Question to the Department for Science, Innovation & Technology:

To ask His Majesty's Government what privacy protections are in place around the use of facial recognition software by private companies.

The use of facial recognition technologies is already governed by existing legal frameworks including equalities and data protection laws, which provide significant and proportionate protections. Under UK GDPR, there is a high bar for using such technology, as the processing of biometric data for identification purposes falls into the existing definition of special category data processing.

Under the UK’s data protection framework, organisations must process personal data fairly, lawfully, and transparently, which means being clear with people about how and why their personal data is being processed. Any personal data should also be kept secure and not processed for longer than is necessary. Organisations must also carry out an impact assessment when processing activities involving new technologies are likely to result in a high risk to individuals’ rights and freedoms.

The Information Commissioner’s Office (ICO), the independent data protection regulator, has issued guidance on the use of facial recognition systems and continues to monitor developments in this area.