![Default Article Featured Image_laptop-newspaper-global-article-090623[95].jpg](https://images.contentstack.io/v3/assets/bltd4dd5b2d705252bc/blt61f52659e86e1227/64ff207a8606a815d1c86182/laptop-newspaper-global-article-090623[95].jpg?width=3840&quality=75&format=pjpg&auto=webp)
The use of facial recognition technology is becoming more and more prevalent in modern society, note such examples as Facebook’s introduction of such technology in 2011; Google’s attempt to introduce a facial search engine, and even an online dating site that was launched on the premise of matching people based on “facial compatibility.”
It is not surprising, therefore, that privacy advocates and privacy enforcement authorities are becoming increasingly interested in these developments. Recently, the Office of the BC Information and Privacy Commissioner (OIPC) released an
into the use of facial recognition technology by the Insurance Corporation of British Columbia (ICBC). The investigation was triggered by ICBC’s offer to the police of the use of its facial recognition software in the identification of individuals involved in riots in Vancouver in the spring of 2011.
The OIPC took the opportunity to examine not only the proposed assistance to the police but also issues relating to the original purposes for the facial recognition program.
ICBC’s facial recognition program
The OIPC noted that the facial recognition technology was introduced as a means to address fraudulent acquisition and use of driver’s licences and British Columbia ID cards. A number of inadequacies were identified by the OIPC relating to the manner in which the ICBC’s privacy impact assessments (PIAs) were completed. While a PIA on the privacy issues related to use of biometrics was conducted by external legal counsel and internal staff very early on in the process, years later—when implementing the facial recognition technology—no comprehensive PIA was completed on the solution purchased. The organization’s documentation listed some basic privacy rules in the Personal Information Protection Act (PIPA) and conclusions reached but did not provide detailed analysis as to
how
the conclusions were reached. The OIPC also determined that the role of the ICBC’s privacy lead had not been adequately communicated throughout the organization. In examining the ICBC security arrangements for the facial recognition system, the OIPC determined that these arrangements met the standard of reasonableness; for example, all information transmitted and stored in the database were encrypted—using 128-bit and 256-bit encryption, respectively; access was limited to specific workstations and users, by their specific role(s), and audit logging was in place for all workstations and servers that were part of the facial recognition system.
Sharing of information with law enforcement authorities
As noted above, in the aftermath of riots following the Vancouver Canucks' Stanley Cup loss, the police collected thousands of images of rioters that had been posted on various websites and Facebook pages. The ICBC offered the use of its facial recognition software to assist police in identifying the alleged vandals and rioters. The OIPC noted that the ICBC is authorized to disclose personal information in response to an order that satisfies the requirements of section 33.1(1)(t) of PIPA, which provides that disclosure is authorized in order to comply with a subpoena, warrant or order issued or made by a court, person or body in Canada with jurisdiction to compel the production of information. While ICBC cited section 32(c) of PIPA, which provides that a public body may use personal information in its custody or under its control only for a purpose for which that information may be disclosed to that public body under sections 33 to 36, as its authority to disclose information to the police, the OIPC determined that this section does not permit the use of every record in the ICBC’s entire database for the purposes of responding to a disclosure request about a single individual. The OIPC found that, in this case, in the absence of a subpoena, warrant or order from a court, the use of ICBC’s facial recognition software and database for the purposes of responding to disclosure requests from police is not authorized under PIPA. The OIPC recommended that where a police force intends to ask for a subpoena, warrant or order, the ICBC should provide the court with a detailed description of the process that it must undertake when attempting to identify individuals using its facial recognition database; this will assist the court in understanding the nature and extent of the change in use that is being requested.
