Privacy Impact Assessment

Neoface Technology Facial Recognition

2014

PIA 29 10 2014

CONTENTS

Why Carry Out a Privacy Impact Assessment

Regulatory Considerations

The Need for Facial Recognition

Custody Images

NeoFace Facial Recognition Technology and the Impact on Privacy

Information Flow

Consultation

Privacy and Related Risks

Privacy Solutions

Security of the NeoFace System

Location

Management
Operators
Use of Neoface

10

Risk

11

Evaluation

12

Sign off

12

Integration of the PIA Outcomes Back into the Project Plan

12

Action to be Taken

12

Date for Completion of Actions

12

Appendix 1

PIA 29 10 2014

Privacy Impact Assessment for Facial Recognition

Why Carry Out a Privacy Impact Assessment

1.1

All processing of personal information must be undertaken within a clear legal

framework, resulting in the minimum intrusion of an individual's privacy.

1.2

The Police Service has a statutory duty under the Police Act 1996 and a duty at
Common Law to prevent, investigate and detect crime as well as safeguarding the
public. Clearly that duty requires the Force to introduce new methods and
technology to meet public expectations, but at the same time, ensuring such
methods and technology are in compliance with relevant legislation.

1.3

This Privacy Impact Assessment is an assessment of the privacy risks to individuals

resulting from the introduction of facial recognition technology to identify individuals
from images presented to it.

Regulatory Considerations

2.1

When processing personal information, the Data Protection Act 1998 (DPA) and the
Human Rights Act 1998 (HRA) must be adhered to. The DPA provides the
Conditions under which the processing of personal information can occur. The HRA
provides information around the privacy considerations which must be taken into
account when using personal information, including decisions around proportionality
and public interest.

2.2

Reference should also be made to the :

Police and Criminal Evidence Act 1984

Common Law Duty of Confidentiality

Police Act 1997

Statutory Code of Practice for the Management of Police information 2006

and associated Guidance

The Regulation of Investigatory Powers Act 2000

Common Law Duty of a Constable.

Rehabilitation of Offenders Act 1974

PIA 29 10 2014

Policies, procedures and protocols Force and National

CCTV Code of Practice

Surveillance Camera Code of Practice

The Need for Facial Recognition

3.1

The facial recognition system is focused on the implementation of new technology to

enable the Force to identify individuals whose images have been obtained during the
perpetration of offences to enable the arrest of the individual.

3.2

A successful investigation leading to the identification and arrest of an individual

suspected of committing an offence or offences is an obligation and duty placed on
every Police Constable.

3.3

The policing purpose prescribed under Common Law includes the prevention and
detection of crime, the apprehension and prosecution of offenders and the
maintenance of law and order. Identifying and dealing with individuals who
perpetrate offences fulfils the first two objectives of Our Duty; a commitment by the
Office of the Police and Crime Commissioner and the Chief Constable to the people
of Leicestershire to deal with those who cause most harm and to protect vulnerable
people from future offences.

3.4

The ability to identify a suspect as soon as possible and make an early arrest is
extremely important for several reasons:

to secure evidence

to ensure the victim is not subject of further offences

to ensure no crimes are committed against other victims

to remove any threat of crime, further crime or violence to the public at

large

3.5

to ensure public confidence in the police is maintained.

The software technology identified to assist the Force in their policing purpose is
NEC NeoFace, which fulfils a further two of the Our Duty principles namely
effectively deploying our people and ensuring effective and efficient use of
technology. With the budgetary constraints placed upon the Force, both principles

PIA 29 10 2014

are becoming ever more important if the Force is to meet its policing obligations and
the expectations of the public it protects.

3.6

Importantly, such software technology provides the opportunity to meet the

requirements at para.2.4

Custody Images

4.1

Custody images are those images obtained when an individual is detained by the
police.

4.2

The police derive their powers to obtain an individuals image from Section 64A of
the Police and Criminal Evidence Act 1984 (PACE)1. PACE and the PACE Codes of
Practice provide the core framework of police powers and safeguards around stop
and search, arrest, detention, investigation, identification and interviewing detainees.
The legislation looks to address the balance between the powers of the police and
the rights and freedoms of the public. Maintaining that balance is a key element of
PACE.

4.3

PACE states that where a person is detained at a police station they may be
photographed with the appropriate consent or if the appropriate consent is withheld,
or where it is not practicable to obtain it, without consent.

4.4

Additionally a person may be photographed at a place other than a police station by

a constable, as a result of a relevant event
(a) with the appropriate consent; or
(b) if the appropriate consent is withheld or it is not practicable to obtain it, without it.

4.5

PACE permits the police to photograph an individual where the individual has been:
(a) arrested by a constable for an offence;
(b) taken into custody by a constable after being arrested for an offence by a person
other than a constable;

PACE has received a number of amendments including those under the Anti-terrorism, Crime and Security Act 2001, the Serious
Organised Crime Act 2005, the Police reform Act 2002 etc.

PIA 29 10 2014

(c) made subject to a requirement to wait with a community support officer;

(ca) given a direction by a constable under section 27 of the Violent Crime
Reduction Act 2006
(d) given a penalty notice by a constable in uniform
(e) given a notice in relation to a relevant fixed penalty offence by a community
support officer by virtue of a designation applying that paragraph to him ;
(f) given a notice in relation to a relevant fixed penalty offence by an accredited
person by virtue of accreditation specifying that that paragraph applies to him ;
(g) given a notice in relation to a relevant fixed penalty offence by an accredited
inspector by virtue of accreditation specifying that paragraph 1 of Schedule 5A to the
Police Reform Act 2002 Act applies to him.

4.6

The custody photograph is then stored within the police data base known as
Custody Image Management (CIM) which holds over 104,000 such photographs.

NeoFace Facial Recognition Technology and the Impact on Privacy

5.1

The NeoFace technology is software that is able to compare images presented to it,
which have been captured on media such as CCTV and body cams (one data set)
against photographs of individuals detained under the Police and Criminal Evidence
Act 1984 (second data set).

5.2

NeoFace technology compares the two data sets and identifies matches from facial
characteristics.

5.3

NeoFace does not base its selection on gender, age or race and so will return
images of all ages, genders and race. (Leicestershire Police has chosen not to
incorporate metadata at this time).

5.4

For each comparison search, NeoFace will select the most likely matches, up to a
total of two hundred. Using new technology to identify potential suspects from an
existing database by automated means, clearly results in a vast amount of personal
data being processed, during each search.

PIA 29 10 2014

5.5

The use of this technology is not only new to Leicestershire, but to the police service
in general and given the extent of processing by automatic means, a full Privacy
Impact Assessment was undertaken. This decision was also based on the interest
the technology may attract to ensure that during implementation privacy issues had
been identified, recorded and ultimately addressed.

Information Flow

6.1

Requests for searches to enable images to be compared against custody

photographs may originate from a number of sources. It is therefore essential that
the provenance of each of the images presented is established to ensure there is a
legal basis before the matching process takes place.

6.2

The images of unknown individuals may originate from a number of sources,

including:
Close Circuit Television Cameras (CCTV) before, during or after the perpetration
of a crime or incident.
Body Cam images taken by an officer when dealing with an incident or crime ( The
Force has a Bodycam Use procedure in place)
Social Media before, during or after an incident has taken place.
E-Fit image taken from a witness or victim of crime
Surveillance image.

6.3

As previously stated, it is the 104 000 photographs held in CIM that Neoface
compares with the photographic images presented to it. A process for the use of
NeoFace has been identified and is illustrated in the flow chart below.

PIA 29 10 2014

Request received by ID unit for Facial Recognition Analysis in one of the

following methods:

Email sent to
IMU

Bodycam
Image

Social Media or
Photo from
mobile phone

Surveillance
Image

EFIT-V

Image quality assessed by ID Unit for suitability to be

used on NeoFace software

Unsuitable:
Inform the requesting
OIC.
Log on spreadsheet and
file image

Suitable:
ID officer will run the image through NeoFace and check the
top 200 returned faces for potential suspects.
Images compared against the lawfully held custody database

Potential suspect(s) identified

No Potential suspects found.
Inform requesting OIC.
Log on spreadsheet and file image

Complete return sheet for OIC with a copy of the image

tested and an image of each potential suspect.
OIC made aware this is purely an intelligence tool.
Log on spreadsheet and file image

6.4

Fig 1

The image of the suspect to be identified is input into NeoFace. The Technology
compares the image of the unknown suspect, to the database containing images of
known persons, detained by the Force. Those NeoFace identifies as matching the
image of the suspect are selected. A search can return up to a maximum of 200
images and will include images of both male and females.

6.5

The operator will view the matches identified by Neoface and manually remove
photographs of those whose images do not resemble the image of the suspect. This
is the point at which human intervention takes over from automated processing.

6.6

Some of the reasons the Operator may eliminate images include:

Wrong gender

Wrong ethnicity

Physical appearance differs

PIA 29 10 2014

Consultation

7.1

Consultation over the implementation of NeoFace has taken place with:

Home Office

Office of the Police Commissioner

Chief Constable

Human Rights Lawyer

During the pilot period and subsequently, the technology and the process has been
televised, using fictional images. It has also attracted visits from the legal profession,
other enforcement agencies and other police forces from around the world.

Privacy and Related Risks

8.1

The CIM system contains over 104,000 images, all of which were obtained under
PACE when the person was detained and therefore provides an audit trail showing
both the name provided by the individual at the time and their description also
recorded at the time, which is then held with their image.

8.2

An image and the personal data associated with it, is used before charge for the
following reasons:

To enable a person to be sought, should they fail to answer pre-charge police

bail;

in the event of an allegation that an individual has given a false name which
has resulted in an innocent party being summoned;

in the event of further police enquiries revealing a person detained has

provided false details;

8.3

An image and the personal data associated with it, is used after charge but before
conviction for the following reasons:

to identify an individual when a warrant has been issued by the Court and
police officers have a duty execute it as soon as possible 2.

To enable a person to be sought, should they have been bailed to appear

before a court and failed to do so.

If issued under s13 Magistrates Courts Act 1980, it will be valid indefinitely.

PIA 29 10 2014

Should they have been remanded in custody and after being taken before a
court, bailed to re-appear, but have failed to do so.

Where the court has issued a further bail notice (court bail) and the person
does not attend the hearing

To identify an individual subject of a European Arrest Warrant where it is

suspected that the person has fled the UK whilst on police or court bail.

8.4

Key privacy issues relate to the retention of images whereby the individual, although
arrested, did not appear before the court because:

8.5

CPS decide not to prosecute the case;

The case was discontinued;

The person was not charged due to lack of evidence.

Cases lying sine die.

Images of detained persons are held on CIM.

Therefore, images of those not

convicted will also be retained.

8.6

The Police and Criminal Evidence Act states that photographs taken under s64 may
be used by, or disclosed to, any person for any purpose, related to the prevention or
detection of crime, the investigation of an offence of the conduct of a prosecution or
to the enforcement of a sentence and may be retained provided they are used for
the same purpose for which they were initially obtained.

8.7

Retaining all images of individuals taken under PACE, whether later convicted or not
allows Neoface to search across the whole of the data base and may return images
found in both data sets.

Privacy Solutions

9.1

Action being taken to address issues and reduce the risk is already being
undertaken by the Identification Suite (See Data Protection Table).

9.2

Security of the NeoFace system.

8.2.1 Location

10

The NeoFace system has been installed in the Identification Suite (ID Suite).

PIA 29 10 2014

The Identification Suite is situated in a secure building which has limited

access

The Identification Suite is separated from the reminder of the building and is
secured.

The NeoFace is located on a stand-alone computer.

9.2.2 Management

Neoface is owned by the Delivering Justice Directorate. A Detective Chief

Superintendent is in overall charge.

The day to day management is undertaken by the ID Suite Manager.

9.2.3 Operators

The number of NeoFace operators is kept to a minimum.

Their training is undertaken in house under the supervision of the ID Suite

Manager.

10.3

Use of NeoFace

10.3.1 All requests for the use of NeoFace are submitted to the ID Suite and overseen by
the ID Suite Manager.

10.3.2 A Form has been created and must be submitted with each request, which details
the reason for the request and the provenance of the images being presented.

10.3.3 After accepting the image(s), the Operator will undertake the search.

10.3.4 Once the matches are returned by Neoface, the Operator will undertake a visual
assessment and remove any that clearly do not match the image of the individual
sought. E.g. different gender etc.

10.3.5 The Operator will provide the matches which NeoFace has identified and have
been verified, to the OIC as well as making it clear that the images are to be

11

PIA 29 10 2014

treated as information only and that further police enquiries are required to
establish whether the person could be considered as a suspect or not.
10.3.6 The OIC will be reminded that the information being provided is sensitive personal
information and therefore must be treated as Restricted and if the images
returned are to be sent to the OIC by e-mail, then the Operator will ensure the email is marked Restricted.

10.3.7 The Form which accompanies the returned images, reminds the OIC that the
matches are for intelligence purposes only and cannot be used as evidence. They
are not informed as to the status of the person in the custody image.

10.3.8 Guidance should be issued to ensure the decision making during the public interest
test is recorded.
11

Risk
See Appendix 1.

12

Evaluation

12.1

In addition to the assessment around the effectiveness of the Neoface Technology in

preventing and detecting crime, the evaluation will take into account the impact on
the privacy of individuals.

12.2

Solutions have already been implemented to address compliance issues identified

during the early project stages, which are proportionate to the aims of the project. (

13

Sign off and record the PIA outcomes

13.1

The Project and the privacy risk have been accepted by D/ Ch. Supt Prior.
The privacy risks involved in the project have been accepted by D/Ch. Supt Prior.
(Still awaiting the outcome of the two privacy court cases).

12

PIA 29 10 2014

14

Integration of the PIA Outcomes Back into the Project Plan

14.1

The ID Suite Manager will be responsible for integrating the PIA outcomes back into
the Project Plan and keeping the Head of the Delivering Justice Directorate
informed.

14.2

PIA outcomes will be addressed by the ID Suite Manager in consultation with the
Head of the Delivering Justice Directorate.

14.3

The ID Suite Manager will be responsible for implementing any solutions to issues
identified back in to the project.

14.4

The ID Suite Manager will confer with Information Management Section regarding
future privacy concerns which will then be raised with the SIRO.

15

Action to be Taken

15.1

As the Data Protection Act 1998 provides the legal framework around the
management and use of personal information, recording the implications the DPA
has on the use of existing custody photographs with the Neoface technology, will
sign post issues to be considered and addressed.

16

Date for Completion of Actions

16.1

As per the Project Documentation.

17

Data Protection Implications

17.1

See Appendix 1

13

Appendix 1

Neoface Privacy Impact Assessment implications for the compliance with the Data Protection Act commenced on the 29.10.2014
The following are the Principles of the Data Protection alongside the risk to the Act in relation to the use of Neoface. This is a living document and should be
updated and dated accordingly.
Principle 1
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
a) at least one of the conditions in Schedule 2 is met, and
b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Considerations
What is the purpose of this
technology?

Explanation

Additional Considerations/Risks

To introduce technology to assist in

the early identification of a suspect.

The use of facial technology to compare

existing lawfully held information against
new information, lawfully obtained and
processed;

Photographs of detained persons

are collected under PACE and are
known as Custody Photographs..

Reduces the chance of the wrong person

being arrested
The photograph is used as:
An audit trail
In the event of an individual
failing to report for bail or to
court or for the payment of
a fine issued by the court.
Having been convicted, the
photograph is then used:
As part of any prohibition
order

Eliminates the need to arrest large

numbers of suspects

Action/Mitigation/Justification
ID Suite Operator overseas the
management of PACE Photographs.
ID Suite Operator undertakes
Human intervention to ensure the
photographs identified by Neoface
are similar or the same as the image
being presented for comparison.
Any photographs returned by
Neoface which do not match are
rejected.
Only details of those whose image is
identified as being the same or
similar are provided to the officer in
the case, who will undertake a
second sift and again reject any they
feel do not match the person they
are seeking.

PIA 29 10 2014

Retained and used to

identify recidivists whether
by showing them to a victim
of a further crime in an
effort to identify the
perpetrator

Access to photographic images in an

effort to identify a person suspected
of being involved in an incident
leading to a crime, or a crime per
see is an integral part of any police
investigation.
Using conventional methods to
identify an individual who may be a
suspect is time consuming.

Due to financial constraints facing

the Force, employing police staff to
carry out research to identify
potential suspects from information
held is difficult to justify, when
technology is available.
Despite reduced funding, the Police
Service still has to meet legal
obligations under Common Law, the
Police Act 1996 and other legislation

15

Reduces the need for additional

witnesses.

Time lapse may result in the suspect

disappearing, continuing to commit
crime, threatening potential witnesses to
ensure they do not come forward.
There is a critical period - the Golden
Hour-during which a crime should be
detected. The greater the delay, the less
chance of arresting a person.

Reduces the workload of an Operator

Provides an audit trail

PIA 29 10 2014

contained in statute.
Pressures to find quicker and more
efficient ways of identifying suspects
and solving crime are at the
forefront of the Police Service.
The use of biometric technology to
identify potential suspects from
existing photographs held by the
police is clearly a more efficient,
effective and a less time consuming
process.
The efficiency of the system does
increase the privacy concerns
surrounding its use.

Ensures an individual can be identified

and sought quickly reducing the chance
of them:
A disappearing
B creating an alibi
C committing further offences
D Threatening Witnesses

To identify individuals subject of

covert operations, where the
photographs have been obtained
under RIPA

How will individuals be told

about the use of their personal
data in relation to existing
custody records?

16

Photographs of those arrested are

obtained under the Police and
Criminal Evidence Act (PACE).
Section 64A permits the police to
obtain photographs of those
arrested in circumstances where a
person detained at a police station
may be photographed with the
appropriate consent or if the
appropriate consent is withheld or

The use of CCTV images by the Force is

included in Policy and supported by
procedures drawn up, between the
Councils and the Force.

Following the CATT case, consider

reviewing your photograph
retention policy. (date)

CCTV systems owned by the Councils are

installed for the purposes of Crime
reduction.

Following the CATT case, the need

to set review dates of photos
obtained of individuals who have
not been charged. (date)

Consider including advice to detainee,

Following the CATT case, the

PIA 29 10 2014

How will individuals be told

about the use of their personal
data in relation to the images
being presented (other than
custody images)

where it is not practicable to obtain

it, without consent.

that their photograph will be retained

whether charged or not.

In terms of the images presented to

Neoface, these are obtained from a
number of sources including CCTV,
bodycam, other Forces Custody
images (See below).

At closure without charge, consider the

rational of retention to ensure it is
proportionate.

Photographs submitted for

comparison as a result of a covert
operation, will be unaware.

RIPA Authority

The individual will be unaware that

the police have their image, until
interview/ detention.

Websites already provides information re

the use of CCTV

The CCTV images obtained by the

police are mainly from three
sources.
1 Council owned
2 Privately owned
3 Commercially owned i.e. shop
owner.
The responsibility as to the lawful
signage relating to the use of the
CCTV falls to the CCTV owner.
Bodycam images from officers
wearing bodycam. The use of
bodycam is managed through the
procedural documents issued.

17

CCTV Cameras all have notices regarding

their use for prevention of crime.
Suggest a reminder of the existence of
CCTV Policy.
Suggest a review of the instructions
around the use of CCTV when drawing up
shop watch agreements.
Useful to remind officers of lawful use of
bodycams and to remind them of the
policy and procedure around such use.
Bodycams are used overtly.

rationale behind the retention and

importantly, the further use of
photographs where the individual
has not been charged or convicted
(date)
Consider a review of the
photographic policy in relation to:
Media release when
attempting to trace an
individual suspected of an
offence,
Day to day policing

Consider a review of the

photographic policy in relation to:
media release when
attempting to identify an
individual,
Day to day policing

PIA 29 10 2014

Bodycam may be used where the

situation requires them. They must
not be left on throughout tour of
duty. They will be worn overtly
Photographs obtained as a result of
a covert operation will not be aware

RIPA will apply

Can Neoface be used in real

time?

There is no direct connection

between CCTV/bodycam and
Neoface.

Who will have access to

Neoface?

Access to Neoface is restricted to

the ID Suite staff only under the
direction of the ID Suite Manager.
There is no intention to allow
unrestricted access to Neoface.

Ensure procedures are put in place and

also that there is an overarching Policy in
relation to the use/access of NeoFace.

Do you need to amend your

privacy notices?

The Privacy Notice provides

information on the processing of
information in connection with the
policing purpose.

Privacy Notice is being reviewed in line

with the use of Neoface

Policy and Procedure implemented.

CCTV cameras all have the legal

plates describing the reason for their
use and their ownership.
Schedule 2
Have you established which
(3) Compliance with legal
conditions for processing apply? obligations;
(5) For the administration of justice
(6) (1) The legitimate interests
pursued by the Data Controller

18

PIA 29 10 2014

Schedule 3
(6) Legal Proceedings
(7) Administration of Justice
SI 417 regarding the processing of
sensitive personal information.
If you are relying on consent to
process personal data, how will
this be collected and what will
you do if it is withheld or
withdrawn?

Photographs of those arrested are

obtained under the Police and
Criminal Evidence Act (PACE).
Section 64A permits the police to
obtain photographs of those
arrested in circumstances where a
person detained at a police station
may be photographed with the
appropriate consent or if the
appropriate consent is withheld or
where it is not practicable to obtain
it, without consent.
Images obtained are either covert
CCTV and Bodycam.
Obtained as part of the investigation
E-Fit.
Or by covert means authorised
under RIPA

Who will have access to the

matches produced from
Neoface?

19

The matches are provided to the

Officer in Case.

Ensure the data produced is marked as

Restricted.

It is made clear that the matches

are for information only and provide
a sign post for the officer to assist in
the investigation plan.

That GPMS is applied whenever it is

processed .
Ensure the OIC is aware of the handling

Ensure the policy procedure reflects

the need to ensure the data is kept
secure at all times and not
accessible to those not involved in
the enquiries.

PIA 29 10 2014

procedures to ensure the information is

processed fairly and lawfully and remains
so, until destruction.
Leaving the information visible/accessible
to other officers, could result in the
individual being detained if seen on the
assumption that they are being sought.

20

PIA 29 10 2014

Principle 2
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with
that purpose or those purposes.
Considerations
Explanation
Additional Considerations/Risks
Action/Mitigation/Justification
PACE permits the use and retention
of photographs obtained lawfully.
The further use of the photographs
already held is in connection with
the policing purpose.
Does your use of Facial
Recognition cover all of the
purposes for processing
personal data?

Yes at present.

Have potential new purposes

been identified as the scope of
the technology expands?

No. The use of technology over

existing procedures to identify
those committing offences is purely
to ensure more efficient and
effective use of the personal data.

21

Any additional use over and above that

outlined in this PIA, if the Project
becomes business as usual will need to
be risk assessed and a new PIA
completed.

There is a need to ensure that policies

and procedures develop, as the use
develops.
NB The presence of policies and
procedures do not legitimise use. They
merely clearly define their parameters.

PIA 29 10 2014

Principle 3
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
Considerations
Additional Considerations/Risks
Action/Mitigation/Justification
The photographs obtained under
Is the information you are
PACE are of very good quality.
using of good enough quality
for the purposes it is used for? The images obtained for
comparison are assessed and if they
are of poor quality, are not
presented to Neoface.
Have you considered what
personal data should not be
used, without compromising
the needs of the project?

22

Following the case of The Queen on

the application of (1) RMC and (2) FJ
and the Commissioner of the
Metropolis and the Secretary of
State for the Home Office and (1)
Liberty and (2) Equality and Human
Rights Commission, the retention of
photographs held within the
existing database, where either the
person has not been convicted or
the case discontinued or the person
found not guilty. The legality of the
retention of such data is still being
reviewed by the ICOs Legal Team. It
was thought that the decision on
the retention of photographic
information would be included
within the Freedom Act, which
ultimately addressed and reinforces
the rules around the retention of
DNA and fingerprints. However,
both the Data Protection Act 1998

PIA 29 10 2014

and the Statutory Code of Practice

for the Management of Information
require the Force to manage such
information in such a way that it
does not breach legislation. It will
however, be more likely to capture
individuals who are in the group
described above, if they have
committed the offence, but less
likely to involve the arrest of an
innocent individual whose image is
held, where they have not been
previously prosecuted for an
offence.

23

PIA 29 10 2014

Principle 4
Personal data shall be accurate and, where necessary, kept up to date.
Considerations
Explanation
Additional Considerations/Risks
If you are procuring new
software does it allow you to
amend data when necessary?

How are you ensuring that

personal data obtained from
individuals or other
organisations is accurate?

Neoface is not a storage system

However, Neoface can be used as a search

engine in the event of searching for and
removing images from the custody system

Photographs taken of a person

under PACE will have the name of
the individual attached to them.
The fingerprints of the individual
are also taken under PACE and
are subject of checking against
the National Database. Any
discrepancies found are rectified
as soon as they are identified.
Any requests for NeoFace to be
used by Police Partners, will be
submitted on a request form.
The form will record the
requestors details, the reason for
the request and the
circumstances by which the
image was obtained.

How will you differentiate

information received from
other organisations?

Searches are managed

individually, so there can be no
cross contamination

How long will non custody

Images obtained for comparison

24

Procedural document in place.

Action/Mitigation/Justification

PIA 29 10 2014

images be retained?

against Neoface, will only be

retained for as long as is
necessary.
Where an individual is identified
by Neoface, then the original
photograph will be provided to
the officer, if required for
identification purposes and also if
the individual is charged, where it
will form part of the evidence.
The reference number of any
match will be kept for audit
purposes.

How long are Custody Images

retained, where a person is
either
1 Not charged
2 Charged, but the case is not
taken to court
3 Charged and taken to court
but discontinued
Charged taken to court and
found guilty
Charged and taken to court
and found guilty, but found
not guilty on appeal.
Case allowed to sit sine die

25

All photographs are originally

obtained under PACE.
PACE states that such
photographs can be retained,
provided they are only processed
for the same purpose.

Additional advice /guidance following

CATT decision.

PIA 29 10 2014

Principle 5
Personal data processed for any purpose or purposes shall not be kept for longer than necessary for that purpose or those purposes.
Considerations
What retention periods are
suitable for the personal data
you will be processing?

Are you procuring software

which will allow you to
delete information in line
with your retention periods?
How many duplicate images
are there?

26

Explanation
All custody photographs are
retained.

The use of biometric technology

will not change the existing ability
in terms of the NeoFace
technology

NeoFace technology has enabled

duplicate entries to be identified
and dealt with accordingly.

Additional Considerations/Risks

Action/Mitigation/Justification

Old images are not removed when new

ones are taken.

Historic cases are reported to the police.

Searches using Neoface are saved on

secure network and kept in accordance
with MOPI

PIA 29 10 2014

Principle 6
Personal data shall be processed in accordance with the rights of data subjects under this Act.
Considerations

Explanation
No change

Additional Considerations/Risks

Action/Mitigation/Justification

Process does not involve

marketing.

Is the documented process for the

request for removal of photographs by an
individual, up to date?
If not, it should be updated.

Requests for removal come in via Data

Protection and there is a documented
process for dealing with requests for
removal.

Will the systems you are

putting in place allow you to
respond to subject access
requests more easily?

If the project involves

marketing, have you got a
procedure for individuals to
opt out of their information
being used for that purpose?

Can the system provide

information about the
searches that have been
presented to it, in the event
of such a question from a
data subject?

27

The system is fully auditable and

will keep a record of all searches
carried out.
Searches are retained in a
spreadsheet, along with the
details of the returns for
monitoring purposes.

PIA 29 10 2014

Principle 7
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss
or destruction of, or damage to, personal data.
Considerations
Explanation
Additional Considerations/Risks
Action/Mitigation/Justification
Do any new systems provide
protection against the
security risks you have
identified?

Access to enable use of the

biometric technology is restricted
to Identification Suite staff under
the supervision of the ID Suite
Manager
Access is by use of a user name
and password, to permit
individual access, which is then
auditable.

What training and

instructions are necessary to
ensure that staff will operate
a new system securely?

Access to biographical
technology is restricted to
Identification Unit Staff only.
Each Operator is individually
trained in the operation of the
system and the rules around its
use.
Each Operator is reminded of the
general requirements around
security:
Logging on and off
Password composition of
Prevent shoulder surfing

28

Ensure use and privacy requirements are

reiterated.
Ensure the policy and procedure reflects
the requirements of the Operator, to
ensure this is continued if and when new
staff are employed.
Ensure policy and procedure is in
existence for the day to day monitoring
around use.

Consider fitting a security screen.

PIA 29 10 2014

Positioning of the screen to

prevent it being viewed by others
Staff are reminded of the
legislation surrounding the use of
custody photographs.
Will your actions interfere
with the right to privacy
under Article 8?

Have you identified the social

need and aims of the project?

Under Article 8 there is the

exemption from interference
with private life, where the
interference is in relation to the
investigation in relation to the
commission of an offence.

The social pressing need to deal

with those who commit crimes
against victims and society.

You need to consider the justification for

the use of technology to identify
individuals involved in other
crimes/incidents.
The justification may include the fact that
individuals who start by committing low
level crime i.e. theft from washing lines,
can move on to commit further and more
serious crimes, if not identified and dealt
with.

Are your actions a

proportionate response to
the social need?

Our Duty has identified the

expectations of the public to
protect the vulnerable and to
deal with those who cause most
harm.
Failure to do this effectively,
may also attract disciplinary

29

Included in Policy

PIA 29 10 2014

action, if it can be shown that a

delay was caused by any neglect
to investigate a crime, where the
identity of the suspect could
have been established and as
such the officer may be
disciplined under the Police Act
1996. Dealing with staff who
have failed to carry out the
requirements of their roles, can
bring the Force into disrepute
and reduce public confidence.

30

PIA 29 10 2014

Principle 8 Not Transferred out of Europe

Considerations
Explanation
Is there an intention to
No
transfer any of the data out
of the European Union

31

Additional Considerations/Risks

Action/Mitigation/Justification