Facing up to privacy concerns: smart cities grapple with keeping surveillance compliant
The benefits often associated with government use of facial recognition technology are significant and wide-ranging. Facial recognition is promoted as being able to help stop crime by matching individuals’ images to law enforcement databases, manage access to secure areas like government buildings, remove the need for public transport ticketing systems by identifying commuters, and assist with asset management and traffic planning. At a federal level, the government is set to announce a $250 million ‘Digital Business Plan’ which will integrate a facial recognition program with myGov and welfare services. In today’s COVID-19 world, smart camera companies are equipping facial recognition cameras with thermal sensors to help identify people who may be running a fever. In short, increased convenience, greater efficiency and improved safety are all advantages associated with facial recognition technology.
Yet public concern around the ways in which facial recognition technologies intrude upon citizens’ privacy continues to plague these initiatives and hinder the effectiveness of facial recognition technology in smart city programs. A study released by Monash University in May this year found half of Australians believed their privacy was being invaded by the use of facial recognition technology in public spaces, in large part because it has been rolled out at times without sufficient public discussion and debate as to what the data collected is being used for, who it is being disclosed to, and how it is secured.
With this in mind, it’s important for local governments to consult constituents on the use of facial recognition technology prior to implementation, and put in place measures to protect constituent privacy when facial recognition technology is used to avoid any potential reputational damage for unduly intruding into constituents’ personal lives. Ensuring public confidence in the smart technologies increasingly being adopted in Australian communities, and trust in the entities adopting them, is key to getting the most out of them. Being upfront with citizens and compliant with the law are important ways to help ensure facial recognition is a local government feat, rather than a failure.
Practical tips for privacy compliance
The status of facial recognition technology at law is still unclear, because it is not specifically regulated in Australia. However, the collection of citizens’ facial images and the use of these to data match and ascertain identity is broadly regulated under privacy legislation as a form of personal information.
Local governments in Queensland and New South Wales are regulated by the Information Privacy Act 2009 (Qld) and Privacy and Personal Information Protection Act 1998 (NSW) respectively, in relation to the collection of personal information, and are bound to abide by the rights and obligations contained in the Information Privacy Principles (IPPs) of those Acts when facilitating smart city projects which involve the use of facial recognition technology.
To comply with the regulations, local governments need to follow these rules:
- Whilst local governments do not necessarily need citizens’ express permission to collect their personal information, they are required to only do so for a legitimate purpose. Therefore local governments need to ensure their use of facial recognition technology is actually required for the advancement of a genuine and lawful local government project, and is not arbitrary.
- Before capturing an individual’s image using facial recognition technology, or as soon as practicable afterwards, local governments should take all reasonable steps to inform the individual of the purposes for doing so, any law authorising the collection, and to whom the images and any associated information will be disclosed.
- When collecting facial recognition data, local governments need to take all reasonable steps to ensure that it is relevant to the purpose for which it was collected, complete and up to date, and does not unreasonably intrude into the personal affairs of the individual. The location of facial recognition cameras should therefore be carefully thought through.
- Local governments need to ensure that stored facial recognition data is protected against loss, unauthorised access, use, modification or disclosure, and any other misuse. Data security needs to be a top priority, and local governments should de-identify or encrypt the information where possible to ensure that it is safe from third party hacking and attacking, and accidental leaks. Data storage practices should focus on security, and local governments should put agreements in place with any third party storage providers to cement their security procedures.
- Local governments need to take reasonable steps to ensure individuals can find out whether the local government holds their facial recognition data, the nature of that data, the main purposes for which it is used, and whether the individual can gain access to it. Being upfront with constituents about local government implementation of facial recognition technology is critical to maintaining a positive reputation in the community.
- If an individual requests access to their facial recognition information, local governments must provide that access without excessive delay or expense.
- Local governments need to take reasonable steps to ensure the quality and accuracy of facial recognition data before using it. One of the criticisms around the use of facial recognition software internationally has been the dangers of misidentification, particularly with respect to non-Caucasian men. A 2019 United States study found that facial recognition systems were up to 100 times more likely to mistakenly identify Asian and African-American people than Caucasian men, and similar concerns have been expressed in Australia with respect to Indigenous Australians and constituents from non-Caucasian backgrounds. The technology is also limited by the fact that human faces change over time, and modifications to hairstyle, facial hair, size, and the impacts of cosmetic surgery, for example, all have the potential to distort the accuracy of facial recognition data down the line.
- When proposing to use facial recognition information for a particular purpose, local governments must only use the personal information directly relevant to fulfilling that particular purpose. Use of the information for secondary purposes is only permitted in some circumstances.
- Local governments must not disclose facial recognition data to a third party to fulfil the primary purpose for which it was collected, unless an exception applies. Disclosure to a law enforcement agency for the prevention and investigation of criminal offences or the breaching of laws falls under the exceptions. Where facial recognition data is disclosed to a third party, local governments must take reasonable steps to prevent unauthorised use or disclosure by that third party. This includes any third party databases on which the data is stored.
Human Rights Rules Reinforce Privacy Priority
The Human Rights Act 2019 commenced in Queensland last year and creates another privacy consideration for local governments. It enshrines citizens’ right to privacy, and makes it unlawful for local governments to make a decision in a way that is not compatible with the right to privacy, or which fails to give consideration to it. Local governments should therefore look at the potential impacts on the right to privacy of any decision to implement facial recognition technology, including taking note of the following factors:
- whether there are less restrictive and reasonably available ways to achieve the smart city purpose that do not limit the right to privacy; and
- the extent to which the right to privacy will be limited by the implementation of facial recognition technology.
Forecasting Future Privacy Problems
A number of other up and coming smart city initiatives have the potential to generate privacy concerns because they may involve the collection of personal information. These types of technologies include:
- voice recognition sensors in public places, which collect sound recordings to detect a range of emotions and are designed to improve public safety;
- waste bin sensors which attach to citizens’ bins and track fill levels and categorise waste to individualise waste collection processes, potentially collecting sensitive information; and
- traffic infrastructure that recognises vehicle registration plates and suggests smarter commute routes to constituents, which can, in effect, track constituents in real time.
As these tools continue to develop, local government understanding of the surrounding privacy concerns and appropriate privacy measures will also increase. In the meantime, remaining compliant with current general privacy regulation is the recommended approach to ensure a successful implementation where constituents’ privacy concerns are respected and their trust is maintained.
This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. It is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.