s blog, contributing across its commercial, IP and health and safety law content.