In an investigation report released yesterday, Commissioner Elizabeth Denham shot down the use of facial recognition technology by ICBC for identifying Stanley Cup rioters unless they are responding to a court order.
“Facial recognition has the potential to become a technology of surveillance, and we must ensure that public bodies and private organizations using it or contemplating using it have the legal authority to do so along with strong safeguards to protect personal information,” said Denham.
In addition to making ICBC improve its notice to its customers about what it does with their personal information, Denham also stated that they must have a court order, warrant or subpoena to be able to legally use the facial recognition software to identify the rioters.
She also appears to have set out some markers for other public bodies who collect information for one purpose but later use it for something else.
In the order, she states,”The essential use rule in FIPPA is that personal information can only be used for the original purpose it was obtained. Any change in use is an exception to this basic rule and must be authorized in FIPPA. With the proliferation of new technologies, personal information collected for one purpose may be used to meet new and possibly unanticipated purposes with breathtaking speed and ease. If we are to maintain robust privacy rights great care must be taken in evaluating proposed changes in use. The language in FIPPA makes it clear that such changes in use are authorized in very specific and limited circumstances.”
This raises questions about other technologies which may use information gathered for one purpose for another purpose. Two examples that come to mind are the BC Hydro smart meters program and the government’s own Integrated Case Management system, which is designed specifically to link data and share it among different departments in and outside of government for a variety of different purposes.
Denham also had some less than kind words about ICBC’s one to two page Privacy Impact Assessments, the documents that are supposed to outline the privacy implications or new or updated programs or projects.
“ICBC’s documents briefly list basic privacy rules in FIPPA and state
conclusions without any detailed analysis of how the conclusions were reached. The documents provide no description of the proposed technology or of the data elements collected, used or disclosed, no information flow analysis, there is no discussion of the proposed security and no risk assessment or mitigation plans discussed. Without detailed description of the proposed technology and the proposed implementation processes, it is impossible to evaluate the conclusions stated in these documents.”