Commissioner stressed key elements of new guidelines in her speech before federal committee
The Information and Privacy Commissioner of Ontario has joined federal, provincial, and territorial privacy commissioners’ mounting call to impose legal limitations on facial recognition technology used by law enforcement.
Commissioner Patricia Kosseim said in her speech before the Standing Committee on Access to Information, Privacy, and Ethics that while she and other privacy commissioners across Canada recommended the adoption of a comprehensive statutory framework to address the use of facial recognition technology in the law enforcement context, they are aware that some police agencies are already using or considering using facial recognition technologies, for instance, to support the investigation of serious crimes or help trace missing persons.
Kosseim informed the committee that they had issued new privacy guidelines to guide law enforcement agencies in the interim and help mitigate against potential harms until a new statutory framework is put in place. She then went on to emphasize the key elements of the new guidelines.
According to Kosseim, the new guidelines provide that police agencies must first determine if they are legally authorized before using facial recognition for any purpose.
“Police should seek legal advice to confirm they have lawful authority either at common law or under statute specific to their jurisdiction,” Kosseim said. “They must also ensure they are Charter-compliant, and their purported use is necessary and proportionate in the circumstances of a given case.”
Kosseim noted the new guidelines urge police agencies to establish strong accountability measures, including designing for privacy at every stage of a facial recognition initiative and conducting a privacy impact assessment (PIA) to assess and mitigate risks in advance of implementation.
In addition, Kosseim said that the new guidelines require police agencies to ensure the quality and accuracy of personal information used as part of the facial recognition system to prevent false positives, reduce potential bias, and avoid harm to individuals, groups, and communities.
“Ensuring accuracy involves conducting internal and external testing of the facial recognition system for any potentially discriminatory impacts, as well as building in human review to mitigate risks associated with automated decisions that may have significant impact on individual rights,” Kosseim said.
Kosseim stated that the new guidelines state that police agencies should not keep personal information longer than necessary. Therefore, they should destroy probe images that do not register a match and remove face prints from the face database if they no longer meet the proper criteria for continued inclusion.
Kosseim also mentioned that the new guidelines direct police agencies to address transparency and public engagement.
“Direct notice about the use of facial recognition may not always be possible in the context of specific police investigations,” Kosseim said. “However, program-level transparency is possible – such as publishing the agency’s formal policies on the use of facial recognition, a plain-language explanation of their facial recognition program, and a summary of their PIA.”
Kosseim added that key stakeholders, particularly representatives of over-policed groups, should be consulted “in the very design” of the facial recognition program.
“To re-iterate, although we believe these guidelines represent important risk mitigation measures, ultimately we recommend the establishment of a comprehensive statutory regime governing the use of facial recognition by police in Canada,” Kosseim said.