Privacy & Information Security Law Blog

On August 13, 2025, the UK Information Commissioner’s Office (ICO) published guidance detailing key data protection themes that law enforcement must consider when deploying live facial recognition technology.  The key themes include:

1. Strictly necessary: Law enforcement must ensure that the use of live facial recognition technology is strictly necessary for the stated purpose. Law enforcement must: (1) ensure the processing of sensitive information is specific in nature and dependent on the specified law enforcement purpose; (2) unequivocally demonstrate that no less privacy-intrusive means could achieve the same purpose; and (3) demonstrate how the processing will be effective in meeting the specified law enforcement purpose.
2. Clear purpose: The justification and purpose for using live facial recognition must be clear and limited.
3. Key data protection documentation: Law enforcement must prepare and maintain necessary documentation with respect to its use of live facial recognition technology, such as a data protection impact assessment (DPIA), and an appropriate policy document (APD).
4. Effectiveness: Law enforcement must be able to explain how the live facial recognition technology will successfully fulfill law enforcement purposes.
5. Watchlists: The inclusion of images on watchlists should involve the same enhanced considerations when processing (e.g., strictly necessary), as detailed above. Watchlists also must adhere to data protection principles.
6. Informing the public: Law enforcement should provide the public with contact details of the data controller and how they can exercise their rights.
7. Managing bias: Periodic testing and reviews should be conducted to ensure the accuracy and effectiveness of live facial recognition technologies, helping to understand and mitigate any biases.