New biometrics laws urgently needed, review finds

By Chris Vallance
Technology reporter

  • Published
A stock illustration of facial recognitionImage source, Getty Images

New laws governing biometric technologies are urgently needed, an independent legal review led by Matthew Ryder QC has found.

Biometric data includes faces, fingerprints, voices, DNA profiles, and other measurements related to the body.

Technologies using this data, such as live facial recognition, are increasingly common.

But the review found rules in England and Wales were fragmented, unclear and had not kept up with technology.

Biometric technologies, it noted, previously used almost exclusively in policing, are now used by a growing number of private and public organisations, including employers, schools and shops.

More novel tools such as gait analysis, which looks at distinctive features of how people walk, or key-stroke analysis, based on how people type, are also being deployed.

In a separate paper the Ada Lovelace Institute, which commissioned the review, cited a number of examples of how biometric technologies were being used:

  • Schools using facial-recognition technology to verify students' identities in order for them to pay for their lunch
  • A supermarket chain using facial recognition to alert staff to individuals with a history of theft or anti-social behaviour.
  • Companies using an artificial-intelligence system to score video interviews with job candidates for characteristics such as "enthusiasm", "willingness to learn", "conscientiousness and responsibility" and "personal stability".

Better laws and regulation would subject such uses to much greater scrutiny before deployment, it says.

Currently, an Institute spokesperson told the BBC, regulators were only taking action after the fact. "We can think of this a regulatory 'whack-a-mole', which we are arguing is inadequate", the spokesperson said.

And none of those giving evidence to the review thought the current legal framework fit for purpose.

A range of laws influence how biometric data can be collected and used, including the:

  • Human Rights Act 1998
  • UK General Data Protection Regulation
  • Data Protection Act 2018
  • Police and Criminal Evidence Act 1984
  • Protection of Freedoms Act 2012
  • Terrorism Act 2000
  • Investigatory Powers Act 2016
  • Equality Act 2010

Matthew Ryder QC, who wrote the review said: "The current legal regime is fragmented, confused and failing to keep pace with technological advances.

'We urgently need an ambitious new legislative framework specific to biometrics.

"We must not allow the use of biometric data to proliferate under inadequate laws and insufficient regulation."

The institute is now calling for changes including:

  • comprehensive legislation governing the use of biometric technologies.
  • oversight by a national, independent and properly resourced regulatory body.
  • a requirement for technology to meet standards of accuracy, reliability and validity and proportionality
  • a moratorium on systems capable of mass identification or classification in the public sector until legislation is passed

The review also made several recommendations concerning live facial recognition (LFR) - where a camera system matches faces to a watch-list.

A number of police forces have deployed LFR including the Metropolitan police, and South Wales police - the latter successfully challenged in court.

The review said a legally binding police code of practice governing LFR use was needed.

And all other use in public should be suspended until there was one covering the private sector.

'Sound regulation'

Biometrics and Surveillance Camera Commissioner Prof Fraser Sampson echoed the report's call for improvement, saying it needed to be comprehensive, consistent and coherent.

Lady Hamwee, who chairs the Lords Justice and Home Affairs Committee, said: "The current uncoordinated and confusing arrangements are inadequate.

"Biometric technologies have huge potential.

"They need an essential component - public trust and confidence, which in turn needs sound regulation."

In response to the Ryder Review a Department for Digital, Culture, Media and Sport spokesperson told the BBC the government was "committed to maintaining a high standard for data protection and our laws already have very strict requirements on the use and retention of biometric data.

"We welcome the work of Ada Lovelace Institute and Matthew Ryder QC and we'll consider the recommendations carefully in due course."