Information Commissioner’s Office Releases Comprehensive Audit on Police Facial Recognition Use
The Information Commissioner’s Office (ICO) has finalized its inaugural data protection audit examining the deployment of facial recognition technology (FRT) by UK police forces. The findings offer a cautiously optimistic view of current practices.
Scope and Focus of the ICO Audit
This audit represents the first formal evaluation by the ICO of how UK police services utilize facial recognition systems. The review concentrated on South Wales Police, Gwent Police, and the Metropolitan Police Service, scrutinizing their handling and safeguarding of personal data associated with FRT operations.
Published on August 20, 2025, the executive summary detailed the audit’s parameters, which were pre-agreed with the involved forces. Key areas of investigation included the fairness and accuracy of the technology’s design, as well as compliance with UK data protection legislation throughout the entire facial recognition process.
Positive Compliance Indicators and Human Oversight
Emily Keaney, an ICO representative, expressed encouragement regarding the audit results, highlighting that South Wales and Gwent Police have implemented robust procedures aligning with data protection laws. Both forces have ensured that trained personnel oversee facial recognition operations to mitigate bias and prevent fully automated decision-making.
Additionally, formal applications are required to justify the necessity and proportionality of each live facial recognition (LFR) deployment, reinforcing accountability and transparency.
Data Management and Transparency Practices
The audit revealed that South Wales and Gwent Police have thoroughly mapped their data flows and can verify the lawful origin of images used to generate biometric templates. Data protection impact assessments (DPIAs) are in place, and the data collected is limited strictly to what is necessary for operational purposes.
Moreover, individuals affected by these technologies are informed in a clear and accessible manner, supporting transparency and public trust.
Limitations and Areas for Further Improvement
Keaney emphasized that the audit provides only a temporal snapshot of FRT usage within the two forces and does not constitute blanket approval for all UK police services. Forces considering FRT deployment can learn from both the strengths and weaknesses identified.
Chief Superintendent Tim Morgan of the South Wales-Gwent digital services department welcomed the independent scrutiny, stating it enhances their ability to demonstrate ethical and fair use of facial recognition to their communities.
Concerns Over Audit Detail and Transparency
Despite the ICO issuing several recommendations, the executive summary lacked detailed explanations beyond the priority levels assigned to each suggestion. For live facial recognition, four medium and one low priority recommendations were made; retrospective facial recognition (RFR) received six medium and four low priority recommendations.
Requests for further clarification from the ICO regarding these recommendations and their implementation have gone unanswered, leaving critical questions about data retention policies and procedural reviews unresolved.
Legal Framework and Proportionality Assessments
UK police forces must ensure that any FRT deployment is legally authorized, pursues a legitimate aim, and is both necessary and proportionate to the intended purpose. However, the ICO did not disclose how these assessments are conducted or how watchlists are curated to meet these criteria.
South Wales Police provides some insight into their proportionality and necessity evaluations, but it remains unclear if the ICO has recommended improvements in this area.
Watchlist Selection and Ethical Considerations
While police assert that facial recognition is intelligence-led and targets individuals wanted for serious offenses, senior officers from the Metropolitan and South Wales Police admitted in a December 2023 parliamentary committee that watchlist images are selected based on crime categories linked to photos rather than a nuanced threat assessment of individuals.
Questions about whether South Wales Police continues this practice and how proportionality is evaluated remain unanswered by the ICO.
Data Integrity and Unlawful Image Use
The ICO confirmed that forces can demonstrate the lawful origin of watchlist images but did not clarify how they prevent the inclusion of unlawfully held images from the Police National Database, which contains millions of unauthorized photos.
Inquiries about the timing of the ICO’s audit-given that the Metropolitan Police began using FRT in August 2016 amid ongoing controversy-also received no response.
Ongoing ICO Engagement and Future Directions
The ICO has been actively involved in regulating FRT since its initial adoption by UK police forces nearly a decade ago. In 2021, it conducted investigations and issued opinions on the use of FRT by the Metropolitan, South Wales, and Gwent Police, including intervening in landmark legal cases.
A spokesperson confirmed that the ICO plans to release further guidance outlining expectations for police forces deploying FRT, as part of a broader AI and biometrics strategy aimed at establishing clear standards and scalable best practices.
The ICO’s audit recommendations are tailored to specific contexts, with broader findings expected to be published in an Outcomes Report scheduled for spring 2026, following the completion of all audits in this series.
Equality and Human Rights Commission Challenges Police Use of FRT
In August 2025, the Equality and Human Rights Commission (EHRC) was granted permission to join a judicial review challenging the Metropolitan Police’s use of live facial recognition, alleging unlawful practices.
John Kirkpatrick, EHRC Chief Executive, underscored the fundamental rights to privacy and freedom of expression, emphasizing that FRT must be deployed only when necessary, proportionate, and with adequate safeguards.
He criticized the Metropolitan Police’s current policies as falling short of these standards, calling for law enforcement agencies to align their use of FRT with human rights obligations.
Debate Over ICO’s Role and Government Regulation
Data protection expert Chris Pounder noted that the ICO’s cautious stance contrasts with the EHRC’s proactive legal challenge, suggesting that ICO involvement in judicial processes could have strengthened safeguards.
Meanwhile, the Home Secretary has pledged to introduce a regulatory code favoring FRT deployment, though it remains unclear whether this framework will have statutory authority.
