Judgment Approved by the court for handing down
R (Bridges) v CCSWP and SSHD
On the contrary, images processed by a video surveillance
system solely for security reasons in a shopping area will not
generally be considered as processing of sensitive data.”
133.
Returning to the language of section 35 of the DPA 2018, we are satisfied that
the operation of AFR Locate involves the sensitive processing of the biometric
data of members of the public, i.e. who are not on the watchlist. As described
in SWP’s evidence, the AFR software takes a digital image and processes it
through a mathematical algorithm to produce a biometric template (i.e. of the
member of the public who is not on the watchlist) which is then compared to
other biometric templates (i.e. of those who are on the watchlist) in order to
provide information about whether one image is like the other. That process
of comparison could only take place if each template uniquely identifies the
individual to which it relates. Although SWP’s overall purpose is to identify
the persons on the watchlist, in order to achieve that overall purpose, the
biometric information of members of the public must also be processed so that
each is also uniquely identified, i.e. in order to achieve a comparison. This is
sufficient to bring processing of their biometric data within the scope of
section 35(8)(b) of the DPA 2018.
134.
Although the Claimant’s submissions did not focus on the requirements of
section 35(2) DPA 2018, the Information Commissioner made submissions as
to the requirement that processing of personal data must be “based on law”.
In substance, these submissions mirrored the matters raised by the Claimant in
his “in accordance with the law” submission on his Article 8 claim. For the
reasons we have already given on that part of the claim, we are satisfied that
the “based on law” requirement in section 35(2) DPA 2018 is met.
Does AFR Locate meet the three requirements of section 35(5)?
135.
On the basis that SWP’s use of AFR Locate does entail sensitive processing
does SWP’s use of AFR Locate comply with the three requirements at section
35(5) of the DPA 2018? (This is the second issue summarised above at
paragraph 129).
136.
The first of the requirements at section 35(5) is that “the processing is strictly
necessary for the law enforcement purpose”. This language comes from
Article 10 of the Law Enforcement Directive. In its ‘November 2017 Opinion
on the Law Enforcement Directive’, the Article 29 Working Party (the
advisory body set up under Article 29 of the 1995 Directive which comprises
representatives from the Data Protection Authorities of each Member State)
commented on the notion of “strict necessity” as follows:
“strictly necessary … has to be understood as a call to pay
particular attention to the necessity principle in the context of
processing special categories of data, as well as to foresee
precise and particularly solid justifications for the processing
of such data”